netfilter: accounting rework: ct_extend + 64bit counters (v4)

Initially netfilter has had 64bit counters for conntrack-based accounting, but it was changed in 2.6.14 to save memory. Unfortunately in-kernel 64bit counters are still required, for example for "connbytes" extension. However, 64bit counters waste a lot of memory and it was not possible to enable/disable it runtime. This patch: - reimplements accounting with respect to the extension infrastructure, - makes one global version of seq_print_acct() instead of two seq_print_counters(), - makes it possible to enable it at boot time (for CONFIG_SYSCTL/CONFIG_SYSFS=n), - makes it possible to enable/disable it at runtime by sysctl or sysfs, - extends counters from 32bit to 64bit, - renames ip_conntrack_counter -> nf_conn_counter, - enables accounting code unconditionally (no longer depends on CONFIG_NF_CT_ACCT), - set initial accounting enable state based on CONFIG_NF_CT_ACCT - removes buggy IPCT_COUNTER_FILLING event handling. If accounting is enabled newly created connections get additional acct extend. Old connections are not changed as it is not possible to add a ct_extend area to confirmed conntrack. Accounting is performed for all connections with acct extend regardless of a current state of "net.netfilter.nf_conntrack_acct". Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Krzysztof Piotr Oledzki <ole@ans.pl> 2008-07-21 13:01:34 -0400
committer: David S. Miller <davem@davemloft.net> 2008-07-21 13:10:58 -0400
commit: 584015727a3b88b46602b20077b46cd04f8b4ab3 (patch)
tree: a9b4ec18e2181e03ee24b59b30f7408bcbcf140c /net/ipv4
parent: 07a7c1070ed382ad4562e3a0d453fd2001d92f7b (diff)
1 files changed, 3 insertions, 15 deletions
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 40a46d482490..3a020720e40b 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -18,19 +18,7 @@
 #include <net/netfilter/nf_conntrack_l3proto.h>
 #include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_expect.h>
+#include <net/netfilter/nf_conntrack_acct.h>
-#ifdef CONFIG_NF_CT_ACCT
-static unsigned int
-seq_print_counters(struct seq_file *s,
-                   const struct ip_conntrack_counter *counter)
-{
-        return seq_printf(s, "packets=%llu bytes=%llu ",
-                          (unsigned long long)counter->packets,
-                          (unsigned long long)counter->bytes);
-}
-#else
-#define seq_print_counters(x, y)        0
-#endif
 struct ct_iter_state {
        unsigned int bucket;
@@ -127,7 +115,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
                        l3proto, l4proto))
                return -ENOSPC;
-        if (seq_print_counters(s, &ct->counters[IP_CT_DIR_ORIGINAL]))
+        if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL))
                return -ENOSPC;
        if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status)))
@@ -138,7 +126,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
                        l3proto, l4proto))
                return -ENOSPC;
-        if (seq_print_counters(s, &ct->counters[IP_CT_DIR_REPLY]))
+        if (seq_print_acct(s, ct, IP_CT_DIR_REPLY))
                return -ENOSPC;
        if (test_bit(IPS_ASSURED_BIT, &ct->status))
author	Krzysztof Piotr Oledzki <ole@ans.pl>	2008-07-21 13:01:34 -0400
committer	David S. Miller <davem@davemloft.net>	2008-07-21 13:10:58 -0400
commit	584015727a3b88b46602b20077b46cd04f8b4ab3 (patch)
tree	a9b4ec18e2181e03ee24b59b30f7408bcbcf140c /net/ipv4
parent	07a7c1070ed382ad4562e3a0d453fd2001d92f7b (diff)

diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c index 40a46d482490..3a020720e40b 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -18,19 +18,7 @@
18	#include <net/netfilter/nf_conntrack_l3proto.h>	18	#include <net/netfilter/nf_conntrack_l3proto.h>
19	#include <net/netfilter/nf_conntrack_l4proto.h>	19	#include <net/netfilter/nf_conntrack_l4proto.h>
20	#include <net/netfilter/nf_conntrack_expect.h>	20	#include <net/netfilter/nf_conntrack_expect.h>
21		21	#include <net/netfilter/nf_conntrack_acct.h>
22	#ifdef CONFIG_NF_CT_ACCT
23	static unsigned int
24	seq_print_counters(struct seq_file *s,
25	const struct ip_conntrack_counter *counter)
26	{
27	return seq_printf(s, "packets=%llu bytes=%llu ",
28	(unsigned long long)counter->packets,
29	(unsigned long long)counter->bytes);
30	}
31	#else
32	#define seq_print_counters(x, y) 0
33	#endif
34		22
35	struct ct_iter_state {	23	struct ct_iter_state {
36	unsigned int bucket;	24	unsigned int bucket;
@@ -127,7 +115,7 @@ static int ct_seq_show(struct seq_file s, void v)
127	l3proto, l4proto))	115	l3proto, l4proto))
128	return -ENOSPC;	116	return -ENOSPC;
129		117
130	if (seq_print_counters(s, &ct->counters[IP_CT_DIR_ORIGINAL]))	118	if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL))
131	return -ENOSPC;	119	return -ENOSPC;
132		120
133	if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status)))	121	if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status)))
@@ -138,7 +126,7 @@ static int ct_seq_show(struct seq_file s, void v)
138	l3proto, l4proto))	126	l3proto, l4proto))
139	return -ENOSPC;	127	return -ENOSPC;
140		128
141	if (seq_print_counters(s, &ct->counters[IP_CT_DIR_REPLY]))	129	if (seq_print_acct(s, ct, IP_CT_DIR_REPLY))
142	return -ENOSPC;	130	return -ENOSPC;
143		131
144	if (test_bit(IPS_ASSURED_BIT, &ct->status))	132	if (test_bit(IPS_ASSURED_BIT, &ct->status))