diff options
| author | Nikolay Aleksandrov <nikolay@redhat.com> | 2014-07-24 10:50:37 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-07-28 01:34:36 -0400 |
| commit | 1bab4c75075b84675b96992ac47580a57c26958d (patch) | |
| tree | d015ddcf9d9d16e423efb63e9ddbd46fb02d95c3 /net/ipv4 | |
| parent | ab1c724f633080ed2e8a0cfe61654599b55cf8f9 (diff) | |
inet: frag: set limits and make init_net's high_thresh limit global
This patch makes init_net's high_thresh limit to be the maximum for all
namespaces, thus introducing a global memory limit threshold equal to the
sum of the individual high_thresh limits which are capped.
It also introduces some sane minimums for low_thresh as it shouldn't be
able to drop below 0 (or > high_thresh in the unsigned case), and
overall low_thresh should not ever be above high_thresh, so we make the
following relations for a namespace:
init_net:
high_thresh - max(not capped), min(init_net low_thresh)
low_thresh - max(init_net high_thresh), min (0)
all other namespaces:
high_thresh = max(init_net high_thresh), min(namespace's low_thresh)
low_thresh = max(namespace's high_thresh), min(0)
The major issue with having low_thresh > high_thresh is that we'll
schedule eviction but never evict anything and thus rely only on the
timers.
Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/ip_fragment.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index ccee68dffd6e..634fc31aa243 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c | |||
| @@ -700,14 +700,17 @@ static struct ctl_table ip4_frags_ns_ctl_table[] = { | |||
| 700 | .data = &init_net.ipv4.frags.high_thresh, | 700 | .data = &init_net.ipv4.frags.high_thresh, |
| 701 | .maxlen = sizeof(int), | 701 | .maxlen = sizeof(int), |
| 702 | .mode = 0644, | 702 | .mode = 0644, |
| 703 | .proc_handler = proc_dointvec | 703 | .proc_handler = proc_dointvec_minmax, |
| 704 | .extra1 = &init_net.ipv4.frags.low_thresh | ||
| 704 | }, | 705 | }, |
| 705 | { | 706 | { |
| 706 | .procname = "ipfrag_low_thresh", | 707 | .procname = "ipfrag_low_thresh", |
| 707 | .data = &init_net.ipv4.frags.low_thresh, | 708 | .data = &init_net.ipv4.frags.low_thresh, |
| 708 | .maxlen = sizeof(int), | 709 | .maxlen = sizeof(int), |
| 709 | .mode = 0644, | 710 | .mode = 0644, |
| 710 | .proc_handler = proc_dointvec | 711 | .proc_handler = proc_dointvec_minmax, |
| 712 | .extra1 = &zero, | ||
| 713 | .extra2 = &init_net.ipv4.frags.high_thresh | ||
| 711 | }, | 714 | }, |
| 712 | { | 715 | { |
| 713 | .procname = "ipfrag_time", | 716 | .procname = "ipfrag_time", |
| @@ -752,7 +755,10 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net) | |||
| 752 | goto err_alloc; | 755 | goto err_alloc; |
| 753 | 756 | ||
| 754 | table[0].data = &net->ipv4.frags.high_thresh; | 757 | table[0].data = &net->ipv4.frags.high_thresh; |
| 758 | table[0].extra1 = &net->ipv4.frags.low_thresh; | ||
| 759 | table[0].extra2 = &init_net.ipv4.frags.high_thresh; | ||
| 755 | table[1].data = &net->ipv4.frags.low_thresh; | 760 | table[1].data = &net->ipv4.frags.low_thresh; |
| 761 | table[1].extra2 = &net->ipv4.frags.high_thresh; | ||
| 756 | table[2].data = &net->ipv4.frags.timeout; | 762 | table[2].data = &net->ipv4.frags.timeout; |
| 757 | 763 | ||
| 758 | /* Don't export sysctls to unprivileged users */ | 764 | /* Don't export sysctls to unprivileged users */ |