netfilter: flowtable: add nf_flowtable_time_stamp
This patch adds nf_flowtable_time_stamp and updates the existing code to
use it.
This patch is also implicitly fixing up hardware statistic fetching via
nf_flow_offload_stats() where casting to u32 is missing. Use
nf_flow_timeout_delta() to fix this.
Fixes: c29f74e0df ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: wenxu <wenxu@ucloud.cn>
This commit is contained in:
Pablo Neira Ayuso
@@ -106,6 +106,12 @@ struct flow_offload {
|
|||||||
};
|
};
|
||||||
|
|
||||||
#define NF_FLOW_TIMEOUT (30 * HZ)
|
#define NF_FLOW_TIMEOUT (30 * HZ)
|
||||||
|
#define nf_flowtable_time_stamp (u32)jiffies
|
||||||
|
|
||||||
|
static inline __s32 nf_flow_timeout_delta(unsigned int timeout)
|
||||||
|
{
|
||||||
|
return (__s32)(timeout - nf_flowtable_time_stamp);
|
||||||
|
}
|
||||||
|
|
||||||
struct nf_flow_route {
|
struct nf_flow_route {
|
||||||
struct {
|
struct {
|
||||||
|
|||||||
@@ -134,11 +134,6 @@ static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp)
|
|||||||
#define NF_FLOWTABLE_TCP_PICKUP_TIMEOUT (120 * HZ)
|
#define NF_FLOWTABLE_TCP_PICKUP_TIMEOUT (120 * HZ)
|
||||||
#define NF_FLOWTABLE_UDP_PICKUP_TIMEOUT (30 * HZ)
|
#define NF_FLOWTABLE_UDP_PICKUP_TIMEOUT (30 * HZ)
|
||||||
|
|
||||||
static inline __s32 nf_flow_timeout_delta(unsigned int timeout)
|
|
||||||
{
|
|
||||||
return (__s32)(timeout - (u32)jiffies);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void flow_offload_fixup_ct_timeout(struct nf_conn *ct)
|
static void flow_offload_fixup_ct_timeout(struct nf_conn *ct)
|
||||||
{
|
{
|
||||||
const struct nf_conntrack_l4proto *l4proto;
|
const struct nf_conntrack_l4proto *l4proto;
|
||||||
@@ -232,7 +227,7 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
|
|||||||
{
|
{
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
|
flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
|
||||||
|
|
||||||
err = rhashtable_insert_fast(&flow_table->rhashtable,
|
err = rhashtable_insert_fast(&flow_table->rhashtable,
|
||||||
&flow->tuplehash[0].node,
|
&flow->tuplehash[0].node,
|
||||||
|
|||||||
@@ -280,7 +280,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
|
|||||||
if (nf_flow_nat_ip(flow, skb, thoff, dir) < 0)
|
if (nf_flow_nat_ip(flow, skb, thoff, dir) < 0)
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|
||||||
flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
|
flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
|
||||||
iph = ip_hdr(skb);
|
iph = ip_hdr(skb);
|
||||||
ip_decrease_ttl(iph);
|
ip_decrease_ttl(iph);
|
||||||
skb->tstamp = 0;
|
skb->tstamp = 0;
|
||||||
@@ -509,7 +509,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
|
|||||||
if (nf_flow_nat_ipv6(flow, skb, dir) < 0)
|
if (nf_flow_nat_ipv6(flow, skb, dir) < 0)
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|
||||||
flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
|
flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
|
||||||
ip6h = ipv6_hdr(skb);
|
ip6h = ipv6_hdr(skb);
|
||||||
ip6h->hop_limit--;
|
ip6h->hop_limit--;
|
||||||
skb->tstamp = 0;
|
skb->tstamp = 0;
|
||||||
|
|||||||
@@ -781,9 +781,9 @@ void nf_flow_offload_stats(struct nf_flowtable *flowtable,
|
|||||||
struct flow_offload *flow)
|
struct flow_offload *flow)
|
||||||
{
|
{
|
||||||
struct flow_offload_work *offload;
|
struct flow_offload_work *offload;
|
||||||
s64 delta;
|
__s32 delta;
|
||||||
|
|
||||||
delta = flow->timeout - jiffies;
|
delta = nf_flow_timeout_delta(flow->timeout);
|
||||||
if ((delta >= (9 * NF_FLOW_TIMEOUT) / 10) ||
|
if ((delta >= (9 * NF_FLOW_TIMEOUT) / 10) ||
|
||||||
flow->flags & FLOW_OFFLOAD_HW_DYING)
|
flow->flags & FLOW_OFFLOAD_HW_DYING)
|
||||||
return;
|
return;
|
||||||
|
|||||||
Reference in New Issue
Block a user