Message-ID: <CALHBjYFn_qB=Oo3TTg0znOnNz9rX5jP+eYSZbatAN94ys8Tzmw@mail.gmail.com>
Date: Thu, 11 Jul 2024 13:40:02 +0800
From: Changliang Wu <changliang.wu@...rtx.com>
To: pablo@...filter.org, kadlec@...filter.org, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com
Cc: netfilter-devel@...r.kernel.org, coreteam@...filter.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] netfilter: ctnetlink: support CTA_FILTER for flush
PING
Changliang Wu <changliang.wu@...rtx.com> wrote on Thu, Jun 20, 2024 at 19:35:
>
> From cb8aa9a, we can use kernel side filtering for dump, but
> this capability is not available for flush.
>
> This patch allows advanced filtering with CTA_FILTER for flush.
>
> Performance
> 1048576 ct flows in total, delete 50,000 flows by origin src ip
> 3.06s -> dump all, compare and delete
> 584ms -> directly flush with filter
>
> Signed-off-by: Changliang Wu <changliang.wu@...rtx.com>
> ---
> net/netfilter/nf_conntrack_netlink.c | 9 +++------
> 1 file changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index 3b846cbdc..93afe57d9 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -1579,9 +1579,6 @@ static int ctnetlink_flush_conntrack(struct net *net,
> };
>
> if (ctnetlink_needs_filter(family, cda)) {
> - if (cda[CTA_FILTER])
> - return -EOPNOTSUPP;
> -
> filter = ctnetlink_alloc_filter(cda, family);
> if (IS_ERR(filter))
> return PTR_ERR(filter);
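Review bot: Nothing in this hunk shows that the flush path actually evaluates the CTA_FILTER contents: the only change in ctnetlink_flush_conntrack() is the removal of the `if (cda[CTA_FILTER]) return -EOPNOTSUPP;` guard, after which the attributes go straight into ctnetlink_alloc_filter(cda, family). Please state in the commit message that the flush iterator applies the tuple and filter-flag matching the same way dump does, because a filter that is only partly honoured here deletes more conntrack entries than the caller asked for. A selftest that flushes by origin source address and then checks which entries survive would back that up.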
> @@ -1610,14 +1607,14 @@ static int ctnetlink_del_conntrack(struct sk_buff *skb,
> if (err < 0)
> return err;
>
> - if (cda[CTA_TUPLE_ORIG])
> + if (cda[CTA_TUPLE_ORIG] && !cda[CTA_FILTER])
> err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
> family, &zone);
> - else if (cda[CTA_TUPLE_REPLY])
> + else if (cda[CTA_TUPLE_REPLY] && !cda[CTA_FILTER])
> err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
> family, &zone);
> else {
> - u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC;
> + u8 u3 = info->nfmsg->version || cda[CTA_FILTER] ? family : AF_UNSPEC;
>
> return ctnetlink_flush_conntrack(info->net, cda,
> NETLINK_CB(skb).portid,
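Review bot: The added `!cda[CTA_FILTER]` conditions change the meaning of an existing request: a delete that carries CTA_TUPLE_ORIG or CTA_TUPLE_REPLY together with CTA_FILTER used to go through ctnetlink_parse_tuple() and now falls into the `else` branch and becomes a ctnetlink_flush_conntrack() call. That is a userspace-visible change and the commit message should spell it out. In the `u3` line, parenthesise the condition as `(info->nfmsg->version || cda[CTA_FILTER]) ? family : AF_UNSPEC` so the reader does not have to rely on `||` binding tighter than `?:`, and either mention the `u_int8_t` to `u8` change in the commit message or split it into a separate cleanup.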
> --
> 2.43.0
>