Hello,
This patchset is part 3 of the changes that accumulated
recently. It is for nf-next and should be applied after the patches
from parts 1 and 2 are already applied. It contains changes that convert
the connection and service tables to be per-net and targets more netns
isolation when IPVS is used in large setups.
The first patch adds useful wrappers to rculist_bl.h, the
hlist_bl methods IPVS will use in the following patches. The other
patches are IPVS-specific.
All patches here come from the work
"ipvs: per-net tables and optimizations" last posted
on 19 Oct 2025 as v6, with the following changes:
Patch 1 comes from v6/patch 1 without changes
Patch 2 comes from v6/patch 7 with added comments
Patch 3 comes from v6/patch 8 without changes
Patch 4 comes from v6/patch 9 with some changes due to the
v6/patch 11 position change
Patch 5 comes from v6/patch 12 without changes
As a result, the following patches will:
* Add new wrappers into rculist_bl.h
* Add infrastructure for resizable hash tables based on hlist_bl
which we will use for services and connections: hlists with
per-bucket bit lock in the heads. The resizing delays RCU lookups
on a bucket level with seqcounts which are protected with spin locks.
The entries keep the table ID and the hash value, which allows
filtering the entries without touching many cache lines and
unlinking them without a lookup by keys.
* Change the 256-bucket service hash table to be resizable in the
range of 4..20 bits depending on the added services and use jhash
hashing to reduce the collisions.
* Change the global connection table to be per-net and resizable
in the range of 256..ip_vs_conn_tab_size. As the connections are
hashed by using remote addresses and ports, use siphash instead
of jhash for better security.
* Make the connection hashing more secure for setups with multiple
services. Hashing only by remote address and port (client info)
is not enough. To reduce the possible hash collisions add the
used virtual address/port (local info) into the hash and as a side
effect the MASQ connections will be double hashed into the
hash table to match the traffic from real servers:
OLD:
- all methods: c_list node: proto, caddr:cport
NEW:
- all methods: hn0 node (dir 0): proto, caddr:cport -> vaddr:vport
- MASQ method: hn1 node (dir 1): proto, daddr:dport -> caddr:cport
Julian Anastasov (5):
rculist_bl: add hlist_bl_for_each_entry_continue_rcu
ipvs: add resizable hash tables
ipvs: use resizable hash table for services
ipvs: switch to per-net connection table
ipvs: use more keys for connection hashing
include/linux/rculist_bl.h | 49 +-
include/net/ip_vs.h | 376 +++++++++--
net/netfilter/ipvs/ip_vs_conn.c | 992 ++++++++++++++++++++++--------
net/netfilter/ipvs/ip_vs_core.c | 179 ++++++
net/netfilter/ipvs/ip_vs_ctl.c | 691 +++++++++++++++++----
net/netfilter/ipvs/ip_vs_pe_sip.c | 4 +-
net/netfilter/ipvs/ip_vs_sync.c | 23 +
7 files changed, 1880 insertions(+), 434 deletions(-)
--
2.53.0