To: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Subject: Re: [PATCHv6 net-next 11/14] ipvs: no_cport and dropentry counters can be per-net
Cc: Simon Horman <horms@xxxxxxxxxxxx>, lvs-devel@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx, Dust Li <dust.li@xxxxxxxxxxxxxxxxx>, Jiejian Wu <jiejian@xxxxxxxxxxxxxxxxx>, rcu@xxxxxxxxxxxxxxx
From: Julian Anastasov <ja@xxxxxx>
Date: Wed, 26 Nov 2025 22:08:45 +0200 (EET)
        Hello,

On Mon, 24 Nov 2025, Pablo Neira Ayuso wrote:

> On Sun, Oct 19, 2025 at 06:57:08PM +0300, Julian Anastasov wrote:
> > With using per-net conn_tab these counters do not need to be
> > global anymore.
> > 
> > Signed-off-by: Julian Anastasov <ja@xxxxxx>
> > ---
> >  include/net/ip_vs.h             |  2 ++
> >  net/netfilter/ipvs/ip_vs_conn.c | 62 ++++++++++++++++++++-------------
> >  2 files changed, 39 insertions(+), 25 deletions(-)
> > 
> > diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
> > index ce77800853ab..1b64c5ee2ac2 100644
> > --- a/include/net/ip_vs.h
> > +++ b/include/net/ip_vs.h

> > +   s8                      dropentry_counters[8];
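Review bot: the new `s8 dropentry_counters[8];` field carries no comment, and its size 8 is coupled to the `i > 8` bound and the `i--` index translation in todrop_entry(); add a one-line comment at the field (one counter per in_pkts value 1..8, indexed by in_pkts - 1, reloaded with the packet count) or share a named constant between the array size and the range check so the two cannot drift apart.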

> > diff --git a/net/netfilter/ipvs/ip_vs_conn.c 
> > b/net/netfilter/ipvs/ip_vs_conn.c
> > index bbce5b45b622..55000252c72c 100644
> > --- a/net/netfilter/ipvs/ip_vs_conn.c
> > +++ b/net/netfilter/ipvs/ip_vs_conn.c

> >  static inline int todrop_entry(struct ip_vs_conn *cp)
> >  {
> > -   /*
> > -    * The drop rate array needs tuning for real environments.
> > -    * Called from timer bh only => no locking
> > -    */
> > -   static const signed char todrop_rate[9] = {0, 1, 2, 3, 4, 5, 6, 7, 8};
> > -   static signed char todrop_counter[9] = {0};

        We go from 9 to 8, see below.

> > +   struct netns_ipvs *ipvs = cp->ipvs;
> >     int i;
> >  
> >     /* if the conn entry hasn't lasted for 60 seconds, don't drop it.
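Review bot: the removed comment `Called from timer bh only => no locking` was the only record of why the unsynchronized `--todrop_counter[i]` was safe, and the replacement still decrements `ipvs->dropentry_counters[i]` without locking; keep a short comment on the new per-net counters stating that single-caller assumption rather than dropping the note together with the static arrays.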
> > @@ -1579,15 +1585,17 @@ static inline int todrop_entry(struct ip_vs_conn 
> > *cp)
> >     if (time_before(cp->timeout + jiffies, cp->timer.expires + 60*HZ))
> >             return 0;
> >  
> > -   /* Don't drop the entry if its number of incoming packets is not
> > -      located in [0, 8] */
> > +   /* Drop only conns with number of incoming packets in [1..8] range */
> >     i = atomic_read(&cp->in_pkts);
> > -   if (i > 8 || i < 0) return 0;
> > +   if (i > 8 || i < 1)
> 
> Why did this change? How is this related to the per-netns update?

        Using global state in todrop_counter[] is not good,
so we move it to the ipvs struct. We do not want
floods in one netns to lead to drops in another netns.

        The funny part is that todrop_rate[0] is 0,
so 'if (!todrop_rate[i]) return 0;' will do nothing
for i = 0. And I simply converted it to an array [8] and
translated the packet count 1..8 to index 0..7. So,
there is no change in functionality.

> > +           return 0;
> >  
> > -   if (!todrop_rate[i]) return 0;
> > -   if (--todrop_counter[i] > 0) return 0;
> > +   i--;
> > +   if (--ipvs->dropentry_counters[i] > 0)
> > +           return 0;
> >  
> > -   todrop_counter[i] = todrop_rate[i];
> > +   /* Prefer to drop conns with less number of incoming packets */
> > +   ipvs->dropentry_counters[i] = i + 1;
> >     return 1;
> >  }
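Review bot: the commit message says only that the counters need not be global, but this hunk also drops the `todrop_rate[]` table and narrows the accepted range from `[0, 8]` to `[1..8]`, which is what prompted the question above; state in the commit message that `todrop_rate[i]` was identical to `i` (so the reload `ipvs->dropentry_counters[i] = i + 1` after `i--` stores the same value as `todrop_counter[i] = todrop_rate[i]` did) and that index 0 was never dropped because `todrop_rate[0]` is 0, so rejecting `i < 1` up front is not a behaviour change. Also worth a sentence there: `static signed char todrop_counter[9] = {0}` started at zero, so the first evaluation of each packet count always dropped; the per-net array behaves the same only if it is zeroed when the netns is set up, which this hunk does not show.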

Regards

--
Julian Anastasov <ja@xxxxxx>
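As an added example, not code from the patch or from the kernel: a user-space C model of the old and new todrop_entry() counter logic quoted above, fed the same constructed sequence of in_pkts values so the "no change in functionality" claim can be checked, plus a helper that shows how often a conn with a given packet count is dropped under the new logic. Only the packet-count part of the function is modelled; the 60-second age check and the conn timer are omitted, the struct and function names are the example's own, and the packet-count sequence is constructed for the example.

```c
/*
 * Added example, not kernel code: user-space model of the packet-count part
 * of ipvs todrop_entry() before and after the patch. The 60-second age check
 * is omitted; only the rate counters are modelled.
 */
#include <stdio.h>
#include <string.h>

/* Before the patch: one global 9-entry rate table and counter array,
 * indexed directly by the connection's incoming packet count 0..8. */
struct old_model {
	signed char todrop_counter[9];
};

static int old_todrop(struct old_model *m, int in_pkts)
{
	static const signed char todrop_rate[9] = {0, 1, 2, 3, 4, 5, 6, 7, 8};
	int i = in_pkts;

	if (i > 8 || i < 0)
		return 0;
	if (!todrop_rate[i])		/* rate 0: 0-packet conns are never dropped */
		return 0;
	if (--m->todrop_counter[i] > 0)
		return 0;
	m->todrop_counter[i] = todrop_rate[i];
	return 1;
}

/* After the patch: 8 per-netns counters indexed by in_pkts - 1; the reload
 * value i + 1 equals the packet count, because todrop_rate[] was identity. */
struct new_model {
	signed char dropentry_counters[8];	/* s8 field in struct netns_ipvs */
};

static int new_todrop(struct new_model *m, int in_pkts)
{
	int i = in_pkts;

	if (i > 8 || i < 1)
		return 0;
	i--;
	if (--m->dropentry_counters[i] > 0)
		return 0;
	/* Prefer to drop conns with fewer incoming packets: a 1-packet conn
	 * is dropped on every evaluation, an 8-packet conn on every 8th. */
	m->dropentry_counters[i] = i + 1;
	return 1;
}

/* Constructed sequence of in_pkts values seen by successive evaluations,
 * including the out-of-range values 0, 9 and -1. */
static const int sample_in_pkts[] = {
	0, 1, 2, 3, 8, 9, -1, 1, 2, 8, 8, 8, 8, 8, 8, 8, 8, 8,
	3, 3, 3, 3, 4, 4, 4, 4, 4, 0, 1, 7, 7, 7, 7, 7, 7, 7, 7,
};
#define SAMPLE_LEN ((int)(sizeof(sample_in_pkts) / sizeof(sample_in_pkts[0])))

/* Feed the sequence to both models from a zeroed state; return the number
 * of evaluations where the old and new logic disagree (0 = equivalent). */
static int equivalence_mismatches(void)
{
	struct old_model o;
	struct new_model n;
	int k, mismatches = 0;

	memset(&o, 0, sizeof(o));
	memset(&n, 0, sizeof(n));
	for (k = 0; k < SAMPLE_LEN; k++)
		if (old_todrop(&o, sample_in_pkts[k]) !=
		    new_todrop(&n, sample_in_pkts[k]))
			mismatches++;
	return mismatches;
}

/* Under the new logic, starting from zeroed counters, how many of n
 * consecutive evaluations of conns with the same packet count get dropped. */
static int drops_for_count(int in_pkts, int n)
{
	struct new_model m;
	int k, drops = 0;

	memset(&m, 0, sizeof(m));
	for (k = 0; k < n; k++)
		drops += new_todrop(&m, in_pkts);
	return drops;
}

int main(void)
{
	int c;

	printf("old/new mismatches over %d evaluations: %d\n",
	       SAMPLE_LEN, equivalence_mismatches());
	for (c = 0; c <= 9; c++)
		printf("in_pkts=%d: %d of 16 evaluations dropped\n",
		       c, drops_for_count(c, 16));
	return 0;
}
```

Both models start from zeroed counters, as the old static array did, so the first evaluation of each packet count drops; after that a conn with N incoming packets is dropped on every Nth evaluation, which is the "prefer to drop conns with less number of incoming packets" policy the hunk comments on.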
