linux/include/net/netfilter
Florian Westphal e1bf168774 netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to rhashtable"
This reverts commit 870190a9ec.

It was not a good idea. The custom hash table was a much better
fit for this purpose.

A fast lookup is not essential; in fact, for most cases there is no lookup
at all because the original tuple is not taken and can be used as-is.
What needs to be fast is insertion and deletion.

rhlist removal however requires a rhlist walk.
We can have thousands of entries in such a list if source port/addresses
are reused for multiple flows; if this happens, removal requests are so
expensive that deletions of a few thousand flows can take several
seconds(!).

The advantages that we got from rhashtable are:
1) table auto-sizing
2) multiple locks

1) would be nice to have, but it is not essential as we have at
most one lookup per new flow, so even a million flows in the bysource
table are not a problem compared to current deletion cost.
2) is easy to add to custom hash table.

I tried to add hlist_node to rhlist to speed up rhltable_remove but this
isn't doable without changing semantics.  rhltable_remove_fast will
check that the to-be-deleted object is part of the table and that
requires a list walk that we want to avoid.

Furthermore, using hlist_node increases size of struct rhlist_head, which
in turn increases nf_conn size.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=196821
Reported-by: Ivan Babrou <ibobrik@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-09-08 18:55:50 +02:00
ipv4
ipv6
br_netfilter.h net: convert nf_bridge_info.use from atomic_t to refcount_t 2017-07-01 07:39:07 -07:00
nf_conntrack_acct.h
nf_conntrack_core.h
nf_conntrack_ecache.h
nf_conntrack_expect.h netfilter: expect: add and use nf_ct_expect_iterate helpers 2017-07-31 19:09:38 +02:00
nf_conntrack_extend.h
nf_conntrack_helper.h
nf_conntrack_l3proto.h netfilter: conntrack: make protocol tracker pointers const 2017-08-24 18:52:33 +02:00
nf_conntrack_l4proto.h netfilter: remove unused hooknum arg from packet functions 2017-09-04 13:25:18 +02:00
nf_conntrack_labels.h
nf_conntrack_seqadj.h
nf_conntrack_synproxy.h
nf_conntrack_timeout.h netfilter: conntrack: make protocol tracker pointers const 2017-08-24 18:52:33 +02:00
nf_conntrack_timestamp.h
nf_conntrack_tuple.h
nf_conntrack_zones.h
nf_conntrack.h netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to rhashtable" 2017-09-08 18:55:50 +02:00
nf_dup_netdev.h
nf_log.h
nf_nat_core.h
nf_nat_helper.h
nf_nat_l3proto.h
nf_nat_l4proto.h
nf_nat_redirect.h
nf_nat.h netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to rhashtable" 2017-09-08 18:55:50 +02:00
nf_queue.h netfilter: convert hook list to an array 2017-08-28 17:44:00 +02:00
nf_socket.h
nf_tables_core.h netfilter: nf_tables: keep chain counters away from hot path 2017-07-24 12:23:16 +02:00
nf_tables_ipv4.h
nf_tables_ipv6.h
nf_tables.h netfilter: nf_tables: add select_ops for stateful objects 2017-09-04 13:25:09 +02:00
nfnetlink_log.h
nft_dup.h
nft_fib.h
nft_masq.h
nft_meta.h
nft_redir.h
nft_reject.h
xt_rateest.h