Date: Fri, 1 Apr 2022 21:31:59 +0200
From: Florian Westphal
To: Vasily Averin
Cc: Florian Westphal, Pablo Neira Ayuso, kernel@openvz.org, Jozsef Kadlecsik, netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org, Roman Gushchin
Subject: Re: [PATCH nft] nft: memcg accounting for dynamically allocated objects
Message-ID: <20220401193159.GB28321@breakpoint.cc>

Vasily Averin wrote:
> > Same problem as connlimit, can be called from packet path.
> > Basically all GFP_ATOMIC are suspicious.
> >
> > Not sure how to resolve this, similar mechanics in iptables world (e.g.
> > connlimit or SET target) don't use memcg accounting.
> >
> > Perhaps for now resend with only the GFP_KERNEL parts converted?
> > Those are safe.
>
> It is safe for packet path too, _ACCOUNT allocation will not be able to find memcg
> in case of "!in_task()" context.
> On the other hand any additional checks on such path will affect performance.

I'm not sure this works with ksoftirqd serving network stack?

> Could you please estimate how often is this code used in the case of nft vs packet path?

It depends on user configuration.
Update from packet path is used for things like port knocking or other dynamic filter lists, or something like limiting connections to x-per-address/subnet and so on.

> If the opposite is the case, then I can add __GFP_ACCOUNT flag depending on in_task() check.

But what task/memcg is used for the accounting in that case?