Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp3353930pxb;
        Mon, 4 Apr 2022 14:26:20 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyoIitgUU7rLs6bptpr65ed5Aze+eVbgia1CieGFu4XdNjCP06y7AZYgJBBFlG8Cv/kJTJy
X-Received: by 2002:a63:7d6:0:b0:399:5aec:2a73 with SMTP id 205-20020a6307d6000000b003995aec2a73mr108363pgh.245.1649107580315;
        Mon, 04 Apr 2022 14:26:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649107580; cv=none;
        d=google.com; s=arc-20160816;
        b=NaY5h6wdao2J18uGxlcwv+HxOGg1T+DEaKivAZQkMdNYWTzv5VpHJFuolvdKje/gAj
         9rEkV0ml7GwV93eWc9JxMXro0MftFDtr12sAyf4Qd7Dzc0BA4cR9hqvY9Us1jR2e428x
         mMtwt9qG82kj2bxkN7RFlC25coOsoRjAetYIZ+k9MMrU6FV6ODNscGW19Lb4cNfqjdYe
         X4OKMqvaKDtfLVsVCrGyvRRSFvn/O7sFiWAuz7Coq7IdwQsuboNwZnawYWBNtkIOIi6z
         30wi9lOjE+/enTPs5sZjiIiSvTMTBejd+ZX3ajbShg/WRKHp1WBl97TyGGtHrjlsGaJI
         J0tw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=I3pQ0Npq9RBjTJ9NZRmXcwVoyoNaan//lMFe4kwGjIw=;
        b=rgwyXLuILQ0XDEPnZUq3LfpL123uQN1p3WnDT5l2WgM1NO1XXqIdc6b667+OMnqOtH
         fpFNSEIqRvYjYii6D2L/W72iqwWsBrzLoGmlC8DP5hCUb6MGE60aYsTPK6417DP9yzl5
         0zEjm9TOho1Otcqzu5LqUGpuMaYBrMjsb+j8DmKv0s8eQNvLE69bnNfobRR2gc70jDGT
         AczVZ7EkYlPfGgncIywnO6Fzy0uylZ4ZPXxYvOVbxM0LMOcTqmWvAqUK9Col5mqXfxGi
         aaGVSKEXviRT9lK26vdxIflTHbrZoKILQo7nq6/00hdZ4PXe1bxuksKwvPsBr7tLIQBR
         JCgw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id t11-20020a170902b20b00b00153c0334fd4si9945121plr.559.2022.04.04.14.26.06;
        Mon, 04 Apr 2022 14:26:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1351656AbiDATdx (ORCPT <rfc822;arunks.linux@gmail.com>
        + 99 others); Fri, 1 Apr 2022 15:33:53 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52654 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233893AbiDATdw (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 1 Apr 2022 15:33:52 -0400
Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc [IPv6:2a0a:51c0:0:12e:520::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D9E63176654;
        Fri,  1 Apr 2022 12:32:02 -0700 (PDT)
Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92)
        (envelope-from <fw@strlen.de>)
        id 1naN03-0001hH-O7; Fri, 01 Apr 2022 21:31:59 +0200
Date:   Fri, 1 Apr 2022 21:31:59 +0200
From:   Florian Westphal <fw@strlen.de>
To:     Vasily Averin <vasily.averin@linux.dev>
Cc:     Florian Westphal <fw@strlen.de>,
        Pablo Neira Ayuso <pablo@netfilter.org>, kernel@openvz.org,
        Jozsef Kadlecsik <kadlec@netfilter.org>,
        netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org,
        Roman Gushchin <roman.gushchin@linux.dev>
Subject: Re: [PATCH nft] nft: memcg accounting for dynamically allocated
 objects
Message-ID: <20220401193159.GB28321@breakpoint.cc>
References: <bf4b8fe3-6dd6-4f3a-12f4-1b5bf2e45783@linux.dev>
 <e730480d-9396-6486-ab98-67ecb683e819@linux.dev>
 <20220401120342.GC9545@breakpoint.cc>
 <7bfa2e2e-b22d-7561-661b-41ef7714caf5@linux.dev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <7bfa2e2e-b22d-7561-661b-41ef7714caf5@linux.dev>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
        SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Vasily Averin <vasily.averin@linux.dev> wrote:
> > Same problem as connlimit, can be called from packet path.
> > Basically all GFP_ATOMIC are suspicious.
> > 
> > Not sure how to resolve this, similar mechanics in iptables world (e.g.
> > connlimit or SET target) don't use memcg accounting.
> > 
> > Perhaps for now resend with only the GFP_KERNEL parts converted?
> > Those are safe.
> 
> It is safe for packet path too, _ACCOUNT allocation will not be able to find memcg
> in case of "!in_task()" context.
> On the other hand any additional checks on such path will affect performance.

I'm not sure this works with ksoftirqd serving network stack?

> Could you please estimate how often is this code used in the case of nft vs packet path?

It depends on user configuration.
Update from packet path is used for things like port knocking or other
dyanamic filter lists, or somehing like Limiting connections to x-per-address/subnet and so on.

> If the opposite is the case, then I can add __GFP_ACCOUNT flag depending on in_task() check.

But what task/memcg is used for the accounting in that case?