From: Linus Lüssing
To: netfilter-devel@vger.kernel.org
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, Stephen Hemminger, "David S . Miller", coreteam@netfilter.org, bridge@lists.linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Linus Lüssing
Subject: [PATCH net-next] bridge: ebtables: Avoid resetting limit rule state
Date: Sat, 25 Nov 2017 08:44:18 +0100
Message-Id: <20171125074418.16537-1-linus.luessing@c0d3.blue>

So far any changes with ebtables will reset the state of limit rules, leading to spikes in traffic. This is especially noticeable if changes are done frequently, for instance via a daemon.

This patch fixes this by bailing out from (re)setting if the limit rule was initialized before.

When sending packets every 250ms for 600s, with a "--limit 1/sec --limit-burst 50" rule and a command like this in the background:

$ ebtables -N VOIDCHAIN
$ while true; do ebtables -F VOIDCHAIN; sleep 30; done

The results are:

Before: ~1600 packets
After: 650 packets

Signed-off-by: Linus Lüssing
--- net/bridge/netfilter/ebt_limit.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c index 61a9f1be1263..f74b48633feb 100644 --- a/net/bridge/netfilter/ebt_limit.c +++ b/net/bridge/netfilter/ebt_limit.c 
@@ -69,6 +69,10 @@ static int ebt_limit_mt_check(const struct xt_mtchk_param *par) { struct ebt_limit_info *info = par->matchinfo; + /* Do not reset state on unrelated table changes */ + if (info->prev) + return 0; + /* Check for overflow. */ if (info->burst == 0 || user2credits(info->avg * info->burst) < user2credits(info->avg)) { -- 2.11.0 From 1586166027263752858@xxx Thu Dec 07 22:30:01 +0000 2017 X-GM-THRID: 1586166027263752858 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread
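Review bot: The new `if (info->prev) return 0;` sits above the "Check for overflow" block, so whenever `prev` is non-zero the `burst`/`avg` validation is skipped and the check function reports success without having looked at the parameters. Consider moving the early return below the overflow check so that validation always runs. The comment or commit message should also say what guarantees `info->prev` is zero for a newly added rule: `info` is taken straight from `par->matchinfo`, and nothing in this hunk shows that field being cleared before the check runs.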
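The measurement in the commit message can be reproduced with a simplified token-bucket model. This is an added example, not code from the patch or the kernel: it counts in milliseconds instead of jiffies, and `struct bucket`, `bucket_init`, `bucket_match` and `simulate` are hypothetical names. It assumes a packet every 250 ms for 600 s against "--limit 1/sec --limit-burst 50", with and without a state reset every 30 s.

```c
#include <stdio.h>
/* Simplified model of a limit rule's token bucket; time is in ms, not jiffies. */
struct bucket {
    long prev;               /* time of the last update */
    long credit, credit_cap; /* available credit and its ceiling (burst * cost) */
    long cost;               /* credit consumed per matched packet */
};

/* What (re)initialising the rule does: the bucket starts with a full burst. */
static void bucket_init(struct bucket *b, long now, long per_sec, long burst)
{
    b->cost = 1000 / per_sec;
    b->credit = b->credit_cap = burst * b->cost;
    b->prev = now;
}

/* Returns 1 if the packet arriving at 'now' is within the limit. */
static int bucket_match(struct bucket *b, long now)
{
    b->credit += now - b->prev;      /* earn credit for the elapsed time */
    b->prev = now;
    if (b->credit > b->credit_cap)
        b->credit = b->credit_cap;
    if (b->credit < b->cost)
        return 0;                    /* over the limit */
    b->credit -= b->cost;
    return 1;
}

/* Count matched packets; reinit_every_ms == 0 means the state is preserved. */
long simulate(long duration_ms, long interval_ms, long reinit_every_ms)
{
    struct bucket b;
    long t, passed = 0;
    bucket_init(&b, 0, 1, 50);       /* --limit 1/sec --limit-burst 50 */
    for (t = 0; t < duration_ms; t += interval_ms) {
        if (reinit_every_ms && t > 0 && t % reinit_every_ms == 0)
            bucket_init(&b, t, 1, 50);   /* state reset by a table change */
        passed += bucket_match(&b, t);
    }
    return passed;
}

int main(void)
{
    printf("state reset every 30s: %ld packets\n", simulate(600000, 250, 30000));
    printf("state preserved:       %ld packets\n", simulate(600000, 250, 0));
    return 0;
}
```

In this model each reset hands out a fresh burst of 50, giving 1580 matched packets against 649 when the state is kept, in line with the reported ~1600 and 650.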