bond: don't configure "counter" on nft rules for slb-bonding/mlag

Counters are convenient for debugging, but have a performance overhead.
Configure them only when debug logging in NetworkManager is enabled.
This commit is contained in:
Thomas Haller
2023-05-10 07:44:52 +02:00
parent 3c3938406d
commit 2c716f04f9
3 changed files with 34 additions and 20 deletions


@@ -438,6 +438,7 @@ _nft_call(NMBondManager *self,
{ {
gs_unref_bytes GBytes *stdin_buf = NULL; gs_unref_bytes GBytes *stdin_buf = NULL;
gs_free const char *const *previous_members_strv = NULL; gs_free const char *const *previous_members_strv = NULL;
gboolean with_counters;
if (up) { if (up) {
gs_unref_ptrarray GPtrArray *arr = NULL; gs_unref_ptrarray GPtrArray *arr = NULL;
@@ -480,11 +481,16 @@ _nft_call(NMBondManager *self,
} }
} }
/* counters in the nft rules are convenient for debugging, but have a performance overhead.
* Enable counters based on whether NM logging is enabled. */
with_counters = _NMLOG_ENABLED(LOGL_TRACE);
stdin_buf = nm_firewall_nft_stdio_mlag(up, stdin_buf = nm_firewall_nft_stdio_mlag(up,
bond_ifname, bond_ifname,
bond_ifnames_down, bond_ifnames_down,
active_members, active_members,
previous_members_strv); previous_members_strv,
with_counters);
nm_clear_g_cancellable(&self->cancellable); nm_clear_g_cancellable(&self->cancellable);
self->cancellable = g_cancellable_new(); self->cancellable = g_cancellable_new();
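Review bot: The comment added at the top of the second hunk says counters follow "whether NM logging is enabled", but the condition on the next line is specifically `_NMLOG_ENABLED(LOGL_TRACE)`, and the commit message says "debug logging" — three wordings for one check. I would make the comment match the code: `/* counters in the nft rules are convenient for debugging, but have a performance overhead. Add them only while trace-level logging is enabled for this code's log domain. */`. Because the level is read on every call, the generated ruleset now depends on the log level at the moment of the call; if the level can be changed at runtime, two consecutive calls with the same member set may emit different rule text, which is presumably harmless for nft but deserves a sentence in that comment. `_nft_call` starts and ends outside the hunk, so I cannot see whether `with_counters` is read on any path before the assignment.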


@@ -763,13 +763,15 @@ nm_firewall_nft_stdio_mlag(gboolean up,
const char *bond_ifname, const char *bond_ifname,
const char *const *bond_ifnames_down, const char *const *bond_ifnames_down,
const char *const *active_members, const char *const *active_members,
const char *const *previous_members) const char *const *previous_members,
gboolean with_counters)
{ {
nm_auto_str_buf NMStrBuf strbuf_table_name = nm_auto_str_buf NMStrBuf strbuf_table_name =
NM_STR_BUF_INIT_A(NM_UTILS_GET_NEXT_REALLOC_SIZE_32, FALSE); NM_STR_BUF_INIT_A(NM_UTILS_GET_NEXT_REALLOC_SIZE_32, FALSE);
nm_auto_str_buf NMStrBuf strbuf = NM_STR_BUF_INIT(NM_UTILS_GET_NEXT_REALLOC_SIZE_1000, FALSE); nm_auto_str_buf NMStrBuf strbuf = NM_STR_BUF_INIT(NM_UTILS_GET_NEXT_REALLOC_SIZE_1000, FALSE);
const char *table_name; const char *table_name;
gsize i; gsize i;
const char *const s_counter = with_counters ? " counter" : "";
if (NM_MORE_ASSERTS > 10 && active_members) { if (NM_MORE_ASSERTS > 10 && active_members) {
/* No duplicates. We make certain assumptions here, and we don't /* No duplicates. We make certain assumptions here, and we don't
@@ -876,9 +878,10 @@ nm_firewall_nft_stdio_mlag(gboolean up,
_append(&strbuf, _append(&strbuf,
"add rule netdev %s %s pkttype {" "add rule netdev %s %s pkttype {"
" broadcast, multicast " " broadcast, multicast "
"} counter drop", "}%s drop",
table_name, table_name,
chain_name); chain_name,
s_counter);
} }
/* OVS SLB rule 2 /* OVS SLB rule 2
@@ -905,15 +908,17 @@ nm_firewall_nft_stdio_mlag(gboolean up,
table_name, table_name,
bond_ifname); bond_ifname);
_append(&strbuf, _append(&strbuf,
"add rule netdev %s tx-snoop-source-mac set update ether saddr . vlan id" "add rule netdev %s tx-snoop-source-mac set update ether saddr . vlan id "
" timeout 5s @macset-tagged counter return" "timeout 5s @macset-tagged%s return"
"", /* tagged */ "", /* tagged */
table_name); table_name,
s_counter);
_append(&strbuf, _append(&strbuf,
"add rule netdev %s tx-snoop-source-mac set update ether saddr" "add rule netdev %s tx-snoop-source-mac set update ether saddr timeout 5s "
" timeout 5s @macset-untagged counter" "@macset-untagged%s"
"", /* untagged*/ "", /* untagged*/
table_name); table_name,
s_counter);
_append(&strbuf, _append(&strbuf,
"add chain netdev %s rx-drop-looped-packets {" "add chain netdev %s rx-drop-looped-packets {"
@@ -921,18 +926,20 @@ nm_firewall_nft_stdio_mlag(gboolean up,
"}", "}",
table_name, table_name,
bond_ifname); bond_ifname);
_append(
&strbuf,
"add rule netdev %s rx-drop-looped-packets ether saddr . vlan id @macset-tagged%s drop",
table_name,
s_counter);
_append(&strbuf, _append(&strbuf,
"add rule netdev %s rx-drop-looped-packets ether saddr . vlan id" "add rule netdev %s rx-drop-looped-packets ether type vlan%s return"
" @macset-tagged counter drop",
table_name);
_append(&strbuf,
"add rule netdev %s rx-drop-looped-packets ether type vlan counter return"
"", /* avoid looking up tagged packets in untagged table */ "", /* avoid looking up tagged packets in untagged table */
table_name); table_name,
s_counter);
_append(&strbuf, _append(&strbuf,
"add rule netdev %s rx-drop-looped-packets ether saddr @macset-untagged" "add rule netdev %s rx-drop-looped-packets ether saddr @macset-untagged%s drop",
" counter drop", table_name,
table_name); s_counter);
} }
out: out:
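Review bot: `s_counter` at the top of the first hunk carries its separating space inside the string (`" counter"`) and every format string splices it with `%s` directly after the previous token; that is correct for all six rules changed in this file, but it is an easy convention to break when the next rule is written as `"... %s drop"` and ends up with a double space or, with counters disabled, a trailing one. A one-line comment beside the definition would make it explicit: `/* leading space: spliced directly after the preceding expression, so the format strings must not add one */`. The signature gains `with_counters` both here and in the header declaration in the third file, but neither documents it; the function's header comment (outside this hunk) should state that the flag adds a `counter` statement to each rule for debugging purposes and that the emitted rule text therefore differs between the two modes. `nm_firewall_nft_stdio_mlag` starts before the first hunk and continues past `out:`.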


@@ -39,6 +39,7 @@ GBytes *nm_firewall_nft_stdio_mlag(gboolean up,
const char *bond_ifname, const char *bond_ifname,
const char *const *bond_ifnames_down, const char *const *bond_ifnames_down,
const char *const *active_members, const char *const *active_members,
const char *const *previous_members); const char *const *previous_members,
gboolean with_counters);
#endif /* __NM_FIREWALL_UTILS_H__ */ #endif /* __NM_FIREWALL_UTILS_H__ */