colin/NetworkManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bond: don't configure "counter" on nft rules for slb-bonding/mlag

Browse Source 
Counters are convenient for debugging, but have a performance overhead.
Configure them only when debug logging in NetworkManager is enabled.
This commit is contained in:
Thomas Haller
2023-05-10 07:44:52 +02:00
parent 3c3938406d
commit 2c716f04f9
3 changed files with 34 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/core/nm-bond-manager.c
View File

@@ -438,6 +438,7 @@ _nft_call(NMBondManager *self,
{
gs_unref_bytes GBytes *stdin_buf = NULL;
gs_free const char *const *previous_members_strv = NULL;
gboolean with_counters;
if (up) {
gs_unref_ptrarray GPtrArray *arr = NULL;
@@ -480,11 +481,16 @@ _nft_call(NMBondManager *self,
}
}
/* counters in the nft rules are convenient for debugging, but have a performance overhead.
* Enable counters based on whether NM logging is enabled. */
with_counters = _NMLOG_ENABLED(LOGL_TRACE);
stdin_buf = nm_firewall_nft_stdio_mlag(up,
bond_ifname,
bond_ifnames_down,
active_members,
previous_members_strv);
previous_members_strv,
with_counters);
nm_clear_g_cancellable(&self->cancellable);
self->cancellable = g_cancellable_new();

41
src/core/nm-firewall-utils.c
View File

@@ -763,13 +763,15 @@ nm_firewall_nft_stdio_mlag(gboolean up,
const char *bond_ifname,
const char *const *bond_ifnames_down,
const char *const *active_members,
const char *const *previous_members)
const char *const *previous_members,
gboolean with_counters)
{
nm_auto_str_buf NMStrBuf strbuf_table_name =
NM_STR_BUF_INIT_A(NM_UTILS_GET_NEXT_REALLOC_SIZE_32, FALSE);
nm_auto_str_buf NMStrBuf strbuf = NM_STR_BUF_INIT(NM_UTILS_GET_NEXT_REALLOC_SIZE_1000, FALSE);
const char *table_name;
gsize i;
const char *const s_counter = with_counters ? " counter" : "";
if (NM_MORE_ASSERTS > 10 && active_members) {
/* No duplicates. We make certain assumptions here, and we don't
@@ -876,9 +878,10 @@ nm_firewall_nft_stdio_mlag(gboolean up,
_append(&strbuf,
"add rule netdev %s %s pkttype {"
" broadcast, multicast "
"} counter drop",
"}%s drop",
table_name,
chain_name);
chain_name,
s_counter);
}
/* OVS SLB rule 2
@@ -906,14 +909,16 @@ nm_firewall_nft_stdio_mlag(gboolean up,
bond_ifname);
_append(&strbuf,
"add rule netdev %s tx-snoop-source-mac set update ether saddr . vlan id "
" timeout 5s @macset-tagged counter return"
"timeout 5s @macset-tagged%s return"
"", /* tagged */
table_name);
table_name,
s_counter);
_append(&strbuf,
"add rule netdev %s tx-snoop-source-mac set update ether saddr"
" timeout 5s @macset-untagged counter"
"add rule netdev %s tx-snoop-source-mac set update ether saddr timeout 5s "
"@macset-untagged%s"
"", /* untagged*/
table_name);
table_name,
s_counter);
_append(&strbuf,
"add chain netdev %s rx-drop-looped-packets {"
@@ -921,18 +926,20 @@ nm_firewall_nft_stdio_mlag(gboolean up,
"}",
table_name,
bond_ifname);
_append(
&strbuf,
"add rule netdev %s rx-drop-looped-packets ether saddr . vlan id @macset-tagged%s drop",
table_name,
s_counter);
_append(&strbuf,
"add rule netdev %s rx-drop-looped-packets ether saddr . vlan id"
" @macset-tagged counter drop",
table_name);
_append(&strbuf,
"add rule netdev %s rx-drop-looped-packets ether type vlan counter return"
"add rule netdev %s rx-drop-looped-packets ether type vlan%s return"
"", /* avoid looking up tagged packets in untagged table */
table_name);
table_name,
s_counter);
_append(&strbuf,
"add rule netdev %s rx-drop-looped-packets ether saddr @macset-untagged"
" counter drop",
table_name);
"add rule netdev %s rx-drop-looped-packets ether saddr @macset-untagged%s drop",
table_name,
s_counter);
}
out:

3
src/core/nm-firewall-utils.h
View File

@@ -39,6 +39,7 @@ GBytes *nm_firewall_nft_stdio_mlag(gboolean up,
const char *bond_ifname,
const char *const *bond_ifnames_down,
const char *const *active_members,
const char *const *previous_members);
const char *const *previous_members,
gboolean with_counters);
#endif /* __NM_FIREWALL_UTILS_H__ */