authorThomas Haller <thaller@redhat.com>2023-05-10 07:44:52 +0200
committerThomas Haller <thaller@redhat.com>2023-05-10 19:03:40 +0200
commit2c716f04f9b75ed8df70314920a705b48c36c8eb (patch)
tree6ab152f6b929a55dab330fc731c0d3c1e916b424
parent3c3938406dd825f6a0d9e6e55319f0f68a6e2f83 (diff)
bond: don't configure "counter" on nft rules for slb-bonding/mlag
Counters are convenient for debugging, but have a performance overhead. Configure them only when debug logging in NetworkManager is enabled.
-rw-r--r--src/core/nm-bond-manager.c8
-rw-r--r--src/core/nm-firewall-utils.c43
-rw-r--r--src/core/nm-firewall-utils.h3
3 files changed, 34 insertions, 20 deletions
diff --git a/src/core/nm-bond-manager.c b/src/core/nm-bond-manager.c
index 2d15b0b5a0..9985fccf11 100644
--- a/src/core/nm-bond-manager.c
+++ b/src/core/nm-bond-manager.c
@@ -438,6 +438,7 @@ _nft_call(NMBondManager *self,
{
gs_unref_bytes GBytes *stdin_buf = NULL;
gs_free const char *const *previous_members_strv = NULL;
+ gboolean with_counters;
if (up) {
gs_unref_ptrarray GPtrArray *arr = NULL;
@@ -480,11 +481,16 @@ _nft_call(NMBondManager *self,
}
}
+ /* counters in the nft rules are convenient for debugging, but have a performance overhead.
+ * Enable counters based on whether NM logging is enabled. */
+ with_counters = _NMLOG_ENABLED(LOGL_TRACE);
+
stdin_buf = nm_firewall_nft_stdio_mlag(up,
bond_ifname,
bond_ifnames_down,
active_members,
- previous_members_strv);
+ previous_members_strv,
+ with_counters);
nm_clear_g_cancellable(&self->cancellable);
self->cancellable = g_cancellable_new();
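Review bot: The comment added above `with_counters` says counters follow whether "NM logging is enabled", and the commit message says "debug logging", but the gate on the next line is `_NMLOG_ENABLED(LOGL_TRACE)`, so counters are emitted only at trace level; the comment should name the level it actually checks, e.g. `/* Counters in the nft rules are convenient for debugging but have a performance overhead; emit them only when trace logging is enabled. */`. It is also worth saying there that the level is sampled when the ruleset text is generated, so a later change of the log level is reflected only by the next _nft_call(), not in the rules already loaded — assuming nothing else re-runs this path on a logging change, which is not visible here. `_nft_call` begins before this hunk and continues after it.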
diff --git a/src/core/nm-firewall-utils.c b/src/core/nm-firewall-utils.c
index 03f1a9a5eb..ac12d3e432 100644
--- a/src/core/nm-firewall-utils.c
+++ b/src/core/nm-firewall-utils.c
@@ -763,13 +763,15 @@ nm_firewall_nft_stdio_mlag(gboolean up,
const char *bond_ifname,
const char *const *bond_ifnames_down,
const char *const *active_members,
- const char *const *previous_members)
+ const char *const *previous_members,
+ gboolean with_counters)
{
nm_auto_str_buf NMStrBuf strbuf_table_name =
NM_STR_BUF_INIT_A(NM_UTILS_GET_NEXT_REALLOC_SIZE_32, FALSE);
nm_auto_str_buf NMStrBuf strbuf = NM_STR_BUF_INIT(NM_UTILS_GET_NEXT_REALLOC_SIZE_1000, FALSE);
const char *table_name;
gsize i;
+ const char *const s_counter = with_counters ? " counter" : "";
if (NM_MORE_ASSERTS > 10 && active_members) {
/* No duplicates. We make certain assumptions here, and we don't
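Review bot: `s_counter` carries its own leading space and every rewritten format string depends on that by placing `%s` directly after the preceding token (`@macset-tagged%s`, `vlan%s`), which is easy to break in a later edit by adding a space before the `%s` or trimming the literal; a one-line comment on the declaration would pin the contract: `const char *const s_counter = with_counters ? " counter" : ""; /* leading space: format strings put "%s" right after the preceding token */`. The lines of nm_firewall_nft_stdio_mlag between these hunks are not shown, so if any rule there still spells `counter` literally it would now be emitted regardless of `with_counters`; a grep of the whole function for the keyword is worth doing before merging. The function body continues past this hunk.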
@@ -876,9 +878,10 @@ nm_firewall_nft_stdio_mlag(gboolean up,
_append(&strbuf,
"add rule netdev %s %s pkttype {"
" broadcast, multicast "
- "} counter drop",
+ "}%s drop",
table_name,
- chain_name);
+ chain_name,
+ s_counter);
}
/* OVS SLB rule 2
@@ -905,15 +908,17 @@ nm_firewall_nft_stdio_mlag(gboolean up,
table_name,
bond_ifname);
_append(&strbuf,
- "add rule netdev %s tx-snoop-source-mac set update ether saddr . vlan id"
- " timeout 5s @macset-tagged counter return"
+ "add rule netdev %s tx-snoop-source-mac set update ether saddr . vlan id "
+ "timeout 5s @macset-tagged%s return"
"", /* tagged */
- table_name);
+ table_name,
+ s_counter);
_append(&strbuf,
- "add rule netdev %s tx-snoop-source-mac set update ether saddr"
- " timeout 5s @macset-untagged counter"
+ "add rule netdev %s tx-snoop-source-mac set update ether saddr timeout 5s "
+ "@macset-untagged%s"
"", /* untagged*/
- table_name);
+ table_name,
+ s_counter);
_append(&strbuf,
"add chain netdev %s rx-drop-looped-packets {"
@@ -921,18 +926,20 @@ nm_firewall_nft_stdio_mlag(gboolean up,
"}",
table_name,
bond_ifname);
+ _append(
+ &strbuf,
+ "add rule netdev %s rx-drop-looped-packets ether saddr . vlan id @macset-tagged%s drop",
+ table_name,
+ s_counter);
_append(&strbuf,
- "add rule netdev %s rx-drop-looped-packets ether saddr . vlan id"
- " @macset-tagged counter drop",
- table_name);
- _append(&strbuf,
- "add rule netdev %s rx-drop-looped-packets ether type vlan counter return"
+ "add rule netdev %s rx-drop-looped-packets ether type vlan%s return"
"", /* avoid looking up tagged packets in untagged table */
- table_name);
+ table_name,
+ s_counter);
_append(&strbuf,
- "add rule netdev %s rx-drop-looped-packets ether saddr @macset-untagged"
- " counter drop",
- table_name);
+ "add rule netdev %s rx-drop-looped-packets ether saddr @macset-untagged%s drop",
+ table_name,
+ s_counter);
}
out:
diff --git a/src/core/nm-firewall-utils.h b/src/core/nm-firewall-utils.h
index ca138ccf78..9f13a5127e 100644
--- a/src/core/nm-firewall-utils.h
+++ b/src/core/nm-firewall-utils.h
@@ -39,6 +39,7 @@ GBytes *nm_firewall_nft_stdio_mlag(gboolean up,
const char *bond_ifname,
const char *const *bond_ifnames_down,
const char *const *active_members,
- const char *const *previous_members);
+ const char *const *previous_members,
+ gboolean with_counters);
#endif /* __NM_FIREWALL_UTILS_H__ */
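Review bot: The new `with_counters` parameter is undocumented in the header, and the prototype carries no doc comment at all, so a caller cannot tell from the declaration what the flag controls or that it is purely accounting; a trailing comment on the parameter is enough: `gboolean with_counters /* emit a "counter" statement in each generated rule; accounting only, the rule verdicts are unchanged */`. The prototype starts in the `@@` context line, so the declaration's beginning is outside this hunk.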