From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
To: Jeff Chua <jeff.chua.linux@gmail.com>
Cc: Patrick McHardy <kaber@trash.net>,
	lkml <linux-kernel@vger.kernel.org>,
	Krzysztof Piotr Oledzki <ole@ans.pl>,
	"David S. Miller" <davem@davemloft.net>,
	cups-bugs <cups-bugs@easysw.com>,
	Netfilter Development Mailinglist 
	<netfilter-devel@vger.kernel.org>
Subject: Re: cups slow on linux-2.6.24
Date: Mon, 4 Feb 2008 21:17:31 +0100 (CET)
Message-ID: <Pine.LNX.4.64.0802042109230.31268@blackhole.kfki.hu>
In-Reply-To: <Pine.LNX.4.64.0802042226340.28805@boston.corp.fedex.com>

Hi,

On Mon, 4 Feb 2008, Jeff Chua wrote:

> > Attached are the dump files mentioned.
> 
> Not sure whether the attached files got uploaded. So, I'm sending this one
> more time.

I could reproduce the slow-down by a loop of socat commands. The dump you 
sent looks exactly like the traces I got when dumping the traffic generated 
by socat and that is good.

Actively closed connections are not handled properly, i.e. the initiator 
of the active close should not be taken into account. So could you give 
the patch below a try? Does it just suppress the 'invalid packet ignored' 
and all other kernel messages, or does it both suppress them and produce 
normal printing speed?

commit 2067ab64ef876efaa0f4dd8fe73f48f50e215369
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date:   Sun Feb 3 17:14:22 2008 +0100

    Handle active close for both sides, it is not restricted
    to one side alone.

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 7a3f64c..8c7efe2 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -135,7 +135,7 @@ enum tcp_bit_set {
  * CLOSE_WAIT:	ACK seen (after FIN)
  * LAST_ACK:	FIN seen (after FIN)
  * TIME_WAIT:	last ACK seen
- * CLOSE:	closed connection
+ * CLOSE:	closed connection (RST)
  *
  * LISTEN state is not used.
  *
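Review bot: the reworded CLOSE entry in the state list does not follow the form of its neighbours, which describe the packet that causes the state ("FIN seen (after FIN)", "last ACK seen"). Something like "CLOSE: RST seen" would match the list and make it explicit that this state is reached through a reset, which is what the last hunk of this patch relies on.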
@@ -834,8 +834,21 @@ static int tcp_packet(struct nf_conn *conntrack,
 	case TCP_CONNTRACK_SYN_SENT:
 		if (old_state < TCP_CONNTRACK_TIME_WAIT)
 			break;
-		if ((conntrack->proto.tcp.seen[!dir].flags &
-			IP_CT_TCP_FLAG_CLOSE_INIT)
+		/* RFC 1122: "When a connection is closed actively,
+		 * it MUST linger in TIME-WAIT state for a time 2xMSL
+		 * (Maximum Segment Lifetime). However, it MAY accept
+		 * a new SYN from the remote TCP to reopen the connection
+		 * directly from TIME-WAIT state, if..."
+		 * We ignore the conditions because we are in the
+		 * TIME-WAIT state anyway.
+		 *
+		 * Handle aborted connections: we and the server
+		 * think there is an existing connection but the client
+		 * aborts it and starts a new one.
+		 */
+		if (((conntrack->proto.tcp.seen[dir].flags
+		      | conntrack->proto.tcp.seen[!dir].flags)
+		     & IP_CT_TCP_FLAG_CLOSE_INIT)
 		    || (conntrack->proto.tcp.last_dir == dir
 		        && conntrack->proto.tcp.last_index == TCP_RST_SET)) {
 			/* Attempt to reopen a closed/aborted connection.
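Review bot: the new comment in the TCP_CONNTRACK_SYN_SENT case justifies skipping the RFC 1122 conditions with "we are in the TIME-WAIT state anyway", but the guard just above it is `old_state < TCP_CONNTRACK_TIME_WAIT`, so this branch is reached from every state that sorts at or after TIME_WAIT, not only from TIME_WAIT itself. The quoted RFC sentence also speaks of a new SYN "from the remote TCP", while the new test ORs `seen[dir].flags` with `seen[!dir].flags`, so a SYN from either side takes the reopen path once either side has set IP_CT_TCP_FLAG_CLOSE_INIT. Suggest rewording the comment to say that plainly and to name the conditions hidden behind "if...", since the code deliberately does not check them.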
@@ -848,18 +861,25 @@ static int tcp_packet(struct nf_conn *conntrack,
 		}
 		/* Fall through */
 	case TCP_CONNTRACK_IGNORE:
-		/* Ignored packets:
+		/* Ignored packets: 
+		 *
+		 * Our connection entry may be out of sync, so ignore
+		 * packets which may signal the real connection between
+		 * the client and the server.
 		 *
 		 * a) SYN in ORIGINAL
 		 * b) SYN/ACK in REPLY
 		 * c) ACK in reply direction after initial SYN in original.
+		 *
+		 * If the ignored packet is invalid, the receiver will send 
+		 * a RST we'll catch below.
 		 */
 		if (index == TCP_SYNACK_SET
 		    && conntrack->proto.tcp.last_index == TCP_SYN_SET
 		    && conntrack->proto.tcp.last_dir != dir
 		    && ntohl(th->ack_seq) ==
 			     conntrack->proto.tcp.last_end) {
-			/* This SYN/ACK acknowledges a SYN that we earlier
+			/* b) This SYN/ACK acknowledges a SYN that we earlier
 			 * ignored as invalid. This means that the client and
 			 * the server are both in sync, while the firewall is
 			 * not. We kill this session and block the SYN/ACK so
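Review bot: two of the added comment lines in the TCP_CONNTRACK_IGNORE case carry trailing whitespace. The line `/* Ignored packets: ` is changed only by gaining a trailing space, and `* If the ignored packet is invalid, the receiver will send ` ends in one as well. Please drop both so the first of them disappears from the diff. The "b)" label added to the SYN/ACK comment is a useful cross-reference to the list above; if cases a) and c) are handled in identifiable places, labelling those the same way would keep the mapping complete.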
@@ -938,8 +958,7 @@ static int tcp_packet(struct nf_conn *conntrack,
 
 	conntrack->proto.tcp.state = new_state;
 	if (old_state != new_state
-	    && (new_state == TCP_CONNTRACK_FIN_WAIT
-		|| new_state == TCP_CONNTRACK_CLOSE))
+	    && new_state == TCP_CONNTRACK_FIN_WAIT)
 		conntrack->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
 	timeout = conntrack->proto.tcp.retrans >= nf_ct_tcp_max_retrans
 		  && *tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans
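Review bot: dropping `new_state == TCP_CONNTRACK_CLOSE` from the condition that sets IP_CT_TCP_FLAG_CLOSE_INIT is a behavioural change that the commit message ("Handle active close for both sides") does not mention. After it, a transition to CLOSE no longer marks either direction as close initiator, so reopening after an abort depends entirely on the `last_dir == dir && last_index == TCP_RST_SET` test in the SYN_SENT case, which as written only matches a SYN travelling in the same direction as the recorded RST. If that restriction is intended, please say so in the changelog or in a comment next to this condition; if not, the RST test in the earlier hunk needs the same both-directions treatment as the flag test.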

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
