modify session manager related configuration

2024-08-29 16:25:15 +08:00
parent 419d12760e
commit 338dcf93e5
31 changed files with 928 additions and 1093 deletions
--- a/infra/session_manager/session_manager.c
+++ b/infra/session_manager/session_manager.c
@@ -1,8 +1,10 @@
 #include <time.h>
 #include <stdlib.h>
 #include <assert.h>
+#include <errno.h>

 #include "utils.h"
+#include "toml.h"
 #include "log_private.h"
 #include "packet_helper.h"
 #include "packet_filter.h"
@@ -16,6 +18,7 @@

 #define SESSION_LOG_ERROR(format, ...) STELLAR_LOG_ERROR(__thread_local_logger, "session", format, ##__VA_ARGS__)
 #define SESSION_LOG_DEBUG(format, ...) STELLAR_LOG_DEBUG(__thread_local_logger, "session", format, ##__VA_ARGS__)
+#define SESSION_LOG_INFO(format, ...) STELLAR_LOG_INFO(__thread_local_logger, "session", format, ##__VA_ARGS__)

 struct session_manager
 {
@@ -29,20 +32,21 @@ struct session_manager
     struct session_filter *evicte_sess_filter;

     struct session_manager_stat stat;
-     struct session_manager_options opts;
+     struct session_manager_config cfg;

     /*
      * only used for session_set_discard() or session_manager record_duplicated_packet(),
      * because the function is called by pluin and has no time input.
      */
     uint64_t now_ms;
+     uint64_t last_clean_expired_sess_ts;
     session_id_generate_fn id_generator;
 };

 #define EVICTE_SESSION_BURST (RX_BURST_MAX)

 /******************************************************************************
- * Session Manager Stat
+ * session manager stat macro
 ******************************************************************************/

 #define SESS_MGR_STAT_INC(stat, state, proto)  \
@@ -103,136 +107,7 @@ struct session_manager
     }

 /******************************************************************************
- * Session Manager Options
- ******************************************************************************/
-
-static int check_options(const struct session_manager_options *opts)
-{
-     if (opts == NULL)
-     {
-          SESSION_LOG_ERROR("invalid options");
-          return -1;
-     }
-
-     // max session number
-     if (opts->max_tcp_session_num < EVICTE_SESSION_BURST * 2)
-     {
-          SESSION_LOG_ERROR("invalid max_tcp_session_num: %lu, supported range: [%u, %lu]", opts->max_tcp_session_num, EVICTE_SESSION_BURST * 2, UINT64_MAX);
-          return -1;
-     }
-     if (opts->max_udp_session_num < EVICTE_SESSION_BURST * 2)
-     {
-          SESSION_LOG_ERROR("invalid max_udp_session_num: %lu, supported range: [%u, %lu]", opts->max_udp_session_num, EVICTE_SESSION_BURST * 2, UINT64_MAX);
-          return -1;
-     }
-
-     // session overload (skip)
-
-     // TCP timeout
-     if (opts->tcp_init_timeout < 1 || opts->tcp_init_timeout > 60000)
-     {
-          SESSION_LOG_ERROR("invalid tcp_init_timeout: %lu, supported range: [1, 60000]", opts->tcp_init_timeout);
-          return -1;
-     }
-     if (opts->tcp_handshake_timeout < 1 || opts->tcp_handshake_timeout > 60000)
-     {
-          SESSION_LOG_ERROR("invalid tcp_handshake_timeout: %lu, supported range: [1, 60000]", opts->tcp_handshake_timeout);
-          return -1;
-     }
-     if (opts->tcp_data_timeout < 1 || opts->tcp_data_timeout > 15999999000)
-     {
-          SESSION_LOG_ERROR("invalid tcp_data_timeout: %lu, supported range: [1, 15999999000]", opts->tcp_data_timeout);
-          return -1;
-     }
-     if (opts->tcp_half_closed_timeout < 1 || opts->tcp_half_closed_timeout > 604800000)
-     {
-          SESSION_LOG_ERROR("invalid tcp_half_closed_timeout: %lu, supported range: [1, 604800000]", opts->tcp_half_closed_timeout);
-          return -1;
-     }
-     if (opts->tcp_time_wait_timeout < 1 || opts->tcp_time_wait_timeout > 600000)
-     {
-          SESSION_LOG_ERROR("invalid tcp_time_wait_timeout: %lu, supported range: [1, 600000]", opts->tcp_time_wait_timeout);
-          return -1;
-     }
-     if (opts->tcp_discard_timeout < 1 || opts->tcp_discard_timeout > 15999999000)
-     {
-          SESSION_LOG_ERROR("invalid tcp_discard_timeout: %lu, supported range: [1, 15999999000]", opts->tcp_discard_timeout);
-          return -1;
-     }
-     if (opts->tcp_unverified_rst_timeout < 1 || opts->tcp_unverified_rst_timeout > 600000)
-     {
-          SESSION_LOG_ERROR("invalid tcp_unverified_rst_timeout: %lu, supported range: [1, 600000]", opts->tcp_unverified_rst_timeout);
-          return -1;
-     }
-     // UDP timeout
-     if (opts->udp_data_timeout < 1 || opts->udp_data_timeout > 15999999000)
-     {
-          SESSION_LOG_ERROR("invalid udp_data_timeout: %lu, supported range: [1, 15999999000]", opts->udp_data_timeout);
-          return -1;
-     }
-
-     // duplicate packet filter
-     if (opts->duplicated_packet_filter_enable)
-     {
-          if (opts->duplicated_packet_filter_capacity == 0)
-          {
-               // UINT32_MAX = 4294967295
-               SESSION_LOG_ERROR("invalid duplicated_packet_filter_capacity: %u, supported range: [1, 4294967295]", opts->duplicated_packet_filter_capacity);
-               return -1;
-          }
-          if (opts->duplicated_packet_filter_timeout < 1 || opts->duplicated_packet_filter_timeout > 60000)
-          {
-               SESSION_LOG_ERROR("invalid duplicated_packet_filter_timeout: %u, supported range: [1, 60000]", opts->duplicated_packet_filter_timeout);
-               return -1;
-          }
-          if (opts->duplicated_packet_filter_error_rate < 0.0 || opts->duplicated_packet_filter_error_rate > 1.0)
-          {
-               SESSION_LOG_ERROR("invalid duplicated_packet_filter_error_rate: %f, supported range: [0.0, 1.0]", opts->duplicated_packet_filter_error_rate);
-               return -1;
-          }
-     }
-
-     // evicted session filter
-     if (opts->evicted_session_filter_enable)
-     {
-          if (opts->evicted_session_filter_capacity == 0)
-          {
-               // UINT32_MAX = 4294967295
-               SESSION_LOG_ERROR("invalid evicted_session_filter_capacity: %u, supported range: [1, 4294967295]", opts->evicted_session_filter_capacity);
-               return -1;
-          }
-          if (opts->evicted_session_filter_timeout < 1 || opts->evicted_session_filter_timeout > 60000)
-          {
-               SESSION_LOG_ERROR("invalid evicted_session_filter_timeout: %u, supported range: [1, 60000]", opts->evicted_session_filter_timeout);
-               return -1;
-          }
-          if (opts->evicted_session_filter_error_rate < 0.0 || opts->evicted_session_filter_error_rate > 1.0)
-          {
-               SESSION_LOG_ERROR("invalid evicted_session_filter_error_rate: %f, supported range: [0.0, 1.0]", opts->evicted_session_filter_error_rate);
-               return -1;
-          }
-     }
-
-     // TCP reassembly
-     if (opts->tcp_reassembly_enable)
-     {
-          if (opts->tcp_reassembly_max_timeout < 1 || opts->tcp_reassembly_max_timeout > 60000)
-          {
-               SESSION_LOG_ERROR("invalid tcp_reassembly_max_timeout: %u, supported range: [1, 60000]", opts->tcp_reassembly_max_timeout);
-               return -1;
-          }
-          if (opts->tcp_reassembly_max_segments < 2 || opts->tcp_reassembly_max_segments > 4096)
-          {
-               SESSION_LOG_ERROR("invalid tcp_reassembly_max_segments: %u, supported range: [2, 4096]", opts->tcp_reassembly_max_segments);
-               return -1;
-          }
-     }
-
-     return 0;
-}
-
-/******************************************************************************
- * TCP
+ * TCP utils
 ******************************************************************************/

 static void tcp_clean(struct session_manager *mgr, struct session *sess)
@@ -266,13 +141,13 @@ static void tcp_clean(struct session_manager *mgr, struct session *sess)

 static int tcp_init(struct session_manager *mgr, struct session *sess)
 {
-     if (!mgr->opts.tcp_reassembly_enable)
+     if (!mgr->cfg.tcp_reassembly_enable)
     {
          return 0;
     }

-     sess->tcp_halfs[FLOW_DIRECTION_C2S].assembler = tcp_reassembly_new(mgr->opts.tcp_reassembly_max_timeout, mgr->opts.tcp_reassembly_max_segments);
-     sess->tcp_halfs[FLOW_DIRECTION_S2C].assembler = tcp_reassembly_new(mgr->opts.tcp_reassembly_max_timeout, mgr->opts.tcp_reassembly_max_segments);
+     sess->tcp_halfs[FLOW_DIRECTION_C2S].assembler = tcp_reassembly_new(mgr->cfg.tcp_reassembly_max_timeout_ms, mgr->cfg.tcp_reassembly_max_segments);
+     sess->tcp_halfs[FLOW_DIRECTION_S2C].assembler = tcp_reassembly_new(mgr->cfg.tcp_reassembly_max_timeout_ms, mgr->cfg.tcp_reassembly_max_segments);
     if (sess->tcp_halfs[FLOW_DIRECTION_C2S].assembler == NULL || sess->tcp_halfs[FLOW_DIRECTION_S2C].assembler == NULL)
     {
          tcp_clean(mgr, sess);
@@ -305,7 +180,7 @@ static void tcp_update(struct session_manager *mgr, struct session *sess, enum f
     half->ack = tcp_hdr_get_ack(hdr);
     half->len = tcp_layer->pld_len;

-     if (!mgr->opts.tcp_reassembly_enable)
+     if (!mgr->cfg.tcp_reassembly_enable)
     {
          if (len)
          {
@@ -415,7 +290,7 @@ static void tcp_update(struct session_manager *mgr, struct session *sess, enum f
 }

 /******************************************************************************
- * Session Direction
+ * session direction identify
 ******************************************************************************/

 static enum flow_direction identify_direction_by_port(uint16_t src_port, uint16_t dst_port)
@@ -449,13 +324,13 @@ static enum flow_direction identify_direction_by_history(const struct session *s
 }

 /******************************************************************************
- * Session Filter
+ * session filter bypass utils
 ******************************************************************************/

 // on new session
 static int tcp_overload_bypass(struct session_manager *mgr, const struct tuple6 *key)
 {
-     if (key->ip_proto == IPPROTO_TCP && mgr->stat.tcp_sess_used >= mgr->opts.max_tcp_session_num)
+     if (key->ip_proto == IPPROTO_TCP && mgr->stat.tcp_sess_used >= mgr->cfg.max_tcp_session_num)
     {
          mgr->stat.tcp_pkts_bypass_table_full++;
          return 1;
@@ -465,7 +340,7 @@ static int tcp_overload_bypass(struct session_manager *mgr, const struct tuple6

 static int udp_overload_bypass(struct session_manager *mgr, const struct tuple6 *key)
 {
-     if (key->ip_proto == IPPROTO_UDP && mgr->stat.udp_sess_used >= mgr->opts.max_udp_session_num)
+     if (key->ip_proto == IPPROTO_UDP && mgr->stat.udp_sess_used >= mgr->cfg.max_udp_session_num)
     {
          mgr->stat.udp_pkts_bypass_table_full++;
          return 1;
@@ -475,7 +350,7 @@ static int udp_overload_bypass(struct session_manager *mgr, const struct tuple6

 static int evicted_session_bypass(struct session_manager *mgr, const struct tuple6 *key)
 {
-     if (mgr->opts.evicted_session_filter_enable && session_filter_lookup(mgr->evicte_sess_filter, key, mgr->now_ms))
+     if (mgr->cfg.evicted_session_filter_enable && session_filter_lookup(mgr->evicte_sess_filter, key, mgr->now_ms))
     {
          mgr->stat.udp_pkts_bypass_session_evicted++;
          return 1;
@@ -487,7 +362,7 @@ static int evicted_session_bypass(struct session_manager *mgr, const struct tupl
 // on update session
 static int duplicated_packet_bypass(struct session_manager *mgr, struct session *sess, const struct packet *pkt, const struct tuple6 *key)
 {
-     if (mgr->opts.duplicated_packet_filter_enable == 0)
+     if (mgr->cfg.duplicated_packet_filter_enable == 0)
     {
          return 0;
     }
@@ -528,7 +403,7 @@ static int duplicated_packet_bypass(struct session_manager *mgr, struct session
 }

 /******************************************************************************
- * Session Manager
+ * session manager utils
 ******************************************************************************/

 static void session_update(struct session_manager *mgr, struct session *sess, enum session_state next_state, const struct packet *pkt, const struct tuple6 *key, enum flow_direction dir)
@@ -642,7 +517,7 @@ static void session_manager_evicte_session(struct session_manager *mgr, struct s
     case SESSION_TYPE_UDP:
          SESSION_LOG_DEBUG("evicte udp old session: %lu", session_get_id(sess));
          session_table_del(mgr->udp_sess_table, sess);
-          if (mgr->opts.evicted_session_filter_enable)
+          if (mgr->cfg.evicted_session_filter_enable)
          {
               session_filter_add(mgr->evicte_sess_filter, session_get_tuple6(sess), mgr->now_ms);
          }
@@ -699,7 +574,7 @@ static struct session *session_manager_new_tcp_session(struct session_manager *m
     }

     // tcp table full evict old session
-     if (mgr->opts.tcp_overload_evict_old_sess && mgr->stat.tcp_sess_used >= mgr->opts.max_tcp_session_num - EVICTE_SESSION_BURST)
+     if (mgr->cfg.tcp_overload_evict_old_sess && mgr->stat.tcp_sess_used >= mgr->cfg.max_tcp_session_num - EVICTE_SESSION_BURST)
     {
          struct session *evic_sess = session_table_find_lru(mgr->tcp_sess_table);
          session_manager_evicte_session(mgr, evic_sess, LRU_EVICT);
@@ -728,11 +603,11 @@ static struct session *session_manager_new_tcp_session(struct session_manager *m
     }
     tcp_update(mgr, sess, dir, tcp_layer);

-     uint64_t timeout = (flags & TH_ACK) ? mgr->opts.tcp_handshake_timeout : mgr->opts.tcp_init_timeout;
+     uint64_t timeout = (flags & TH_ACK) ? mgr->cfg.tcp_handshake_timeout_ms : mgr->cfg.tcp_init_timeout_ms;
     session_timer_update(mgr->sess_timer, sess, mgr->now_ms + timeout);
     session_table_add(mgr->tcp_sess_table, sess);

-     if (mgr->opts.duplicated_packet_filter_enable)
+     if (mgr->cfg.duplicated_packet_filter_enable)
     {
          packet_filter_add(mgr->dup_pkt_filter, pkt, mgr->now_ms);
     }
@@ -747,7 +622,7 @@ static struct session *session_manager_new_tcp_session(struct session_manager *m
 static struct session *session_manager_new_udp_session(struct session_manager *mgr, const struct packet *pkt, const struct tuple6 *key)
 {
     // udp table full evict old session
-     if (mgr->opts.udp_overload_evict_old_sess && mgr->stat.udp_sess_used >= mgr->opts.max_udp_session_num - EVICTE_SESSION_BURST)
+     if (mgr->cfg.udp_overload_evict_old_sess && mgr->stat.udp_sess_used >= mgr->cfg.max_udp_session_num - EVICTE_SESSION_BURST)
     {
          struct session *evic_sess = session_table_find_lru(mgr->udp_sess_table);
          session_manager_evicte_session(mgr, evic_sess, LRU_EVICT);
@@ -768,7 +643,7 @@ static struct session *session_manager_new_udp_session(struct session_manager *m
     session_update(mgr, sess, next_state, pkt, key, dir);
     session_transition_log(sess, SESSION_STATE_INIT, next_state, UDP_DATA);

-     session_timer_update(mgr->sess_timer, sess, mgr->now_ms + mgr->opts.udp_data_timeout);
+     session_timer_update(mgr->sess_timer, sess, mgr->now_ms + mgr->cfg.udp_data_timeout_ms);
     session_table_add(mgr->udp_sess_table, sess);

     SESS_MGR_STAT_INC(&mgr->stat, next_state, udp);
@@ -823,34 +698,34 @@ static int session_manager_update_tcp_session(struct session_manager *mgr, struc
     case SESSION_STATE_OPENING:
          if (flags & TH_SYN)
          {
-               timeout = (flags & TH_ACK) ? mgr->opts.tcp_handshake_timeout : mgr->opts.tcp_init_timeout;
+               timeout = (flags & TH_ACK) ? mgr->cfg.tcp_handshake_timeout_ms : mgr->cfg.tcp_init_timeout_ms;
          }
          else
          {
-               timeout = mgr->opts.tcp_data_timeout;
+               timeout = mgr->cfg.tcp_data_timeout_ms;
          }
          break;
     case SESSION_STATE_ACTIVE:
-          timeout = mgr->opts.tcp_data_timeout;
+          timeout = mgr->cfg.tcp_data_timeout_ms;
          break;
     case SESSION_STATE_CLOSING:
          if (flags & TH_FIN)
          {
-               timeout = (peer->history & TH_FIN) ? mgr->opts.tcp_time_wait_timeout : mgr->opts.tcp_half_closed_timeout;
+               timeout = (peer->history & TH_FIN) ? mgr->cfg.tcp_time_wait_timeout_ms : mgr->cfg.tcp_half_closed_timeout_ms;
          }
          else if (flags & TH_RST)
          {
               // if fin is received, the expected sequence number should be increased by 1
               uint32_t expected = (peer->history & TH_FIN) ? peer->ack + 1 : peer->ack;
-               timeout = (expected == curr->seq) ? mgr->opts.tcp_time_wait_timeout : mgr->opts.tcp_unverified_rst_timeout;
+               timeout = (expected == curr->seq) ? mgr->cfg.tcp_time_wait_timeout_ms : mgr->cfg.tcp_unverified_rst_timeout_ms;
          }
          else
          {
-               timeout = mgr->opts.tcp_data_timeout;
+               timeout = mgr->cfg.tcp_data_timeout_ms;
          }
          break;
     case SESSION_STATE_DISCARD:
-          timeout = mgr->opts.tcp_discard_timeout;
+          timeout = mgr->cfg.tcp_discard_timeout_ms;
          break;
     default:
          assert(0);
@@ -873,11 +748,11 @@ static int session_manager_update_udp_session(struct session_manager *mgr, struc

     if (session_get_current_state(sess) == SESSION_STATE_DISCARD)
     {
-          session_timer_update(mgr->sess_timer, sess, mgr->now_ms + mgr->opts.udp_discard_timeout);
+          session_timer_update(mgr->sess_timer, sess, mgr->now_ms + mgr->cfg.udp_discard_timeout_ms);
     }
     else
     {
-          session_timer_update(mgr->sess_timer, sess, mgr->now_ms + mgr->opts.udp_data_timeout);
+          session_timer_update(mgr->sess_timer, sess, mgr->now_ms + mgr->cfg.udp_data_timeout_ms);
     }

     SESS_MGR_STAT_UPDATE(&mgr->stat, curr_state, next_state, udp);
@@ -885,25 +760,230 @@ static int session_manager_update_udp_session(struct session_manager *mgr, struc
     return 0;
 }

+static inline uint8_t ipv4_in_range(const struct in_addr *addr, const struct in_addr *start, const struct in_addr *end)
+{
+     return (memcmp(addr, start, sizeof(struct in_addr)) >= 0 && memcmp(addr, end, sizeof(struct in_addr)) <= 0);
+}
+
+static inline uint8_t ipv6_in_range(const struct in6_addr *addr, const struct in6_addr *start, const struct in6_addr *end)
+{
+     return (memcmp(addr, start, sizeof(struct in6_addr)) >= 0 && memcmp(addr, end, sizeof(struct in6_addr)) <= 0);
+}
+
 /******************************************************************************
- * Public API
+ * session manager public API
 ******************************************************************************/

-struct session_manager *session_manager_new(struct session_manager_options *opts, uint64_t now_ms)
+#define PARSE_AND_CHECK_NUM(table, key, val, min, max)                                                                        \
+     do                                                                                                                       \
+     {                                                                                                                        \
+          const char *ptr = toml_raw_in(table, (key));                                                                        \
+          if (ptr == NULL)                                                                                                    \
+          {                                                                                                                   \
+               SESSION_LOG_ERROR("config file missing session_manager.%s", (key));                                            \
+               goto error_out;                                                                                                \
+          }                                                                                                                   \
+          (val) = atoll(ptr);                                                                                                 \
+          if ((val) < (min) || (val) > (max))                                                                                 \
+          {                                                                                                                   \
+               SESSION_LOG_ERROR("invalid session_manager.%s: %lu, supported range: [%lu, %lu]", (key), (val), (min), (max)); \
+               goto error_out;                                                                                                \
+          }                                                                                                                   \
+     } while (0)
+
+#define PARSE_AND_CHECK_DOUBLE(table, key, val, min, max)                                                                   \
+     do                                                                                                                     \
+     {                                                                                                                      \
+          const char *ptr = toml_raw_in(table, (key));                                                                      \
+          if (ptr == NULL)                                                                                                  \
+          {                                                                                                                 \
+               SESSION_LOG_ERROR("config file missing session_manager.%s", (key));                                          \
+               goto error_out;                                                                                              \
+          }                                                                                                                 \
+          (val) = atof(ptr);                                                                                                \
+          if ((val) < (min) || (val) > (max))                                                                               \
+          {                                                                                                                 \
+               SESSION_LOG_ERROR("invalid session_manager.%s: %lu, supported range: [%f, %f]", (key), (val), (min), (max)); \
+               goto error_out;                                                                                              \
+          }                                                                                                                 \
+     } while (0)
+
+int session_manager_config_load(struct session_manager_config *cfg, const char *toml_file)
 {
-     if (check_options(opts) == -1)
+     int ret = -1;
+     char errbuf[200];
+     FILE *fp = NULL;
+     toml_table_t *root = NULL;
+     toml_table_t *table = NULL;
+
+     uint64_t zero = 0; // make compiler happy
+
+     fp = fopen(toml_file, "r");
+     if (fp == NULL)
+     {
+          SESSION_LOG_ERROR("config file %s open failed, %s", toml_file, strerror(errno));
+          goto error_out;
+     }
+
+     root = toml_parse_file(fp, errbuf, sizeof(errbuf));
+     if (root == NULL)
+     {
+          SESSION_LOG_ERROR("config file %s parse failed, %s", toml_file, errbuf);
+          goto error_out;
+     }
+
+     table = toml_table_in(root, "session_manager");
+     if (table == NULL)
+     {
+          SESSION_LOG_ERROR("config file %s missing session_manager", toml_file);
+          goto error_out;
+     }
+
+     // max session number
+     PARSE_AND_CHECK_NUM(table, "max_tcp_session_num", cfg->max_tcp_session_num, EVICTE_SESSION_BURST * 2, UINT64_MAX);
+     PARSE_AND_CHECK_NUM(table, "max_udp_session_num", cfg->max_udp_session_num, EVICTE_SESSION_BURST * 2, UINT64_MAX);
+
+     // session overload
+     PARSE_AND_CHECK_NUM(table, "tcp_overload_evict_old_sess", cfg->tcp_overload_evict_old_sess, zero, 1);
+     PARSE_AND_CHECK_NUM(table, "udp_overload_evict_old_sess", cfg->udp_overload_evict_old_sess, zero, 1);
+
+     // TCP timeout
+     PARSE_AND_CHECK_NUM(table, "tcp_init_timeout_ms", cfg->tcp_init_timeout_ms, 1, 60000);
+     PARSE_AND_CHECK_NUM(table, "tcp_handshake_timeout_ms", cfg->tcp_handshake_timeout_ms, 1, 60000);
+     PARSE_AND_CHECK_NUM(table, "tcp_data_timeout_ms", cfg->tcp_data_timeout_ms, 1, 15999999000);
+     PARSE_AND_CHECK_NUM(table, "tcp_half_closed_timeout_ms", cfg->tcp_half_closed_timeout_ms, 1, 604800000);
+     PARSE_AND_CHECK_NUM(table, "tcp_time_wait_timeout_ms", cfg->tcp_time_wait_timeout_ms, 1, 60000);
+     PARSE_AND_CHECK_NUM(table, "tcp_discard_timeout_ms", cfg->tcp_discard_timeout_ms, 1, 15999999000);
+     PARSE_AND_CHECK_NUM(table, "tcp_unverified_rst_timeout_ms", cfg->tcp_unverified_rst_timeout_ms, 1, 60000);
+
+     // UDP timeout
+     PARSE_AND_CHECK_NUM(table, "udp_data_timeout_ms", cfg->udp_data_timeout_ms, 1, 15999999000);
+     PARSE_AND_CHECK_NUM(table, "udp_discard_timeout_ms", cfg->udp_discard_timeout_ms, 1, 15999999000);
+
+     // limit
+     PARSE_AND_CHECK_NUM(table, "session_expire_polling_interval_ms", cfg->session_expire_polling_interval_ms, zero, 60000);
+     PARSE_AND_CHECK_NUM(table, "session_expire_polling_limit", cfg->session_expire_polling_limit, 1, 1024);
+
+     // duplicated packet filter
+     PARSE_AND_CHECK_NUM(table, "duplicated_packet_filter_enable", cfg->duplicated_packet_filter_enable, zero, 1);
+     PARSE_AND_CHECK_NUM(table, "duplicated_packet_filter_capacity", cfg->duplicated_packet_filter_capacity, 1, 4294967295);
+     PARSE_AND_CHECK_NUM(table, "duplicated_packet_filter_timeout_ms", cfg->duplicated_packet_filter_timeout_ms, 1, 60000);
+     PARSE_AND_CHECK_DOUBLE(table, "duplicated_packet_filter_error_rate", cfg->duplicated_packet_filter_error_rate, 0.0, 1.0);
+
+     // eviction session filter
+     PARSE_AND_CHECK_NUM(table, "evicted_session_filter_enable", cfg->evicted_session_filter_enable, zero, 1);
+     PARSE_AND_CHECK_NUM(table, "evicted_session_filter_capacity", cfg->evicted_session_filter_capacity, 1, 4294967295);
+     PARSE_AND_CHECK_NUM(table, "evicted_session_filter_timeout_ms", cfg->evicted_session_filter_timeout_ms, 1, 60000);
+     PARSE_AND_CHECK_DOUBLE(table, "evicted_session_filter_error_rate", cfg->evicted_session_filter_error_rate, 0.0, 1.0);
+
+     // TCP reassembly
+     PARSE_AND_CHECK_NUM(table, "tcp_reassembly_enable", cfg->tcp_reassembly_enable, zero, 1);
+     PARSE_AND_CHECK_NUM(table, "tcp_reassembly_max_timeout_ms", cfg->tcp_reassembly_max_timeout_ms, 1, 60000);
+     PARSE_AND_CHECK_NUM(table, "tcp_reassembly_max_segments", cfg->tcp_reassembly_max_segments, 1, 512);
+
+     ret = 0;
+error_out:
+     if (root)
+     {
+          toml_free(root);
+     }
+     if (fp)
+     {
+          fclose(fp);
+     }
+
+     return ret;
+}
+
+struct session_manager_config *session_manager_config_new(const char *toml_file)
+{
+     if (toml_file == NULL)
     {
          return NULL;
     }

+     struct session_manager_config *cfg = (struct session_manager_config *)calloc(1, sizeof(struct session_manager_config));
+     if (cfg == NULL)
+     {
+          return NULL;
+     }
+
+     if (session_manager_config_load(cfg, toml_file) == -1)
+     {
+          session_manager_config_free(cfg);
+          return NULL;
+     }
+
+     return cfg;
+}
+
+void session_manager_config_free(struct session_manager_config *cfg)
+{
+     if (cfg)
+     {
+          free(cfg);
+          cfg = NULL;
+     }
+}
+
+void session_manager_config_print(struct session_manager_config *cfg)
+{
+     if (cfg)
+     {
+          // max session number
+          SESSION_LOG_INFO("session_manager.max_tcp_session_num                 : %lu", cfg->max_tcp_session_num);
+          SESSION_LOG_INFO("session_manager.max_udp_session_num                 : %lu", cfg->max_udp_session_num);
+
+          // session overload
+          SESSION_LOG_INFO("session_manager.tcp_overload_evict_old_sess         : %d", cfg->tcp_overload_evict_old_sess);
+          SESSION_LOG_INFO("session_manager.udp_overload_evict_old_sess         : %d", cfg->udp_overload_evict_old_sess);
+
+          // TCP timeout
+          SESSION_LOG_INFO("session_manager.tcp_init_timeout_ms                 : %lu", cfg->tcp_init_timeout_ms);
+          SESSION_LOG_INFO("session_manager.tcp_handshake_timeout_ms            : %lu", cfg->tcp_handshake_timeout_ms);
+          SESSION_LOG_INFO("session_manager.tcp_data_timeout_ms                 : %lu", cfg->tcp_data_timeout_ms);
+          SESSION_LOG_INFO("session_manager.tcp_half_closed_timeout_ms          : %lu", cfg->tcp_half_closed_timeout_ms);
+          SESSION_LOG_INFO("session_manager.tcp_time_wait_timeout_ms            : %lu", cfg->tcp_time_wait_timeout_ms);
+          SESSION_LOG_INFO("session_manager.tcp_discard_timeout_ms              : %lu", cfg->tcp_discard_timeout_ms);
+          SESSION_LOG_INFO("session_manager.tcp_unverified_rst_timeout_ms       : %lu", cfg->tcp_unverified_rst_timeout_ms);
+
+          // UDP timeout
+          SESSION_LOG_INFO("session_manager.udp_data_timeout_ms                 : %lu", cfg->udp_data_timeout_ms);
+          SESSION_LOG_INFO("session_manager.udp_discard_timeout_ms              : %lu", cfg->udp_discard_timeout_ms);
+
+          // limit
+          SESSION_LOG_INFO("session_manager.session_expire_polling_interval_ms  : %lu", cfg->session_expire_polling_interval_ms);
+          SESSION_LOG_INFO("session_manager.session_expire_polling_limit        : %lu", cfg->session_expire_polling_limit);
+
+          // duplicated packet filter
+          SESSION_LOG_INFO("session_manager.duplicated_packet_filter_enable     : %d", cfg->duplicated_packet_filter_enable);
+          SESSION_LOG_INFO("session_manager.duplicated_packet_filter_capacity   : %lu", cfg->duplicated_packet_filter_capacity);
+          SESSION_LOG_INFO("session_manager.duplicated_packet_filter_timeout_ms : %lu", cfg->duplicated_packet_filter_timeout_ms);
+          SESSION_LOG_INFO("session_manager.duplicated_packet_filter_error_rate : %f", cfg->duplicated_packet_filter_error_rate);
+
+          // eviction session filter
+          SESSION_LOG_INFO("session_manager.evicted_session_filter_enable       : %d", cfg->evicted_session_filter_enable);
+          SESSION_LOG_INFO("session_manager.evicted_session_filter_capacity     : %lu", cfg->evicted_session_filter_capacity);
+          SESSION_LOG_INFO("session_manager.evicted_session_filter_timeout_ms   : %lu", cfg->evicted_session_filter_timeout_ms);
+          SESSION_LOG_INFO("session_manager.evicted_session_filter_error_rate   : %f", cfg->evicted_session_filter_error_rate);
+
+          // TCP reassembly
+          SESSION_LOG_INFO("session_manager.tcp_reassembly_enable               : %d", cfg->tcp_reassembly_enable);
+          SESSION_LOG_INFO("session_manager.tcp_reassembly_max_timeout_ms       : %lu", cfg->tcp_reassembly_max_timeout_ms);
+          SESSION_LOG_INFO("session_manager.tcp_reassembly_max_segments         : %lu", cfg->tcp_reassembly_max_segments);
+     }
+}
+
+struct session_manager *session_manager_new(const struct session_manager_config *cfg, uint64_t now_ms)
+{
     struct session_manager *mgr = (struct session_manager *)calloc(1, sizeof(struct session_manager));
     if (mgr == NULL)
     {
          return NULL;
     }
-     memcpy(&mgr->opts, opts, sizeof(struct session_manager_options));
+     memcpy(&mgr->cfg, cfg, sizeof(struct session_manager_config));

-     mgr->sess_pool = session_pool_new(mgr->opts.max_tcp_session_num + mgr->opts.max_udp_session_num);
+     mgr->sess_pool = session_pool_new(mgr->cfg.max_tcp_session_num + mgr->cfg.max_udp_session_num);
     mgr->tcp_sess_table = session_table_new();
     mgr->udp_sess_table = session_table_new();
     mgr->sess_timer = session_timer_new(now_ms);
@@ -911,21 +991,21 @@ struct session_manager *session_manager_new(struct session_manager_options *opts
     {
          goto error;
     }
-     if (mgr->opts.evicted_session_filter_enable)
+     if (mgr->cfg.evicted_session_filter_enable)
     {
-          mgr->evicte_sess_filter = session_filter_new(mgr->opts.evicted_session_filter_capacity,
-                                                       mgr->opts.evicted_session_filter_timeout,
-                                                       mgr->opts.evicted_session_filter_error_rate, now_ms);
+          mgr->evicte_sess_filter = session_filter_new(mgr->cfg.evicted_session_filter_capacity,
+                                                       mgr->cfg.evicted_session_filter_timeout_ms,
+                                                       mgr->cfg.evicted_session_filter_error_rate, now_ms);
          if (mgr->evicte_sess_filter == NULL)
          {
               goto error;
          }
     }
-     if (mgr->opts.duplicated_packet_filter_enable)
+     if (mgr->cfg.duplicated_packet_filter_enable)
     {
-          mgr->dup_pkt_filter = packet_filter_new(mgr->opts.duplicated_packet_filter_capacity,
-                                                  mgr->opts.duplicated_packet_filter_timeout,
-                                                  mgr->opts.duplicated_packet_filter_error_rate, now_ms);
+          mgr->dup_pkt_filter = packet_filter_new(mgr->cfg.duplicated_packet_filter_capacity,
+                                                  mgr->cfg.duplicated_packet_filter_timeout_ms,
+                                                  mgr->cfg.duplicated_packet_filter_error_rate, now_ms);
          if (mgr->dup_pkt_filter == NULL)
          {
               goto error;
@@ -935,6 +1015,7 @@ struct session_manager *session_manager_new(struct session_manager_options *opts
     INIT_LIST_HEAD(&mgr->evicte_queue);
     session_transition_init();
     mgr->now_ms = now_ms;
+     mgr->last_clean_expired_sess_ts = now_ms;

     return mgr;

@@ -965,11 +1046,11 @@ void session_manager_free(struct session_manager *mgr)
          {
               session_manager_free_session(mgr, sess);
          }
-          if (mgr->opts.evicted_session_filter_enable)
+          if (mgr->cfg.evicted_session_filter_enable)
          {
               session_filter_free(mgr->evicte_sess_filter);
          }
-          if (mgr->opts.duplicated_packet_filter_enable)
+          if (mgr->cfg.duplicated_packet_filter_enable)
          {
               packet_filter_free(mgr->dup_pkt_filter);
          }
@@ -989,7 +1070,7 @@ void session_manager_set_session_id_generator(struct session_manager *mgr, sessi

 void session_manager_record_duplicated_packet(struct session_manager *mgr, const struct packet *pkt)
 {
-     if (mgr->opts.duplicated_packet_filter_enable)
+     if (mgr->cfg.duplicated_packet_filter_enable)
     {
          packet_filter_add(mgr->dup_pkt_filter, pkt, mgr->now_ms);
     }
@@ -1174,10 +1255,10 @@ struct session *session_manager_get_expired_session(struct session_manager *mgr,
               switch (session_get_type(sess))
               {
               case SESSION_TYPE_TCP:
-                    session_timer_update(mgr->sess_timer, sess, now_ms + mgr->opts.tcp_data_timeout);
+                    session_timer_update(mgr->sess_timer, sess, now_ms + mgr->cfg.tcp_data_timeout_ms);
                    break;
               case SESSION_TYPE_UDP:
-                    session_timer_update(mgr->sess_timer, sess, now_ms + mgr->opts.udp_data_timeout);
+                    session_timer_update(mgr->sess_timer, sess, now_ms + mgr->cfg.udp_data_timeout_ms);
                    break;
               default:
                    assert(0);
@@ -1204,6 +1285,55 @@ struct session *session_manager_get_evicted_session(struct session_manager *mgr)
     }
 }

+// array_size at least EVICTE_SESSION_BURST, suggest 2 * EVICTE_SESSION_BURST
+uint64_t session_manager_clean_session(struct session_manager *mgr, uint64_t now_ms, struct session *cleaned_sess[], uint64_t array_size)
+{
+     mgr->now_ms = now_ms;
+     struct session *sess = NULL;
+     uint64_t cleaned_sess_num = 0;
+     uint64_t expired_sess_num = 0;
+
+     uint8_t expired_sess_canbe_clean = 0;
+     if (now_ms - mgr->last_clean_expired_sess_ts >= mgr->cfg.session_expire_polling_interval_ms)
+     {
+          expired_sess_canbe_clean = 1;
+     }
+
+     for (uint64_t i = 0; i < array_size; i++)
+     {
+          // frist clean evicted session
+          sess = session_manager_get_evicted_session(mgr);
+          if (sess)
+          {
+               cleaned_sess[cleaned_sess_num++] = sess;
+          }
+          // then clean expired session
+          else
+          {
+               if (expired_sess_canbe_clean && expired_sess_num < mgr->cfg.session_expire_polling_limit)
+               {
+                    mgr->last_clean_expired_sess_ts = now_ms;
+                    sess = session_manager_get_expired_session(mgr, now_ms);
+                    if (sess)
+                    {
+                         cleaned_sess[cleaned_sess_num++] = sess;
+                         expired_sess_num++;
+                    }
+                    else
+                    {
+                         break;
+                    }
+               }
+               else
+               {
+                    break;
+               }
+          }
+     }
+
+     return cleaned_sess_num;
+}
+
 uint64_t session_manager_get_expire_interval(struct session_manager *mgr)
 {
     return session_timer_next_expire_interval(mgr->sess_timer);
@@ -1226,11 +1356,11 @@ void session_set_discard(struct session *sess)
     switch (type)
     {
     case SESSION_TYPE_TCP:
-          session_timer_update(mgr->sess_timer, sess, mgr->now_ms + mgr->opts.tcp_discard_timeout);
+          session_timer_update(mgr->sess_timer, sess, mgr->now_ms + mgr->cfg.tcp_discard_timeout_ms);
          SESS_MGR_STAT_UPDATE(&mgr->stat, curr_state, next_state, tcp);
          break;
     case SESSION_TYPE_UDP:
-          session_timer_update(mgr->sess_timer, sess, mgr->now_ms + mgr->opts.udp_discard_timeout);
+          session_timer_update(mgr->sess_timer, sess, mgr->now_ms + mgr->cfg.udp_discard_timeout_ms);
          SESS_MGR_STAT_UPDATE(&mgr->stat, curr_state, next_state, udp);
          break;
     default:
@@ -1239,16 +1369,6 @@ void session_set_discard(struct session *sess)
     }
 }

-static inline uint8_t ipv4_in_range(const struct in_addr *addr, const struct in_addr *start, const struct in_addr *end)
-{
-     return (memcmp(addr, start, sizeof(struct in_addr)) >= 0 && memcmp(addr, end, sizeof(struct in_addr)) <= 0);
-}
-
-static inline uint8_t ipv6_in_range(const struct in6_addr *addr, const struct in6_addr *start, const struct in6_addr *end)
-{
-     return (memcmp(addr, start, sizeof(struct in6_addr)) >= 0 && memcmp(addr, end, sizeof(struct in6_addr)) <= 0);
-}
-
 uint64_t session_manager_scan(const struct session_manager *mgr, const struct session_scan_opts *opts, uint64_t mached_sess_ids[], uint64_t array_size)
 {
     uint64_t capacity = 0;