OpenVZ Forum: Devel » [PATCH 2.6.21-rc6] [netfilter] early

Home » Mailing lists » Devel » [PATCH 2.6.21-rc6] [netfilter] early_drop imrovement

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Re: [PATCH 2.6.21-rc6] [netfilter] early_drop imrovement [message #11792 is a reply to message #11789]

Fri, 06 April 2007 15:08

Patrick McHardy
Messages: 107
Registered: March 2006

Senior Member

Vasily Averin wrote:
> No, I've not investigated this scenario. It looks like you are right and my
> patch can leads to a long delays.
>
> In my experiments I've decreased ip_conntrack_max lower than number of hash
> buckets and got the "table full, dropping packet" errors in logs. I've looked on
> the conntrack list and found a huge number of conntracks that can be freed.
> However my hash bucket was empty and therefore I even did not have any chances
> to free something. That's why I would like to check the other hash buckets too.
>
> Ok, let's limit the number of conntracks that can be checked inside
> early_drop(). What do you prefer: some round number (for example 100) or
> fraction of ip_conntrack_max (for example 1%)?

A (small) fraction sounds better. We could even consider keeping track
of the number of conntracks that can be evicted (not assured), so in a
DOS situation we could save unnecessary table scans. Not sure if its
worth the effort though.

Anyway, please base your patch on the net-2.6.22 tree, which doesn't
include ip_conntrack anymore.

Report message to a moderator

[Message index]

		[PATCH 2.6.21-rc6] [netfilter] early_drop imrovement By: vaverin on Fri, 06 April 2007 08:00
		Re: [PATCH 2.6.21-rc6] [netfilter] early_drop imrovement By: Eric Dumazet on Fri, 06 April 2007 08:24
		Re: [PATCH 2.6.21-rc6] [netfilter] early_drop imrovement By: vaverin on Fri, 06 April 2007 10:26
		Re: [PATCH 2.6.21-rc6] [netfilter] early_drop imrovement By: Patrick McHardy on Fri, 06 April 2007 15:08
		[PATCH nf-2.6.22] [netfilter] early_drop imrovement By: vaverin on Sat, 07 April 2007 11:45
		Re: [PATCH nf-2.6.22] [netfilter] early_drop imrovement By: Eric Dumazet on Sat, 07 April 2007 12:08
		Re: [PATCH nf-2.6.22] [netfilter] early_drop imrovement By: vaverin on Sun, 08 April 2007 05:02
		[NETFILTER] early_drop() imrovement (v3) By: vaverin on Wed, 09 May 2007 06:59
		Re: [NETFILTER] early_drop() imrovement (v3) By: Patrick McHardy on Mon, 25 June 2007 13:53
		Re: [NETFILTER] early_drop() imrovement (v3) By: vaverin on Tue, 26 June 2007 13:20
		Re: [NETFILTER] early_drop() imrovement (v3) By: Patrick McHardy on Tue, 26 June 2007 13:27
		[NETFILTER] early_drop() imrovement (v4) By: vaverin on Wed, 27 June 2007 08:46
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 08:52
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 12:04
		Re: [NETFILTER] early_drop() imrovement (v4) By: vaverin on Wed, 27 June 2007 12:29
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 12:51
		Re: [NETFILTER] early_drop() imrovement (v4) By: vaverin on Wed, 27 June 2007 13:02
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 13:18
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 13:23
		Re: [NETFILTER] early_drop() imrovement (v4) By: vaverin on Wed, 27 June 2007 13:25
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 13:28
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 13:35
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 13:54
		Re: [NETFILTER] early_drop() imrovement (v4) By: Rusty Russell on Mon, 02 July 2007 19:56
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Tue, 03 July 2007 11:42
		Re: [NETFILTER] early_drop() imrovement (v4) By: Martin Josefsson on Tue, 03 July 2007 06:39
		Re: [NETFILTER] early_drop() imrovement (v3) By: Jan Engelhardt on Mon, 25 June 2007 14:36

Previous Topic:	[PATCH 1/2] signal checkpoint: define /proc/pid/sig/
Next Topic:	[PATCH] .gitignore update

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Tue Jan 13 20:55:51 GMT 2026

Total time taken to generate the page: 0.56808 seconds