OpenVZ Forum: Devel » [PATCH 2.6.21-rc6] [netfilter] early

Home » Mailing lists » Devel » [PATCH 2.6.21-rc6] [netfilter] early_drop imrovement

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Re: [NETFILTER] early_drop() imrovement (v3) [message #14371 is a reply to message #14370]

Tue, 26 June 2007 13:27

Patrick McHardy
Messages: 107
Registered: March 2006

Senior Member

Vasily Averin wrote:
> Patrick McHardy wrote:
>> I don't like the NF_CT_PER_BUCKET constant. First of all, each
>> conntrack is hashed twice, so its really only 1/2 of the average
>> conntracks per bucket. Secondly, its only a default and many
>> people use nf_conntrack_max = nf_conntrack_htable_size / 2, so
>> using this constant for early_drop seems wrong.
>>
>> Perhaps make it 2 * nf_conntrack_max / nf_conntrack_htable_size
>> or even add a nf_conntrack_eviction_range sysctl.
>>
>
> IMHO The number of conntracks checked in early_drop() have following restrictions:
> - it should be not too low -- to decrease chances of transmission failures,
> - it should be limited by some reasonable value -- to prevent long check delays.

Agreed.

> Also I believe it makes sense to have it constant (how about NF_CT_EVICTION
> name?) -- to have the same behaviour on various nodes. However I doubt strongly
> that anybody will want to change this value. Do you think it is really required?
>

I don't know. The current behaviour will on average scan 16 entries.
For people manually tuning their hash to saner settings it will scan
a single entry. So we have a quite wide range of values already.
The single entry with sane hash settings is too little IMO, maybe use
some middle-ground, make it 8 by default as you did and rename the
constant. NF_CT_EVICTION_RANGE sounds fine.

Report message to a moderator

[Message index]

		[PATCH 2.6.21-rc6] [netfilter] early_drop imrovement By: vaverin on Fri, 06 April 2007 08:00
		Re: [PATCH 2.6.21-rc6] [netfilter] early_drop imrovement By: Eric Dumazet on Fri, 06 April 2007 08:24
		Re: [PATCH 2.6.21-rc6] [netfilter] early_drop imrovement By: vaverin on Fri, 06 April 2007 10:26
		Re: [PATCH 2.6.21-rc6] [netfilter] early_drop imrovement By: Patrick McHardy on Fri, 06 April 2007 15:08
		[PATCH nf-2.6.22] [netfilter] early_drop imrovement By: vaverin on Sat, 07 April 2007 11:45
		Re: [PATCH nf-2.6.22] [netfilter] early_drop imrovement By: Eric Dumazet on Sat, 07 April 2007 12:08
		Re: [PATCH nf-2.6.22] [netfilter] early_drop imrovement By: vaverin on Sun, 08 April 2007 05:02
		[NETFILTER] early_drop() imrovement (v3) By: vaverin on Wed, 09 May 2007 06:59
		Re: [NETFILTER] early_drop() imrovement (v3) By: Patrick McHardy on Mon, 25 June 2007 13:53
		Re: [NETFILTER] early_drop() imrovement (v3) By: vaverin on Tue, 26 June 2007 13:20
		Re: [NETFILTER] early_drop() imrovement (v3) By: Patrick McHardy on Tue, 26 June 2007 13:27
		[NETFILTER] early_drop() imrovement (v4) By: vaverin on Wed, 27 June 2007 08:46
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 08:52
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 12:04
		Re: [NETFILTER] early_drop() imrovement (v4) By: vaverin on Wed, 27 June 2007 12:29
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 12:51
		Re: [NETFILTER] early_drop() imrovement (v4) By: vaverin on Wed, 27 June 2007 13:02
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 13:18
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 13:23
		Re: [NETFILTER] early_drop() imrovement (v4) By: vaverin on Wed, 27 June 2007 13:25
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 13:28
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 13:35
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Wed, 27 June 2007 13:54
		Re: [NETFILTER] early_drop() imrovement (v4) By: Rusty Russell on Mon, 02 July 2007 19:56
		Re: [NETFILTER] early_drop() imrovement (v4) By: Patrick McHardy on Tue, 03 July 2007 11:42
		Re: [NETFILTER] early_drop() imrovement (v4) By: Martin Josefsson on Tue, 03 July 2007 06:39
		Re: [NETFILTER] early_drop() imrovement (v3) By: Jan Engelhardt on Mon, 25 June 2007 14:36

Previous Topic:	[PATCH 1/2] signal checkpoint: define /proc/pid/sig/
Next Topic:	[PATCH] .gitignore update

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Mon Feb 16 20:43:22 GMT 2026

Total time taken to generate the page: 0.23777 seconds