From: Patrick Schaaf <bof@bof.de>
To: Patrick Schaaf <bof@bof.de>
Cc: Don Cohen <don-nf@isis.cs3-inc.com>, netfilter-devel@lists.samba.org
Subject: Re: conntrack performance/DoS formula
Date: Sat, 29 Jun 2002 14:34:06 +0200 [thread overview]
Message-ID: <20020629143406.O4136@oknodo.bof.de> (raw)
In-Reply-To: <20020629140729.N4136@oknodo.bof.de>; from bof@bof.de on Sat, Jun 29, 2002 at 02:07:29PM +0200
[-- Attachment #1: Type: text/plain, Size: 811 bytes --]
Hi again,
one more elaboration of the cttest program, before I go offline in preparation
for the fourth German football world championship...
This version adds a '-b X' option. If you specify that, all TCP conntracks
with timeouts less than X get ignored. For example, use "-b 431940" to only
count the conntracks active within the last 60 seconds.
Incidentally, this makes the current ip_conntrack hash function look a lot
less bad than before. I appears that the "long bucket" packets mostly belong
to some kind of port scan. They will time out eventually, and they will NOT
contribute significantly to CPU usage, because they will be rarely hit.
All is well, it seems. At least looking at my 33000 entry sample from
yesterday. I'm looking forward to results from other workloads!
best regards
Patrick
[-- Attachment #2: cttest.c --]
[-- Type: text/plain, Size: 6095 bytes --]
/* cttest.c - parse /proc/net/ip_conntrack, compute bucket occupation
*
* This is how lines look:
*
* udp 17 0 src=213.6.73.215 dst=62.104.191.241 sport=1858 dport=53 src=62.104.191.241 dst=213.6.73.215 sport=53 dport=1858 use=1
* tcp 6 114 TIME_WAIT src=62.104.211.64 dst=212.7.144.66 sport=34685 dport=80 src=212.7.144.66 dst=62.104.211.64 sport=80 dport=34685 [ASSURED] use=1
*/
#include <stdio.h>
#include <string.h>
#include <malloc.h>
#include <stdlib.h>
#include <getopt.h>
#include <errno.h>
#include <netinet/in.h>
#include <arpa/inet.h>
typedef unsigned long u32;
typedef unsigned short u16;
typedef unsigned char u8;
struct ct_key {
u32 sip;
u32 dip;
u16 sport;
u16 dport;
u8 proto;
};
static u32 hash_conntrack(struct ct_key *key)
{
return ntohl(key->sip + key->dip
+ key->sport + key->dport
+ key->proto)
+ ntohs(key->sport);
}
#include "crc32.c"
static u32 hash_crc32(struct ct_key *key)
{
u32 crc = crc32(0, (const char *) &key->proto, sizeof(key->proto));
u32 v32;
u16 v16;
v32 = ntohl(key->sip);
crc = crc32(crc, (const char *) &v32, sizeof(v32));
v32 = ntohl(key->dip);
crc = crc32(crc, (const char *) &v32, sizeof(v32));
v16 = ntohs(key->sport);
crc = crc32(crc, (const char *) &v16, sizeof(v16));
v16 = ntohs(key->dport);
crc = crc32(crc, (const char *) &v16, sizeof(v16));
return crc;
}
static u32 hash_random(struct ct_key *key)
{
return (u32) random();
}
struct hash_def {
char *name;
u32 (*hash_f)(struct ct_key *);
};
#define NR_HASHES (sizeof(hashes)/sizeof(hashes[0]))
static struct hash_def hashes[] = {
{ "original", hash_conntrack },
{ "random", hash_random },
{ "crc32", hash_crc32 },
};
static u32 htable_size = 7168;
static u32 *occupation;
static struct hash_def *test_hash = hashes;
static void do_init(void)
{
u32 idx;
occupation = malloc(sizeof(*occupation) * htable_size);
for (idx=0; idx<htable_size; idx++)
occupation[idx] = 0;
}
static int display_target = -1;
static int do_count(struct ct_key *key)
{
u32 idx = test_hash->hash_f(key) % htable_size;
occupation[idx]++;
return ((int)idx) == display_target;
}
static u32 parse_ip(char *t)
{
char *p = strchr(t, '=');
if (!p++) return 0;
return inet_addr(p);
}
static u16 parse_port(char *t)
{
char *p = strchr(t, '=');
if (!p++) return 0;
return (u16) strtoul(p, 0, 10);
}
static u32 ignore_tcp_timeout_bound = 0;
static int ignore_by_timeout(struct ct_key *key, char *tok)
{
return key->proto == 6
&& strtoul(tok, 0, 10) < ignore_tcp_timeout_bound;
}
static int unidir;
static int process(char *p)
{
struct ct_key key[1];
char *tok;
int res;
strtok(p, " \t\n"); /* prot text */
tok = strtok(0, " \t\n");
key->proto = (u8) strtoul(tok, 0, 10); /* prot num */
tok = strtok(0, " \t\n"); /* timeout */
if (ignore_by_timeout(key, tok)) return 0;
switch (key->proto) {
case 6: strtok(0, " \t\n"); /* tcp state */
case 17: break;
default: return 0;
}
/* forward */
tok = strtok(0, " \t\n"); key->sip = parse_ip(tok); /* src ip */
tok = strtok(0, " \t\n"); key->dip = parse_ip(tok); /* dst ip */
tok = strtok(0, " \t\n"); key->sport = parse_port(tok); /* src port */
tok = strtok(0, " \t\n"); key->dport = parse_port(tok); /* dst port */
res = do_count(key);
if (unidir) return res;
/* reverse */
tok = strtok(0, " \t\n"); key->sip = parse_ip(tok); /* src ip */
tok = strtok(0, " \t\n"); key->dip = parse_ip(tok); /* dst ip */
tok = strtok(0, " \t\n"); key->sport = parse_port(tok); /* src port */
tok = strtok(0, " \t\n"); key->dport = parse_port(tok); /* dst port */
return res | do_count(key);
}
static int occupation_target = -1;
static void show_occupation(void)
{
u32 idx, maxlen, total, partial, *agg;
for (maxlen=0, total=0, idx=0; idx<htable_size; idx++) {
total += occupation[idx];
if (occupation[idx] > maxlen)
maxlen = occupation[idx];
}
printf("hash function: %s\n", test_hash->name);
printf("maximum bucket list length: %lu\n", maxlen);
printf("total number of entries: %lu\n", total);
agg = malloc(sizeof(*agg) * (maxlen+1));
for (idx=0; idx<=maxlen; idx++)
agg[idx] = 0;
for (idx=0; idx<htable_size; idx++) {
agg[occupation[idx]]++;
if (((int)occupation[idx]) == occupation_target) {
printf("occupation target %d at %lu\n",
occupation_target, idx);
occupation_target = -1;
}
}
printf("Count\tLength\tCT\n");
for (partial=0, idx=maxlen; idx>0; idx--) {
double d;
if (agg[idx] == 0) continue;
partial += idx * agg[idx];
d = (100.0 * partial) / (1.0 * total);
printf("%lu\t%lu\t%.02f%%\n", agg[idx], idx, d);
}
printf("%lu\t0\t100.00%%\n", agg[idx]);
}
static struct hash_def *find_hash(char *name)
{
u32 idx;
for (idx=0; idx<NR_HASHES; idx++)
if (0 == strcmp(name, hashes[idx].name))
return hashes+idx;
fprintf(stderr, "no hash function named '%s'\n", name);
return 0;
}
static void usage(void)
{
fprintf(stderr, "Usage: not written\n");
exit(1);
}
int main(int argc, char **argv)
{
int c;
char buf[512], copy[512];
char *filename = "/proc/net/ip_conntrack";
FILE *fp;
while (EOF != (c = getopt(argc, argv, "f:us:h:i:t:b:"))) switch(c) {
case 'f': filename = optarg; break;
case 'u': unidir = 1; break;
case 's': htable_size = strtoul(optarg, 0, 10); break;
case 'h': test_hash = find_hash(optarg); break;
case 'i': display_target = strtol(optarg, 0, 10); break;
case 't': occupation_target = strtol(optarg, 0, 10); break;
case 'b': ignore_tcp_timeout_bound = strtoul(optarg, 0, 10); break;
default: usage();
}
if (!test_hash) return 1;
fp = (0 == strcmp(filename, "-")) ? stdin : fopen(filename, "r");
if (!fp) {
fprintf(stderr, "%s: %s\n", filename, strerror(errno));
exit(1);
}
printf("filename: %s\n", filename);
if (ignore_tcp_timeout_bound)
printf("ignore TCP conntracks with timeout less than %lu\n",
ignore_tcp_timeout_bound);
do_init();
while (fgets(buf, sizeof(buf), fp)) {
if (display_target != -1)
strcpy(copy, buf);
if (process(buf))
printf("[%d]\t%s", display_target, copy);
}
if (fp != stdin) fclose(fp);
show_occupation();
return 0;
}
[-- Attachment #3: crc32.c --]
[-- Type: text/plain, Size: 4400 bytes --]
/* crc32.c -- compute the CRC-32 of a data stream
* Copyright (C) 1995-2002 Mark Adler
* stolen from zlib CVS
*/
/* @(#) $Id: crc32.c,v 1.2.2.1 2002/03/12 09:34:29 werner Exp $ */
/* ========================================================================
* Table of CRC-32's of all single-byte values (made by make_crc_table)
*/
static const u32 crc_table[256] = {
0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L,
0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L,
0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L,
0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL,
0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L,
0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L,
0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L,
0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L,
0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL,
0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L,
0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L,
0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L,
0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL,
0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL,
0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL,
0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L,
0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L,
0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L,
0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL,
0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L,
0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L,
0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L,
0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L,
0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L,
0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L,
0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L,
0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL,
0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL,
0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L,
0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL,
0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL,
0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L,
0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL,
0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L,
0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL,
0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL,
0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L,
0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L,
0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL,
0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L,
0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L,
0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L,
0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L,
0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L,
0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL,
0x2d02ef8dL
};
/* ========================================================================= */
#define DO1(buf) crc = crc_table[((int)crc ^ (*buf++)) & 0xff] ^ (crc >> 8);
#define DO2(buf) DO1(buf); DO1(buf);
#define DO4(buf) DO2(buf); DO2(buf);
#define DO8(buf) DO4(buf); DO4(buf);
/* ========================================================================= */
u32 crc32(crc, buf, len)
u32 crc;
const char *buf;
int len;
{
crc = crc ^ 0xffffffffL;
while (len >= 8)
{
DO8(buf);
len -= 8;
}
if (len) do {
DO1(buf);
} while (--len);
return crc ^ 0xffffffffL;
}
next prev parent reply other threads:[~2002-06-29 12:34 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-06-27 20:46 conntrack performance/DoS formula Don Cohen
2002-06-28 6:23 ` Patrick Schaaf
2002-06-28 17:53 ` Don Cohen
2002-06-28 18:36 ` Patrick Schaaf
2002-06-28 19:03 ` Don Cohen
2002-06-28 19:35 ` Patrick Schaaf
2002-06-28 19:39 ` Patrick Schaaf
2002-06-28 21:10 ` Don Cohen
2002-06-28 21:28 ` Patrick Schaaf
2002-06-28 21:49 ` Don Cohen
2002-06-28 22:30 ` Don Cohen
2002-06-29 9:03 ` Patrick Schaaf
2002-06-29 16:48 ` Don Cohen
2002-06-29 17:22 ` Patrick Schaaf
2002-07-05 13:47 ` Harald Welte
2002-06-29 17:33 ` Patrick Schaaf
2002-06-29 9:29 ` Patrick Schaaf
2002-06-29 12:07 ` Patrick Schaaf
2002-06-29 12:34 ` Patrick Schaaf [this message]
2002-06-30 8:31 ` Patrick Schaaf
2002-06-30 19:40 ` Don Cohen
2002-07-01 8:07 ` Henrik Nordstrom
2002-07-01 17:49 ` Don Cohen
2002-07-02 7:58 ` Henrik Nordstrom
[not found] ` <15652.38084.704660.234319@isis.cs3-inc.com>
2002-07-04 21:53 ` Henrik Nordstrom
2002-07-05 7:08 ` Don Cohen
2002-07-05 11:41 ` Henrik Nordstrom
2002-07-06 2:49 ` Don Cohen
2002-07-02 14:55 ` Harald Welte
2002-07-02 14:40 ` Harald Welte
2002-07-02 16:32 ` Patrick Schaaf
2002-07-02 16:35 ` Patrick Schaaf
2002-07-02 16:53 ` Henrik Nordstrom
2002-07-02 17:48 ` Don Cohen
2002-07-02 18:31 ` Patrick Schaaf
2002-07-02 21:52 ` cttest-0.1 Patrick Schaaf
2002-07-03 4:15 ` cttest-0.1 Joakim Axelsson
2002-07-05 15:37 ` cttest-0.1 Martin Josefsson
2002-07-05 16:10 ` cttest-0.1 Joakim Axelsson
2002-07-05 16:54 ` cttest-0.1 Patrick Schaaf
2002-07-05 16:53 ` cttest-0.1 Joakim Axelsson
2002-07-06 6:10 ` cttest-0.1 Andrew Smith
2002-07-06 7:12 ` cttest-0.1 Patrick Schaaf
2002-07-06 15:23 ` cttest-0.1 Patrick Schaaf
2002-07-06 21:14 ` cttest-0.1 Joakim Axelsson
2002-07-06 22:41 ` cttest-0.1 Joakim Axelsson
2002-07-06 23:16 ` cttest-0.1 Joakim Axelsson
2002-07-07 2:30 ` cttest-0.1 Svenning Sorensen
2002-07-07 4:23 ` cttest-0.1 Joakim Axelsson
2002-07-07 5:46 ` cttest-0.1 Joakim Axelsson
2002-07-07 11:00 ` cttest-0.1 Henrik Nordstrom
2002-07-06 22:54 ` cttest-0.1 Joakim Axelsson
2002-07-02 14:38 ` conntrack performance/DoS formula Harald Welte
[not found] <20020701121404.B78724512@lists.samba.org>
2002-07-01 21:30 ` Don Cohen
2002-07-02 6:05 ` Patrick Schaaf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20020629143406.O4136@oknodo.bof.de \
--to=bof@bof.de \
--cc=don-nf@isis.cs3-inc.com \
--cc=netfilter-devel@lists.samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.