From: Patrick Schaaf <bof@bof.de>
To: Don Cohen <don-netf@isis.cs3-inc.com>
Cc: Harald Welte <laforge@gnumonks.org>,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
netfilter-devel@lists.netfilter.org
Subject: Re: conntrack hash function comparison
Date: Sat, 1 Feb 2003 07:57:01 +0100 [thread overview]
Message-ID: <20030201065701.GC23640@oknodo.bof.de> (raw)
In-Reply-To: <15931.6072.971476.262073@isis.cs3-inc.com>
On Fri, Jan 31, 2003 at 04:41:28PM -0800, Don Cohen wrote:
> Harald Welte writes:
> > not that I totally disagree with rehashing being a good idea... but in
> > the case you add this 'small piece of code', you also introduce a new
> > vulnerability: If somebody can provoke the firewall to rehash all the
> > time ;(
> The counter argument is that if they can do that then they have a way
> of causing lots of connections to go into the same bucket, and allowing
> that to happen is (at least in the extreme case) much worse than
> rehashing. Obviously it's also bad to rehash too eagerly.
> I think the only question is where to put the threshold.
I imagine that instead of, or in addition to, a threshold on list
lengths, I would like to have a "minimum time between rehashings" knob,
set to e.g. one hour. That way, the cost is guaranteed independant of
packet arrival rate. And, to practically disable rehashing, that knob
can be set to an immensely large value.
Hmm. Maybe even with a printk() 10 (N) minutes in advance, telling the
admin "I think I'm going to rehash a bit, soon".
No. Forget about all that.
1) metrics in /proc, including a "max list length during the last hour"
statistic.
2) one read/writable /proc entry, containing an integer: the number of
hash buckets. This is missing right now, anyway (have to grep the
boot messages). Make it writable, and rehash exactly when a write
changes the hash bucket count.
This way, the policy (when to rehash) is safely in user space, the
kernel gives mechanism, only - just like it should.
What do you think?
best regards
Patrick
next prev parent reply other threads:[~2003-02-01 6:57 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20030120232634.24011.21218.Mailman@kashyyyk>
2003-01-21 6:19 ` conntrack hash function comparison Don Cohen
2003-01-21 11:12 ` Jozsef Kadlecsik
2003-01-21 16:59 ` Don Cohen
2003-01-31 11:41 ` Harald Welte
2003-02-01 0:41 ` Don Cohen
2003-02-01 6:57 ` Patrick Schaaf [this message]
2003-02-01 7:58 ` Don Cohen
2003-02-01 8:37 ` Harald Welte
2003-02-01 19:05 ` Don Cohen
2003-02-02 22:45 ` Harald Welte
2003-01-21 6:40 ` Question: Variable sized matchinfo Don Cohen
2003-01-21 11:42 ` Patrick McHardy
2003-01-21 16:07 ` Laszlo Valko
2003-01-21 16:32 ` [OT " Patrick McHardy
2003-01-21 16:46 ` Laszlo Valko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030201065701.GC23640@oknodo.bof.de \
--to=bof@bof.de \
--cc=don-netf@isis.cs3-inc.com \
--cc=kadlec@blackhole.kfki.hu \
--cc=laforge@gnumonks.org \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.