From: Patrick Schaaf <bof@bof.de>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter-devel@lists.netfilter.org, Patrick Schaaf <bof@bof.de>,
	Grzegorz Piotr Jaskiewicz <gj@pointblue.com.pl>
Subject: Re: [PATCH] aggressive early_drop and reserved conntrack entries
Date: Thu, 9 Dec 2004 12:29:13 +0100
Message-ID: <20041209112913.GA31497@oknodo.bof.de>
In-Reply-To: <Pine.LNX.4.58.0412091108420.11649@blackhole.kfki.hu>

Hi Jozsef,

> > > - When the conntrack table is full, we search only in a single hash
> > >   bucket. We are in trouble anyway, so let's search harder for
> > >   droppable entries: the patch extends the search to at most the third of
> > >   all the buckets.
> >
> > Hmm. It's correct that we are in trouble anyway, but will it help burning
> > much more CPU to get out of trouble?
> 
> How could we lessen the trouble we are in? By refusing to add the new
> connection to the table after failing to find an unreplied connection
> in one bucket, or searching more with the price of spinning the CPU a
> little further?

Well, the way I see it, the primary task, under pressure, is still to
run ASSURED connections as well as possible. Burning more CPU in
early_drop for each new potential connection (at a possibly high rate,
when under a real DoS attempt) will take significant time from routing
ASSURED connections' packets.

best regards
  Patrick
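
The cost trade-off debated in this message, as an added example that is not part of the original mail or of the netfilter code: a toy C model counting how many entries an early_drop-style scan examines when limited to one bucket versus a third of all buckets. The table size, chain length, entry layout and function signatures are assumptions made for illustration.

```c
#include <stdio.h>

/* Toy model, not kernel code: a full table where every bucket holds CHAIN entries. */
#define NBUCKETS 96
#define CHAIN    8

struct entry { int in_use; int assured; };
static struct entry table[NBUCKETS][CHAIN];

/* Fill the table with ASSURED entries; one droppable entry goes in `victim` (-1: none). */
void fill_table(int victim)
{
    for (int b = 0; b < NBUCKETS; b++)
        for (int i = 0; i < CHAIN; i++)
            table[b][i] = (struct entry){ .in_use = 1, .assured = 1 };
    if (victim >= 0)
        table[victim][CHAIN - 1].assured = 0;
}

/* Scan at most max_buckets buckets from `start` for a non-ASSURED entry and drop it.
 * Returns 1 on a drop; *examined is the number of entries looked at (the scan cost). */
int early_drop(unsigned start, unsigned max_buckets, unsigned *examined)
{
    *examined = 0;
    for (unsigned n = 0; n < max_buckets; n++) {
        unsigned b = (start + n) % NBUCKETS;
        for (int i = 0; i < CHAIN; i++) {
            (*examined)++;
            if (table[b][i].in_use && !table[b][i].assured) {
                table[b][i].in_use = 0;
                return 1;
            }
        }
    }
    return 0;
}

int main(void)
{
    unsigned one, third;
    fill_table(-1);                 /* worst case: nothing droppable anywhere */
    early_drop(0, 1, &one);
    early_drop(0, NBUCKETS / 3, &third);
    printf("no droppable entry: %u vs %u entries examined\n", one, third);
    fill_table(20);                 /* constructed: one droppable entry in bucket 20 */
    int hit = early_drop(0, NBUCKETS / 3, &third);
    printf("wider scan: found=%d after %u entries\n", hit, third);
    return 0;
}
```

In this model the failed wide scan costs 32 times the single-bucket scan for every new connection attempt, which is the per-packet overhead the message is concerned about; the second case shows what the wider scan buys when a droppable entry exists outside the first bucket.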


Thread overview: 15+ messages
2004-12-09  8:34 [PATCH] aggressive early_drop and reserved conntrack entries Jozsef Kadlecsik
2004-12-09  8:52 ` Patrick Schaaf
2004-12-09 10:34   ` Jozsef Kadlecsik
2004-12-09 11:29     ` Patrick Schaaf [this message]
2004-12-10 22:27     ` Jozsef Kadlecsik
2004-12-11 13:34       ` Martin Josefsson
2004-12-11 13:39         ` Martin Josefsson
2004-12-11 16:56         ` Jozsef Kadlecsik
2004-12-12 11:40           ` Henrik Nordstrom
2004-12-13 21:52             ` Jozsef Kadlecsik
2004-12-13 12:14           ` Jozsef Kadlecsik
2004-12-13 13:25             ` Martin Josefsson
2004-12-09 12:25 ` Grzegorz Piotr Jaskiewicz
2004-12-09 13:21   ` Jozsef Kadlecsik
2004-12-16 12:31 ` Harald Welte
