From: Patrick Schaaf <bof@bof.de>
To: Rusty Russell <rusty@rustcorp.com.au>
Cc: Harald Welte <laforge@netfilter.org>,
	Netfilter Development Mailinglist
	<netfilter-devel@lists.netfilter.org>,
	Pablo Neira <pablo@eurodev.net>,
	Patrick McHardy <kaber@trash.net>,
	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Subject: Re: nf_conntrack [was Re: [PATCH 1/4] RFC: fast string matching infrastrure for netfilter]
Date: Fri, 14 Jan 2005 09:20:12 +0100
Message-ID: <20050114082012.GA22042@oknodo.bof.de>
In-Reply-To: <1105686102.7311.101.camel@localhost.localdomain>

> 	timeout: move to a 32-bit seconds counter, and use a sweep-method to
> clean up connections rather than a timer per conn.  Save 28 bytes.

I don't like sweep...

This reminds me: what about my "timer management frequency reduction"
from longtimeago? Basic points:

1) Note that the normal, tcp stream, per-packet timer usually only increases,
   and is way out in the future (for ESTABLISHED connections).
2) Meditate
3) Have a store area for the jiffies target, per conntrack, which is
   independent of the kernel timer.
4) When the timeout jiffies target is set or modified, and the kernel timer
   is not already running, start it up, as usual. Also store the jiffies
   target in the conntrack.
5) When the timeout jiffies target changes, and we have an already running
   kernel timer, compare stored jiffies target with new jiffies target:
5a) New target is smaller than old target: store new target, modify kernel
    timer, as usual.
5b) New target is larger than old target: store new target. DONE.
6) When timeout happens, compare stored jiffies target to $now:
6a) If stored target and current time match (or stored is older),
    run the timer activity we have now, i.e. destroy conntrack, usually.
6b) If the stored target is in the future, restart kernel timer
    to the target time. DO NOT fire traditional timer activity.
7) Meditate
8) Note that the normal, tcp stream, per-packet timer usually only increases,
   and is way out in the future (for ESTABLISHED connections).

We'll save the whole kernel timer modification for each packet after the first,
for all usual ESTABLISHED connections. They'll only rearm their timer once
every few days.

I had this coded up and working (for some hours, on my box). Patch must be
somewhere in the archives...

> 	ip_nat_info: use hash tree.  Save 8 bytes.
> 	tuplehash: use hash tree, put proto in status word.  Save 24 bytes.

Umm. What exactly is meant by "hash tree" here?

best regards
  Patrick
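
The lazy re-arm scheme in steps 3 to 6 of the message above, as an added example that is not part of the original post or of the patch it mentions. It is a userspace C model: `struct conn`, `conn_refresh`, `conn_timer_fired` and `simulate` are hypothetical names, the kernel timer is reduced to a flag and an expiry value, and jiffies wraparound is ignored.

```c
#include <stdbool.h>

/* Userspace model, not kernel code: jiffies is a plain counter (wraparound
 * ignored) and the kernel timer is an armed flag plus an expiry value. */
struct conn {
    unsigned long target;     /* step 3: stored jiffies target */
    unsigned long timer_exp;  /* expiry of the modelled kernel timer */
    unsigned long timer_mods; /* how often the kernel timer was touched */
    bool timer_armed, destroyed;
};

static void arm(struct conn *c, unsigned long expires)
{
    c->timer_exp = expires;
    c->timer_armed = true;
    c->timer_mods++;
}

/* Steps 4 and 5: called whenever the timeout target is set or changed. */
void conn_refresh(struct conn *c, unsigned long new_target)
{
    bool earlier = new_target < c->target;
    c->target = new_target;           /* always store the new target */
    if (!c->timer_armed || earlier)   /* 4 and 5a: touch the timer */
        arm(c, new_target);           /* 5b falls through: nothing to do */
}

/* Step 6: timer callback; returns true when the conntrack is destroyed. */
bool conn_timer_fired(struct conn *c, unsigned long now)
{
    c->timer_armed = false;
    if (c->target <= now)             /* 6a: target reached, expire */
        return c->destroyed = true;
    arm(c, c->target);                /* 6b: re-arm, no expiry action */
    return false;
}

/* One packet every `gap` jiffies (gap >= 1), `npkts` (>= 1) in total, each
 * moving the target to now + timeout. Returns the jiffy of destruction. */
unsigned long simulate(struct conn *c, unsigned long npkts,
                       unsigned long gap, unsigned long timeout)
{
    for (unsigned long now = 0, sent = 0;; now++) {
        if (c->timer_armed && c->timer_exp <= now && conn_timer_fired(c, now))
            return now;
        if (sent < npkts && now % gap == 0) {
            conn_refresh(c, now + timeout);
            sent++;
        }
    }
}
```

For 1000 packets spaced 10 jiffies apart with a 5000-jiffy timeout, this model touches the timer 4 times, where a per-packet timer update would touch it 1000 times, and the conntrack is still destroyed exactly one timeout after the last packet.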
