Re: [PATCH] netfilter: remove extra timer from ecache extension

[Florian Westphal <fw@strlen.de>]

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > Instead we use a per-ns tasklet to re-trigger event delivery.
> > When we enqueue a ct entry into the dying list, the tasklet
> > is scheduled.
> > 
> > The tasklet will then deliver up to 20 entries.  It will
> > re-sched itself if not all the pending events could be delivered.
> 
> I would like to give a test to this patch in my testbed.

That would be great.

I can re-spin the patch on top of your dying-list changes, if
you prefer to test all patches at the same time.

> And I wonder if we can make it better with some timer-based garbage
> collector that randomly / adaptively runs to give tries to deliver
> events.
> 
> I remember that insisting too often in the delivery of missed events
> does not make any good.

Yes, from my tests only very few attempts are successful.

However, I've failed to come up with a scheme where events
are re-tried in a timely manner without risk of acummulating
a large event/entry backlog.

> >  Note: Conflicts with "improve conntrack object traceability".
> > 
> >  The patch assumes the dying list only contains entries where the delete
> >  event has not been delivered yet.
> > 
> >  With that patch, all conntracks are put on the dying list, including
> >  those who are about to be free'd.
> > 
> >  I THINK that this is fixable by skipping dying-list entries with
> >  IPS_DYING_BIT set.  However, this will increase the tasket workload.
> 
> I think you will mostly find entries that are waiting for its event to
> be delivered. So playing with IPS_DYING_BIT seems the right way to go
> to me.

Perfect.  Thats what I'll do, then.