From: Greg KH <greg@kroah.com>
To: Florian Westphal <fw@strlen.de>
Cc: stable@vger.kernel.org, g.nault@alphalink.fr, pablo@netfilter.org
Subject: Re: [PATCH 4.9.y] netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to rhashtable"
Date: Mon, 13 Nov 2017 09:36:49 +0100 [thread overview]
Message-ID: <20171113083649.GC22719@kroah.com> (raw)
In-Reply-To: <20171112202347.14762-1-fw@strlen.de>
On Sun, Nov 12, 2017 at 09:23:47PM +0100, Florian Westphal wrote:
> commit e1bf1687740ce1a3598a1c5e452b852ff2190682 upstream.
>
> This reverts commit 870190a9ec9075205c0fa795a09fa931694a3ff1.
>
> It was not a good idea. The custom hash table was a much better
> fit for this purpose.
>
> A fast lookup is not essential, in fact for most cases there is no lookup
> at all because original tuple is not taken and can be used as-is.
> What needs to be fast is insertion and deletion.
>
> rhlist removal however requires a rhlist walk.
> We can have thousands of entries in such a list if source port/addresses
> are reused for multiple flows, if this happens removal requests are so
> expensive that deletions of a few thousand flows can take several
> seconds(!).
>
> The advantages that we got from rhashtable are:
> 1) table auto-sizing
> 2) multiple locks
>
> 1) would be nice to have, but it is not essential as we have at
> most one lookup per new flow, so even a million flows in the bysource
> table are not a problem compared to current deletion cost.
> 2) is easy to add to custom hash table.
>
> I tried to add hlist_node to rhlist to speed up rhltable_remove but this
> isn't doable without changing semantics. rhltable_remove_fast will
> check that the to-be-deleted object is part of the table and that
> requires a list walk that we want to avoid.
>
> Furthermore, using hlist_node increases size of struct rhlist_head, which
> in turn increases nf_conn size.
>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=196821
> Reported-by: Ivan Babrou <ibobrik@gmail.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> Hi Greg,
>
> this is a 4.9.y backport of the same revert that already went into 4.13.y;
> please consider applying this. I briefly tested this in kvm, at very least
> it doesn't break nat redirect in obvious ways...
Very nice, thanks for this, now queued up.
greg k-h
next prev parent reply other threads:[~2017-11-13 8:36 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-12 20:23 [PATCH 4.9.y] netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to rhashtable" Florian Westphal
2017-11-13 8:36 ` Greg KH [this message]
2017-11-14 7:07 ` Sebastian Gottschall
2017-11-14 11:05 ` Florian Westphal
2017-11-14 11:54 ` Guillaume Nault
2017-11-14 19:30 ` Guillaume Nault
2017-11-14 22:16 ` Sebastian Gottschall
2017-11-14 22:44 ` Sebastian Gottschall
2017-11-15 10:13 ` Florian Westphal
2017-11-15 14:04 ` Greg Kroah-Hartman
2017-11-15 14:16 ` Pablo Neira Ayuso
2017-11-15 14:51 ` Greg Kroah-Hartman
2017-11-15 22:57 ` Sebastian Gottschall
2017-11-15 14:11 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171113083649.GC22719@kroah.com \
--to=greg@kroah.com \
--cc=fw@strlen.de \
--cc=g.nault@alphalink.fr \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.