From: Grzegorz Piotr Jaskiewicz <gj@kde.org.uk>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH] aggressive early_drop and reserved conntrack entries
Date: Thu, 09 Dec 2004 13:25:37 +0100
Message-ID: <41B84441.7080402@kde.org.uk>
In-Reply-To: <Pine.LNX.4.58.0412090845060.11649@blackhole.kfki.hu>
Jozsef Kadlecsik wrote:
> Hi,
>
> The included patch addresses the following issues:
>
> - When the conntrack table is full, we search only in a single hash
> bucket. We are in trouble anyway, so let's search harder for
> droppable entries: the patch extends the search to at most the third of
> all the buckets.
> - If the conntrack table is full, the remote management of the machine
> becomes a little bit complicated :-). The patch adds the ability to
> reserve a given number of entries to be used for management connections.
> The following proc entries are added to /proc/sys/net/ipv4/netfilter:
That is a good idea, but aside from that I think that we need some kind of
'garbage collector' that is going to remove the oldest connections from
the hash to make space for the new ones. This sounds a bit more
complicated, I know; maybe someone has a better idea about it.
But to be honest, letting someone manage the computer remotely is one
thing, and letting the system solve the problem on its own is another.
Now that you can get in, tell me what you can do?
You can resize the hash table size for instance, but so can netfilter on its
own in case the hash is filled to the brim.
So there are 2 ideas: either let it resize the hash table by some value, but
that would have its maximum too. You can also forget the oldest connections,
and spare memory for new ones.
--
GJ
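A toy model of the two mechanisms the quoted patch describes, added here as an example and not code from the patch or the kernel: early_drop may scan up to a third of the buckets for an unassured entry to evict, and a reserve of table slots is only usable by management flows. All names (conntrack_insert, early_drop, conntrack_assure), the table sizes and the RESERVED knob are assumptions of this model, and the hash is deliberately trivial.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define HASHSIZE    8   /* buckets in the toy table */
#define MAX_ENTRIES 14  /* stand-in for ip_conntrack_max */
#define RESERVED    2   /* slots kept back for management flows (assumed knob) */

struct conn { uint32_t key; bool assured; struct conn *next; };
static struct conn *buckets[HASHSIZE];
static int count;

static unsigned hash_key(uint32_t key) { return key % HASHSIZE; }

/* Evict the first unassured entry found in bucket h or the next nbuckets-1 buckets. */
static bool early_drop(unsigned h, unsigned nbuckets)
{
    for (unsigned i = 0; i < nbuckets; i++) {
        for (struct conn **pp = &buckets[(h + i) % HASHSIZE]; *pp; pp = &(*pp)->next) {
            if (!(*pp)->assured) {
                struct conn *victim = *pp;
                *pp = victim->next;
                free(victim);
                count--;
                return true;
            }
        }
    }
    return false;
}

/* Track a new flow; nbuckets is how far early_drop may search (1 = single bucket, HASHSIZE/3 = a third). */
bool conntrack_insert(uint32_t key, bool mgmt, unsigned nbuckets)
{
    unsigned h = hash_key(key);
    int limit = mgmt ? MAX_ENTRIES : MAX_ENTRIES - RESERVED;  /* only management may use the reserve */
    if (count >= limit && !(early_drop(h, nbuckets) && count < limit))
        return false;
    struct conn *c = malloc(sizeof *c);
    if (!c) return false;
    c->key = key; c->assured = false; c->next = buckets[h]; buckets[h] = c;
    count++;
    return true;
}

/* Mark a flow assured (traffic seen both ways): early_drop never evicts it. */
void conntrack_assure(uint32_t key)
{
    for (struct conn *c = buckets[hash_key(key)]; c; c = c->next)
        if (c->key == key) c->assured = true;
}

int conntrack_count(void) { return count; }
```

With every entry assured, even the wider search finds nothing to drop, which is the case the reply's "garbage collector" suggestion is about.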