From: Patrick McHardy <kaber@trash.net>
To: Patrick Schaaf <bof@bof.de>
Cc: netfilter-devel@lists.netfilter.org,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: bloom filter in netfilter?
Date: Tue, 20 Mar 2007 16:43:30 +0100 [thread overview]
Message-ID: <46000122.2030005@trash.net> (raw)
In-Reply-To: <20070320153402.GA28954@oknodo.bof.de>
Patrick Schaaf wrote:
>>>We can't just get rid of it since bloom filters have false positives, so
>>>it could happen that we could miss some new connections that are not
>>>actually in the conntrack table.
>>
>>That wouldn't be a big problem in my opinion, you can freely tune the
>>probability.
>
>
> Wouldn't two conntrack entries in the hash for the same tuples be
> catastrophic somewhere? (I have no idea, actually)
Yes, but bloom filters only have false positives (already in
hash, so skip confirmation), never false negatives, so that
would still not happen.
> The other thing about bloom filters that worries me, having read
> the wikipedia entry, is that you cannot remove elements. Probability
> of false positives thus increases as conntracks are added. And a
> future repetition of exactly the same tuple would certainly be
> a false positive. Tuples repeat pretty fast with things like BGP,
> and a filter regeneration seems to involve shuffling all current
> conntracks into a fresh bloom filter.
>
> Either I misunderstand something fundamental, which is not
> unlikely, or that kills the idea.
You're right, tuple reuse is a problem, it seems counting bloom
filters would be needed to deal with that, which are a lot less
memory efficient. The increasing probabilities of false positives
with increasing number of entries could be dealt with by using a
second bloom filter that is filled with new entries once a low
threshold is exceeded and replaces the active one once a high
threshold is exceeded.
I have to admit that I'm a huge fan of bloom filters and always
wanted to use them for something cool :)
next prev parent reply other threads:[~2007-03-20 15:43 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-20 15:07 bloom filter in netfilter? Sebastien Tandel
2007-03-20 15:20 ` Patrick McHardy
2007-03-20 15:25 ` Pablo Neira Ayuso
2007-03-20 15:26 ` Patrick McHardy
2007-03-20 15:34 ` Patrick Schaaf
2007-03-20 15:43 ` Patrick McHardy [this message]
-- strict thread matches above, loose matches on Subject: below --
2007-03-20 16:31 Robert Iakobashvili
2007-03-20 16:37 [Fwd: Re: bloom filter in netfilter?] Sebastien Tandel
2007-03-20 19:27 ` bloom filter in netfilter? Pablo Neira Ayuso
2007-03-20 21:41 ` Sebastien Tandel
2007-03-21 12:45 ` Sebastien Tandel
2007-03-21 12:46 ` Sebastien Tandel
2007-03-21 15:00 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46000122.2030005@trash.net \
--to=kaber@trash.net \
--cc=bof@bof.de \
--cc=netfilter-devel@lists.netfilter.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.