From: Patrick McHardy <kaber@trash.net>
To: Vasily Averin <vvs@sw.ru>
Cc: netfilter-devel@lists.netfilter.org, rusty@rustcorp.com.au,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Eric Dumazet <dada1@cosmosbay.com>,
Jan Engelhardt <jengelh@computergmbh.de>,
"David S. Miller" <davem@davemloft.net>,
devel@openvz.org
Subject: Re: [NETFILTER] early_drop() imrovement (v4)
Date: Wed, 27 Jun 2007 10:52:16 +0200
Message-ID: <46822540.2010004@trash.net>
In-Reply-To: <468223D0.90305@sw.ru>

Vasily Averin wrote:
> When the number of conntracks reaches the nf_conntrack_max limit, early_drop()
> tries to free one of the already used conntracks. If it does not find any conntracks
> that may be freed, it leads to transmission errors.
> In the current implementation the conntracks are searched in one hash bucket only.
> It has some drawbacks: if the used hash bucket is empty we have no chance to
> find something. On the other hand the hash bucket can contain a huge number of
> conntracks and its check can last a long time.
> The proposed patch limits the number of checked conntracks and allows searching
> conntracks in other hash buckets. As a result, in any case the search will have the
> same chances to free one of the conntracks and the check will not lead to long
> delays.

Thanks Vasily. I have some patches queued to convert all conntrack
hashes to hlists, which conflict with your patches. They need a bit
more work, I'll integrate your changes on top of them once I'm done.

BTW, I played around with your last patch yesterday and it shows
a big improvement when flooding the machine with new connections.
Previously about 5% of the (valid) new connections would get
dropped, with your patch not a single one :)
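
A simplified user-space model of the two search strategies contrasted in the quoted description, added here as an illustration; it is not the patch or kernel code from this thread. The table size, the scan cap, the `may_free` flag and all function names are assumptions of the model.

```c
#include <limits.h>
#include <stdio.h>

#define NBUCKETS   8   /* assumed table size for this model */
#define SCAN_LIMIT 8   /* assumed cap on entries examined per call */
struct ct { struct ct *next; int may_free; };   /* simplified conntrack entry */

/* Return the first entry that may be freed, or NULL; *seen counts entries examined.
 * bounded == 0: one bucket, no cap (the search the quoted text calls current).
 * bounded != 0: at most SCAN_LIMIT entries, continuing into following buckets. */
static struct ct *model_early_drop(struct ct **tbl, unsigned h, int bounded, unsigned *seen)
{
    unsigned span = bounded ? NBUCKETS : 1;
    unsigned budget = bounded ? SCAN_LIMIT : UINT_MAX;
    for (unsigned i = 0; i < span && budget; i++)
        for (struct ct *c = tbl[(h + i) % NBUCKETS]; c && budget;
             c = c->next, budget--) {
            (*seen)++;
            if (c->may_free)
                return c;
        }
    return NULL;
}

/* Constructed case 1: hashed bucket empty, next bucket holds a freeable entry. */
int demo_empty_bucket(void)
{
    struct ct a = { NULL, 1 }, *tbl[NBUCKETS] = { NULL };
    unsigned seen = 0;
    tbl[1] = &a;
    return !model_early_drop(tbl, 0, 0, &seen) && model_early_drop(tbl, 0, 1, &seen) == &a;
}

/* Constructed case 2: 1000 non-freeable entries chained in the hashed bucket. */
unsigned demo_long_bucket(int bounded)
{
    static struct ct chain[1000];   /* zero-initialised: may_free == 0 */
    struct ct *tbl[NBUCKETS] = { chain };
    unsigned seen = 0;
    for (int i = 0; i + 1 < 1000; i++)
        chain[i].next = &chain[i + 1];
    model_early_drop(tbl, 0, bounded, &seen);
    return seen;
}

int main(void)
{
    printf("%d %u %u\n", demo_empty_bucket(), demo_long_bucket(0), demo_long_bucket(1));
    return 0;
}
```

In the model, the one-bucket search fails outright when its bucket is empty and walks all 1000 entries when the bucket is overloaded, while the capped search finds the neighbouring entry and stops after `SCAN_LIMIT` entries.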