From: Eric Dumazet <dada1@cosmosbay.com>
To: David Miller <davem@davemloft.net>
Cc: nhorman@tuxdriver.com, netdev@vger.kernel.org,
kuznet@ms2.inr.ac.ru, pekkas@netcore.fi, jmorris@namei.org,
yoshfuji@linux-ipv6.org, kaber@trash.net,
Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Subject: Re: [PATCH] net: implement emergency route cache rebulds when gc_elasticity is exceeded
Date: Tue, 30 Sep 2008 19:16:50 +0200 [thread overview]
Message-ID: <48E25F02.8030303@cosmosbay.com> (raw)
In-Reply-To: <20080930.071023.07946874.davem@davemloft.net>
David Miller a écrit :
> From: Eric Dumazet <dada1@cosmosbay.com>
> Date: Tue, 30 Sep 2008 08:02:44 +0200
>
>> When a machine is targeted by a DDOS attack, about all slots of the
>> hash table are fully loaded (ie chain length >= elasticity). We dont
>> need to invalidate the cache, but find an equilibrium, with small
>> adjustements.
>
> Sure, but it is possible to determine that some hash chains
> are unevenly growing out of control compared to others,
> and that is the algorithm that Neil is trying to discover.
>
>
No problem, but my suggestion to use a separate threshold than elasticity
was apparently not taken into consideration.
I ran an experiment on a big stable machine with 2^19 rtcache slots,
scanning all chains and found *many* of them having length > elasticity,
maximum being 13. I am sure its allowed by statistics laws.
(average chain length : 3.55)
In order to avoid unecessary cache invalidation, we need some
calculation from a statistics expert.
Given rt_hash_size and elasticity (or rt_max_size), compute the "maximum reasonable"
chain length, ie some X number where probability(chain_length < X) > 0.9999
(CCed Evgeniy Polyakov :) )
MemTotal: 32963064 kB
8 CPUS
/proc/sys/net/ipv4/route/max_size:8388608 (default at boot time)
/proc/sys/net/ipv4/route/gc_thresh:2000000
/proc/sys/net/ipv4/route/gc_elasticity:4
/proc/sys/net/ipv4/route/gc_interval:1
Linux version 2.6.24.5
cat /proc/net/sockstat
sockets: used 957514
TCP: inuse 963998 orphan 7100 tw 10393 alloc 964646 mem 376389
rtstat -c5 -i5 (minus first sample)
rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|
entries| in_hit|in_slow_|in_slow_|in_no_ro| in_brd|in_marti|in_marti| out_hit|out_slow|out_slow|gc_total|gc_ignor|gc_goal_|gc_dst_o|in_hlist|out_hlis|
| | tot| mc| ute| | an_dst| an_src| | _tot| _mc| | ed| miss| verflow| _search|t_search|
1862477| 23758| 4400| 0| 0| 0| 0| 0| 4142| 1134| 0| 0| 0| 0| 0| 45754| 11785|
1863310| 24794| 4504| 0| 0| 0| 0| 0| 4089| 1183| 0| 0| 0| 0| 0| 47558| 11640|
1863604| 24183| 4383| 0| 0| 0| 0| 0| 3910| 1061| 0| 0| 0| 0| 0| 46002| 10819|
1864473| 23899| 4510| 0| 0| 0| 0| 0| 4113| 1193| 0| 0| 0| 0| 0| 46451| 11798|
grep ip_dst_cache /proc/slabinfo
ip_dst_cache 1863543 1868660 384 10 1 : tunables 0 0 0 : slabdata 186866 186866 0
On this machine, a single "ip route flush cache" is risky
(commit 29e75252da20f3ab9e132c68c9aed156b87beae6 [IPV4] route cache: Introduce rt_genid for smooth cache invalidation)
not yet included in kernel)
next prev parent reply other threads:[~2008-09-30 17:17 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-29 19:12 [PATCH] net: implement emergency route cache rebulds when gc_elasticity is exceeded Neil Horman
2008-09-29 20:22 ` Eric Dumazet
2008-09-29 20:27 ` Neil Horman
2008-09-29 21:00 ` Eric Dumazet
2008-09-29 22:38 ` Neil Horman
2008-09-30 6:02 ` Eric Dumazet
2008-09-30 11:23 ` Neil Horman
2008-09-30 14:10 ` David Miller
2008-09-30 17:16 ` Eric Dumazet [this message]
2008-09-30 18:42 ` Neil Horman
2008-10-02 7:16 ` Evgeniy Polyakov
2008-10-02 13:14 ` Neil Horman
2008-10-01 18:08 ` Neil Horman
2008-10-02 5:01 ` Bill Fink
2008-10-02 6:56 ` Eric Dumazet
2008-10-02 8:15 ` Eric Dumazet
2008-10-02 14:20 ` Eric Dumazet
2008-10-03 0:31 ` Neil Horman
2008-10-03 20:36 ` Neil Horman
2008-10-06 10:49 ` Eric Dumazet
2008-10-06 13:14 ` Neil Horman
2008-10-06 20:54 ` Neil Horman
2008-10-06 21:21 ` Eric Dumazet
2008-10-06 22:52 ` Neil Horman
2008-10-07 5:13 ` Eric Dumazet
2008-10-07 10:54 ` Neil Horman
2008-10-13 18:26 ` Neil Horman
2008-10-16 6:55 ` David Miller
2008-10-16 9:19 ` Eric Dumazet
2008-10-16 21:18 ` David Miller
2008-10-16 11:41 ` Neil Horman
2008-10-16 12:25 ` Eric Dumazet
2008-10-16 16:36 ` Neil Horman
2008-10-16 23:35 ` Neil Horman
2008-10-17 4:53 ` Eric Dumazet
2008-10-17 5:23 ` David Miller
2008-10-17 5:03 ` Stephen Hemminger
2008-10-17 5:06 ` Stephen Hemminger
2008-10-17 10:39 ` Neil Horman
[not found] ` <48F8806A.6090306@cosmosbay.com>
[not found] ` <20081017152328.GB23591@hmsreliant.think-freely.org>
[not found] ` <48F8AFBE.5080503@cosmosbay.com>
2008-10-17 20:44 ` Neil Horman
2008-10-18 0:54 ` Neil Horman
2008-10-18 4:36 ` Eric Dumazet
2008-10-18 13:30 ` Neil Horman
2008-10-20 0:07 ` Neil Horman
2008-10-20 8:12 ` Eric Dumazet
2008-10-27 19:28 ` David Miller
2008-10-02 7:13 ` Evgeniy Polyakov
2008-09-30 14:08 ` David Miller
2008-09-30 14:08 ` David Miller
2008-09-30 17:47 ` Eric Dumazet
2008-10-05 3:26 ` Herbert Xu
2008-10-05 4:45 ` Andrew Dickinson
2008-10-05 17:34 ` David Miller
2008-10-05 18:06 ` Andrew Dickinson
2008-10-06 4:21 ` Herbert Xu
2008-10-06 10:50 ` Neil Horman
2008-10-06 11:02 ` Herbert Xu
2008-10-06 12:43 ` Neil Horman
2008-09-30 14:17 ` Denis V. Lunev
2008-09-30 14:35 ` Neil Horman
2008-09-30 14:49 ` Denis V. Lunev
2008-10-05 3:17 ` Herbert Xu
2008-10-05 3:20 ` Herbert Xu
2008-10-06 0:52 ` Neil Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48E25F02.8030303@cosmosbay.com \
--to=dada1@cosmosbay.com \
--cc=davem@davemloft.net \
--cc=jmorris@namei.org \
--cc=johnpol@2ka.mipt.ru \
--cc=kaber@trash.net \
--cc=kuznet@ms2.inr.ac.ru \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=pekkas@netcore.fi \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.