From: Patrick McHardy <kaber@trash.net>
To: pesce.luca@gmail.com
Cc: netfilter-devel@vger.kernel.org
Subject: Re: R:Re: Questions about early_drop()
Date: Thu, 05 Nov 2009 13:23:56 +0100
Message-ID: <4AF2C3DC.7070200@trash.net>
In-Reply-To: <0016e6d7ea70951fbb04779150de@google.com>

pesce.luca@gmail.com wrote:
> Hi Patrick,
> thanks for the explanation. The only thing I do not understand is:
>
>> It does greatly improve robustness under DoS since with jhash() and a
>> properly sized
>> hash table there's likely only a single entry per bucket.
>
> I understand that this comes from hash tables theory, but I don't get
> it... When conntrack_core module is loaded, the maximum number of
> conntrack entries is calculated as (hashsize * 8), so when early_drop()
> kicks in, the table is full and is containing (hashsize*8) entries...
> how is it possible that in that situation every bucket contains just one
> entry? Shouldn't it contain about 8 entries, as a mean value?

The default is not properly sized, it's a trade-off between memory
use and performance. A good size would be 2 * max_entries since
each conntrack is hashed twice.
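
Added example (not part of the original message and not kernel code): a small simulation of the sizing argument above, comparing the default of max = hashsize * 8 against a table of 2 * max buckets, with every connection inserted twice. The mixer `mix()`, the helper `fill_table()` and hashsize = 4096 are assumptions chosen for illustration; `mix()` is a stand-in, not the kernel's jhash().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in 64-bit mixer (splitmix64 finalizer); NOT the kernel's jhash(). */
static uint32_t mix(uint64_t x)
{
    x += 0x9e3779b97f4a7c15ULL;
    x = (x ^ (x >> 30)) * 0xbf58476d1ce4e5b9ULL;
    x = (x ^ (x >> 27)) * 0x94d049bb133111ebULL;
    return (uint32_t)(x ^ (x >> 31));
}

struct chain_stats {
    double mean_nonempty;   /* average chain length over occupied buckets */
    unsigned longest;       /* longest chain in the table */
};

/* Fill `buckets` chains with `conns` connections. Each connection is
 * inserted under two keys, modelling "each conntrack is hashed twice". */
static struct chain_stats fill_table(unsigned buckets, unsigned conns)
{
    struct chain_stats s = { 0.0, 0 };
    unsigned used = 0;
    unsigned *len = calloc(buckets, sizeof(*len));

    if (!len)
        return s;
    for (unsigned c = 0; c < conns; c++)
        for (unsigned dir = 0; dir < 2; dir++) {
            unsigned b = mix(((uint64_t)c << 1) | dir) % buckets;
            if (len[b]++ == 0)
                used++;
            if (len[b] > s.longest)
                s.longest = len[b];
        }
    s.mean_nonempty = used ? (2.0 * conns) / used : 0.0;
    free(len);
    return s;
}

int main(void)
{
    unsigned hashsize = 4096, max = hashsize * 8;   /* constructed sizes */
    struct chain_stats d = fill_table(hashsize, max);   /* default ratio */
    struct chain_stats g = fill_table(2 * max, max);    /* 2 * max_entries */
    printf("default: mean %.2f longest %u\n", d.mean_nonempty, d.longest);
    printf("2*max:   mean %.2f longest %u\n", g.mean_nonempty, g.longest);
    return 0;
}
```

With the default ratio a full table holds 2 * 8 = 16 hashed entries per bucket on average, while the 2 * max table has one entry per bucket on average and short chains in the occupied buckets.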