Re: [PATCH nf] netfilter: nf_conncount: increase connection clean up limit to 64

[Florian Westphal <fw@strlen.de>]

Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> This sounds quite expensive to me. What about the following solution?
> 
> 1. In nf_conncount_list, add "unsigned int last_gc_count"
> 2. In __nf_connncount_add the optimization would look like this:
> 
> 	if ((u32)jiffies == list->last_gc && (list->count - list->last_gc_count) >=
> CONNCOUNT_GC_MAX_NODES - 1)
> 	goto add_new_node;

Won't that rescan the same entries for as long as the condition
persists?

That was the reason for the move-to-tail, so we start with something
that we did not scan yet.

> 3. After gc, we update the list->last_gc_count.
> 
> This way we make sure the optimization is not done if 7 or more connections
> were added to the list.

How many entries could be expected per seconds?  I think "tens of
thousands" is possible. If not, then just increasing the GC_MAX_NODES
would work.

If we can't make this work, no choice but to add a destructor callback
to conntrack... I very much dislike that idea.

> It should ensure that the list does not fill up. For
> better optimization, we can increase the number to 64 as I proposed. The
> solution you proposed works too but I am worried that it will trigger a CPU
> lockup for a big amount of connections..

You could add "start = jiffies" and break on "jiffies != start",
which would split the gc over multiple add requests.