Re: [PATCH nf] netfilter: nf_conncount: increase connection clean up limit to 64

[Florian Westphal <fw@strlen.de>]

Fernando Fernandez Mancera <fmancera@suse.de> wrote:
> After the optimization to only perform one GC per jiffy, a new problem
> was introduced. If more than 8 new connections are tracked per jiffy the
> list won't be cleaned up fast enough possibly reaching the limit
> wrongly.
> 
> In order to prevent this issue, increase the clean up limit to 64
> connections so it is easier for conncount to keep up with the new
> connections tracked per jiffy rate.

But that doesn't solve the issue, no?
Now its the same as before, just with 64 instead of 8.

I think that more work is needed.

>  /* we will save the tuples of all connections we care about */
>  struct nf_conncount_tuple {
> @@ -187,7 +188,7 @@ static int __nf_conncount_add(struct net *net,
>  
>  	/* check the saved connections */
>  	list_for_each_entry_safe(conn, conn_n, &list->head, node) {
> -		if (collect > CONNCOUNT_GC_MAX_NODES)
> +		if (collect > CONNCOUNT_GC_MAX_COLLECT)
>  			break;

I see several options.
One idea that comes to mind:

1. In nf_conncount_list, add "unsigned int scanned".
2. in __nf_conncount_add, move alive elements to the tail.
3. For each alive element, increment ->scanned.
4. break if scanned >= list->count.
5. only set last_gc if "->scanned >= list->count" (and set scanned to 0).

Before this only-one-gc-run-per-jiffy we always collected for each new
tracked entry, and hence we never had the "fills up" problem.

Maybe it would be possible to also apply this scheme to gc_list()
helper.