Re: [PATCH nf-next] netfilter: nf_conncount: make number of hash slots configurable

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: Vladimir Vdovin <deliran@verdict.gg>
Cc: netfilter-devel@vger.kernel.org, pablo@netfilter.org,
	coreteam@netfilter.org, phil@nwl.cc
Subject: Re: [PATCH nf-next] netfilter: nf_conncount: make number of hash slots configurable
Date: Wed, 15 Apr 2026 16:43:06 +0200	[thread overview]
Message-ID: <ad-j-nLF-2TvicY9@strlen.de> (raw)
In-Reply-To: <ad-WSA87e6Ukfi3M@strlen.de>

Florian Westphal <fw@strlen.de> wrote:
> Vladimir Vdovin <deliran@verdict.gg> wrote:
> > > Maybe change the code to size the array dynamically
> > > based on e.g. number of online cpus?
> > Hi Florian,
> > 
> > May be we could move it to module params?
> > (not sure that this params have to depend on number of cpu)
> > May be use number of cpus as default value?
> 
> I would prefer autotuning based on online cpus so this doesn't have to
> be changed at all.

And we should also do something like this.
As-is, different netns will block same slot if the key is the same.
As OVS uses conntrack zones and those can easily overlap, they hash
to same slot internally even if they use different data structures
and could run in parallel.

diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 00eed5b4d1b1..ab28b47395bd 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -58,6 +58,7 @@ static spinlock_t nf_conncount_locks[CONNCOUNT_SLOTS] __cacheline_aligned_in_smp
 
 struct nf_conncount_data {
 	unsigned int keylen;
+	u32 initval;
 	struct rb_root root[CONNCOUNT_SLOTS];
 	struct net *net;
 	struct work_struct gc_work;
@@ -65,7 +66,6 @@ struct nf_conncount_data {
 	unsigned int gc_tree;
 };
 
-static u_int32_t conncount_rnd __read_mostly;
 static struct kmem_cache *conncount_rb_cachep __read_mostly;
 static struct kmem_cache *conncount_conn_cachep __read_mostly;
 
@@ -496,7 +496,7 @@ count_tree(struct net *net,
 	struct nf_conncount_rb *rbconn;
 	unsigned int hash;
 
-	hash = jhash2(key, data->keylen, conncount_rnd) % CONNCOUNT_SLOTS;
+	hash = jhash2(key, data->keylen, data->initval) % CONNCOUNT_SLOTS;
 	root = &data->root[hash];
 
 	parent = rcu_dereference_raw(root->rb_node);
@@ -630,8 +630,6 @@ struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen
 	    keylen == 0)
 		return ERR_PTR(-EINVAL);
 
-	net_get_random_once(&conncount_rnd, sizeof(conncount_rnd));
-
 	data = kmalloc_obj(*data);
 	if (!data)
 		return ERR_PTR(-ENOMEM);
@@ -641,6 +639,7 @@ struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen
 
 	data->keylen = keylen / sizeof(u32);
 	data->net = net;
+	data->initval = get_random_u32();
 	INIT_WORK(&data->gc_work, tree_gc_worker);
 
 	return data;

     prev parent reply	other threads:[~2026-04-15 14:43 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-13 12:37 [PATCH nf-next] netfilter: nf_conncount: make number of hash slots configurable Vladimir Vdovin
2026-04-13 13:27 ` Fernando Fernandez Mancera
2026-04-15 13:29   ` Vladimir Vdovin
2026-04-13 14:26 ` Florian Westphal
2026-04-15 13:32   ` Vladimir Vdovin
2026-04-15 13:44     ` Florian Westphal
2026-04-15 14:10       ` Vladimir Vdovin
2026-04-15 14:43       ` Florian Westphal [this message]

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:00eed5b4d1b dfblob:ab28b47395b )
 OR (
bs:"Re: [PATCH nf-next] netfilter: nf_conncount: make number of hash slots configurable" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ad-j-nLF-2TvicY9@strlen.de \
    --to=fw@strlen.de \
    --cc=coreteam@netfilter.org \
    --cc=deliran@verdict.gg \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=phil@nwl.cc \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.