* [PATCH nf-next] netfilter: nf_conncount: make number of hash slots configurable
@ 2026-04-13 12:37 Vladimir Vdovin
From: Vladimir Vdovin @ 2026-04-13 12:37 UTC (permalink / raw)
To: netfilter-devel; +Cc: Vladimir Vdovin, pablo, fw, coreteam, phil
Some workloads with a high conntrack rate
generate high lock contention in insert_tree(), so
the constant 256 CONNCOUNT_SLOTS can be too small.
Signed-off-by: Vladimir Vdovin <deliran@verdict.gg>
---
net/netfilter/Kconfig | 12 ++++++++++++
net/netfilter/nf_conncount.c | 2 +-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 6cdc994fdc8a..38df2829d4d6 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -111,6 +111,18 @@ if NF_CONNTRACK
config NETFILTER_CONNCOUNT
tristate
+config NF_CONNCOUNT_SLOTS
+ int "Number of hash slots for nf_conncount"
+ depends on NF_CONNTRACK
+ default 256
+ range 1 4096
+ help
+ Number of hash slots used by the nf_conncount module.
+ Each slot has its own spinlock and rb-tree, so increasing
+ this value reduces lock contention at the cost of additional
+ memory.
+ Default is 256. Allowed range: 1 - 4096.
+
config NF_CONNTRACK_MARK
bool 'Connection mark tracking support'
depends on NETFILTER_ADVANCED
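Review bot: `depends on NF_CONNTRACK` on the new symbol is redundant (the hunk header shows it lands inside the `if NF_CONNTRACK` block) and also the wrong gate: the value is only consumed by nf_conncount, so `depends on NETFILTER_CONNCOUNT` would hide the prompt when nothing selects that module. Two more points on the same hunk: `range 1 4096` admits non-power-of-two sizes even though the slot is chosen with `% CONNCOUNT_SLOTS` (a division per lookup; `1` degenerates to a single global lock), so either document powers of two or mask instead of dividing; and the closing help line `Default is 256. Allowed range: 1 - 4096.` only restates the `default` and `range` lines, while the cost users actually need to weigh, that CONNCOUNT_SLOTS also sizes the `root[]` array embedded in every struct nf_conncount_data and the static nf_conncount_locks[] array, goes unmentioned.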
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 00eed5b4d1b1..bdb9081a6c05 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -32,7 +32,7 @@
#include <net/netfilter/nf_conntrack_tuple.h>
#include <net/netfilter/nf_conntrack_zones.h>
-#define CONNCOUNT_SLOTS 256U
+#define CONNCOUNT_SLOTS CONFIG_NF_CONNCOUNT_SLOTS
#define CONNCOUNT_GC_MAX_NODES 8
#define CONNCOUNT_GC_MAX_COLLECT 64
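Review bot: swapping `256U` for the bare Kconfig value turns CONNCOUNT_SLOTS from an unsigned into a signed int constant. `jhash2(...) % CONNCOUNT_SLOTS` still behaves, because the u32 left operand forces the conversion, but any signed/unsigned comparison elsewhere in the file that was clean with `256U` may now warn. Keep the type explicit: `#define CONNCOUNT_SLOTS ((unsigned int)CONFIG_NF_CONNCOUNT_SLOTS)`. This is also the hunk where the objection raised later in the thread bites: a Kconfig constant still bakes the size into the build, whereas sizing `root[]` and `nf_conncount_locks[]` from num_online_cpus() at init would need them to become allocated rather than fixed-size arrays.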
base-commit: 028ef9c96e96197026887c0f092424679298aae8
--
2.47.0
* Re: [PATCH nf-next] netfilter: nf_conncount: make number of hash slots configurable
From: Fernando Fernandez Mancera @ 2026-04-13 13:27 UTC (permalink / raw)
To: Vladimir Vdovin, netfilter-devel; +Cc: pablo, fw, coreteam, phil
On 4/13/26 2:37 PM, Vladimir Vdovin wrote:
> Some workloads with a high conntrack rate
> generate high lock contention in insert_tree(), so
> the constant 256 CONNCOUNT_SLOTS can be too small.
>
> Signed-off-by: Vladimir Vdovin <deliran@verdict.gg>
> ---
Hi Vladimir,
do you have a good way to reproduce such a situation? I have been looking
for ways to improve conncount and its testing.
Thanks,
Fernando.
> net/netfilter/Kconfig | 12 ++++++++++++
> net/netfilter/nf_conncount.c | 2 +-
> 2 files changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index 6cdc994fdc8a..38df2829d4d6 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -111,6 +111,18 @@ if NF_CONNTRACK
> config NETFILTER_CONNCOUNT
> tristate
>
> +config NF_CONNCOUNT_SLOTS
> + int "Number of hash slots for nf_conncount"
> + depends on NF_CONNTRACK
> + default 256
> + range 1 4096
> + help
> + Number of hash slots used by the nf_conncount module.
> + Each slot has its own spinlock and rb-tree, so increasing
> + this value reduces lock contention at the cost of additional
> + memory.
> + Default is 256. Allowed range: 1 - 4096.
> +
> config NF_CONNTRACK_MARK
> bool 'Connection mark tracking support'
> depends on NETFILTER_ADVANCED
> diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
> index 00eed5b4d1b1..bdb9081a6c05 100644
> --- a/net/netfilter/nf_conncount.c
> +++ b/net/netfilter/nf_conncount.c
> @@ -32,7 +32,7 @@
> #include <net/netfilter/nf_conntrack_tuple.h>
> #include <net/netfilter/nf_conntrack_zones.h>
>
> -#define CONNCOUNT_SLOTS 256U
> +#define CONNCOUNT_SLOTS CONFIG_NF_CONNCOUNT_SLOTS
>
> #define CONNCOUNT_GC_MAX_NODES 8
> #define CONNCOUNT_GC_MAX_COLLECT 64
>
> base-commit: 028ef9c96e96197026887c0f092424679298aae8
* Re: [PATCH nf-next] netfilter: nf_conncount: make number of hash slots configurable
From: Florian Westphal @ 2026-04-13 14:26 UTC (permalink / raw)
To: Vladimir Vdovin; +Cc: netfilter-devel, pablo, coreteam, phil
Vladimir Vdovin <deliran@verdict.gg> wrote:
> Some workloads with a high conntrack rate
> generate high lock contention in insert_tree(), so
> the constant 256 CONNCOUNT_SLOTS can be too small.
No. Compile-time options suck. No distro is going
to alter the value away from the default.
Maybe change the code to size the array dynamically
based on e.g. number of online cpus?
* Re: [PATCH nf-next] netfilter: nf_conncount: make number of hash slots configurable
From: Vladimir Vdovin @ 2026-04-15 13:29 UTC (permalink / raw)
To: Fernando Fernandez Mancera, Vladimir Vdovin, netfilter-devel
Cc: pablo, fw, coreteam, phil
On Mon Apr 13, 2026 at 4:27 PM MSK, Fernando Fernandez Mancera wrote:
> On 4/13/26 2:37 PM, Vladimir Vdovin wrote:
>> Some workloads with a high conntrack rate
>> generate high lock contention in insert_tree(), so
>> the constant 256 CONNCOUNT_SLOTS can be too small.
>>
>> Signed-off-by: Vladimir Vdovin <deliran@verdict.gg>
>> ---
>
> Hi Vladimir,
>
> do you have a good way to reproduce such a situation? I have been looking
> for ways to improve conncount and its testing.
>
> Thanks,
> Fernando.
>
Hi Fernando,
I am testing it in our "cloud" environment where we have OVS with per-zone conncount,
sending a SYN flood between VMs in different zones and on different hypervisors.
Not a very good way of reproducing, imho ;)
I will take some time to try to reproduce it in a local environment, between namespaces for example.
Best Regards,
Vladimir.
>> net/netfilter/Kconfig | 12 ++++++++++++
>> net/netfilter/nf_conncount.c | 2 +-
>> 2 files changed, 13 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
>> index 6cdc994fdc8a..38df2829d4d6 100644
>> --- a/net/netfilter/Kconfig
>> +++ b/net/netfilter/Kconfig
>> @@ -111,6 +111,18 @@ if NF_CONNTRACK
>> config NETFILTER_CONNCOUNT
>> tristate
>>
>> +config NF_CONNCOUNT_SLOTS
>> + int "Number of hash slots for nf_conncount"
>> + depends on NF_CONNTRACK
>> + default 256
>> + range 1 4096
>> + help
>> + Number of hash slots used by the nf_conncount module.
>> + Each slot has its own spinlock and rb-tree, so increasing
>> + this value reduces lock contention at the cost of additional
>> + memory.
>> + Default is 256. Allowed range: 1 - 4096.
>> +
>> config NF_CONNTRACK_MARK
>> bool 'Connection mark tracking support'
>> depends on NETFILTER_ADVANCED
>> diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
>> index 00eed5b4d1b1..bdb9081a6c05 100644
>> --- a/net/netfilter/nf_conncount.c
>> +++ b/net/netfilter/nf_conncount.c
>> @@ -32,7 +32,7 @@
>> #include <net/netfilter/nf_conntrack_tuple.h>
>> #include <net/netfilter/nf_conntrack_zones.h>
>>
>> -#define CONNCOUNT_SLOTS 256U
>> +#define CONNCOUNT_SLOTS CONFIG_NF_CONNCOUNT_SLOTS
>>
>> #define CONNCOUNT_GC_MAX_NODES 8
>> #define CONNCOUNT_GC_MAX_COLLECT 64
>>
>> base-commit: 028ef9c96e96197026887c0f092424679298aae8
* Re: [PATCH nf-next] netfilter: nf_conncount: make number of hash slots configurable
From: Vladimir Vdovin @ 2026-04-15 13:32 UTC (permalink / raw)
To: Florian Westphal, Vladimir Vdovin; +Cc: netfilter-devel, pablo, coreteam, phil
On Mon Apr 13, 2026 at 5:26 PM MSK, Florian Westphal wrote:
> Vladimir Vdovin <deliran@verdict.gg> wrote:
>> Some workloads with a high conntrack rate
>> generate high lock contention in insert_tree(), so
>> the constant 256 CONNCOUNT_SLOTS can be too small.
>
> No. Compile-time options suck. No distro is going
> to alter the value away from the default.
>
> Maybe change the code to size the array dynamically
> based on e.g. number of online cpus?
Hi Florian,
Maybe we could move it to module params?
(Not sure that this param has to depend on the number of CPUs.)
Maybe use the number of CPUs as the default value?
Best Regards,
Vladimir
* Re: [PATCH nf-next] netfilter: nf_conncount: make number of hash slots configurable
From: Florian Westphal @ 2026-04-15 13:44 UTC (permalink / raw)
To: Vladimir Vdovin; +Cc: netfilter-devel, pablo, coreteam, phil
Vladimir Vdovin <deliran@verdict.gg> wrote:
> > Maybe change the code to size the array dynamically
> > based on e.g. number of online cpus?
> Hi Florian,
>
> Maybe we could move it to module params?
> (Not sure that this param has to depend on the number of CPUs.)
> Maybe use the number of CPUs as the default value?
I would prefer autotuning based on online cpus so this doesn't have to
be changed at all.
How many cores does your platform have? The current value was set in 2014.
* Re: [PATCH nf-next] netfilter: nf_conncount: make number of hash slots configurable
From: Vladimir Vdovin @ 2026-04-15 14:10 UTC (permalink / raw)
To: Florian Westphal, Vladimir Vdovin; +Cc: netfilter-devel, pablo, coreteam, phil
On Wed Apr 15, 2026 at 4:44 PM MSK, Florian Westphal wrote:
> Vladimir Vdovin <deliran@verdict.gg> wrote:
>> > Maybe change the code to size the array dynamically
>> > based on e.g. number of online cpus?
>> Hi Florian,
>>
>> Maybe we could move it to module params?
>> (Not sure that this param has to depend on the number of CPUs.)
>> Maybe use the number of CPUs as the default value?
>
> I would prefer autotuning based on online cpus so this doesn't have to
> be changed at all.
>
> How many cores does your platform have? The current value was set in 2014.
Tested on 160 cores with SMT and 2 nodes (40*2 + 40*2).
* Re: [PATCH nf-next] netfilter: nf_conncount: make number of hash slots configurable
From: Florian Westphal @ 2026-04-15 14:43 UTC (permalink / raw)
To: Vladimir Vdovin; +Cc: netfilter-devel, pablo, coreteam, phil
Florian Westphal <fw@strlen.de> wrote:
> Vladimir Vdovin <deliran@verdict.gg> wrote:
> > > Maybe change the code to size the array dynamically
> > > based on e.g. number of online cpus?
> > Hi Florian,
> >
> > Maybe we could move it to module params?
> > (Not sure that this param has to depend on the number of CPUs.)
> > Maybe use the number of CPUs as the default value?
>
> I would prefer autotuning based on online cpus so this doesn't have to
> be changed at all.
And we should also do something like this.
As-is, different netns will block on the same slot if the key is the same.
As OVS uses conntrack zones and those can easily overlap, they hash
to the same slot internally even if they use different data structures
and could run in parallel.
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 00eed5b4d1b1..ab28b47395bd 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -58,6 +58,7 @@ static spinlock_t nf_conncount_locks[CONNCOUNT_SLOTS] __cacheline_aligned_in_smp
struct nf_conncount_data {
unsigned int keylen;
+ u32 initval;
struct rb_root root[CONNCOUNT_SLOTS];
struct net *net;
struct work_struct gc_work;
@@ -65,7 +66,6 @@ struct nf_conncount_data {
unsigned int gc_tree;
};
-static u_int32_t conncount_rnd __read_mostly;
static struct kmem_cache *conncount_rb_cachep __read_mostly;
static struct kmem_cache *conncount_conn_cachep __read_mostly;
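Review bot: this hunk deletes the global `conncount_rnd`, but the diff only updates `count_tree()`; the cover mail names `insert_tree()` as the contention point, and if it or the GC worker also hashes with `conncount_rnd` the build breaks, so check for remaining users before this goes out.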
@@ -496,7 +496,7 @@ count_tree(struct net *net,
struct nf_conncount_rb *rbconn;
unsigned int hash;
- hash = jhash2(key, data->keylen, conncount_rnd) % CONNCOUNT_SLOTS;
+ hash = jhash2(key, data->keylen, data->initval) % CONNCOUNT_SLOTS;
root = &data->root[hash];
parent = rcu_dereference_raw(root->rb_node);
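Review bot: with `data->initval` in the hash, the same key in two instances (two overlapping OVS zones, two netns) lands on the same slot with probability 1/CONNCOUNT_SLOTS instead of always, which is the fix the mail describes; note though that `nf_conncount_locks[]` stays one global array, so independent instances still serialise on whichever slots their hashes happen to share. A per-instance seed also keeps the slot layout of one instance independent of every other's, so a flood that found a crowded slot in one zone learns nothing about the others; both points belong in the changelog.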
@@ -630,8 +630,6 @@ struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen
keylen == 0)
return ERR_PTR(-EINVAL);
- net_get_random_once(&conncount_rnd, sizeof(conncount_rnd));
-
data = kmalloc_obj(*data);
if (!data)
return ERR_PTR(-ENOMEM);
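Review bot: dropping `net_get_random_once()` is consistent once nothing reads `conncount_rnd`; the replacement `get_random_u32()` per nf_conncount_init() runs at rule setup rather than early boot, so there is no seeding concern, and the extra 4 bytes per instance are negligible next to `root[CONNCOUNT_SLOTS]`.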
@@ -641,6 +639,7 @@ struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen
data->keylen = keylen / sizeof(u32);
data->net = net;
+ data->initval = get_random_u32();
INIT_WORK(&data->gc_work, tree_gc_worker);
return data;
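To make the slot-collision argument in the mail above concrete, here is an added user-space model of how count_tree() picks a slot (example code written for this page, not code from the patch or from the kernel tree). jhash2() is transcribed from include/linux/jhash.h; CONNCOUNT_SLOTS=256, the single-u32 source-address key and the xorshift32 stand-in for get_random_u32() are assumptions of the simulation. It compares the current behaviour (one boot-wide conncount_rnd shared by every instance) with the proposed per-instance initval: with a shared seed, the same key in two instances, say two overlapping OVS zones, hits the same slot and therefore the same entry of the global nf_conncount_locks[] every single time; with per-instance seeds that happens about once per CONNCOUNT_SLOTS keys.

```c
/*
 * Added example: user-space model of nf_conncount slot selection.
 * jhash2() is transcribed from the kernel's include/linux/jhash.h;
 * everything else (slot count, key shape, PRNG) is an assumption made
 * for this simulation and is not the kernel's or the patch's code.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

#define CONNCOUNT_SLOTS 256U          /* same value as the current #define */
#define JHASH_INITVAL   0xdeadbeef

static inline u32 rol32(u32 x, unsigned int k)
{
	return (x << k) | (x >> (32 - k));
}

#define __jhash_mix(a, b, c)			\
{						\
	a -= c;  a ^= rol32(c, 4);  c += b;	\
	b -= a;  b ^= rol32(a, 6);  a += c;	\
	c -= b;  c ^= rol32(b, 8);  b += a;	\
	a -= c;  a ^= rol32(c, 16); c += b;	\
	b -= a;  b ^= rol32(a, 19); a += c;	\
	c -= b;  c ^= rol32(b, 4);  b += a;	\
}

#define __jhash_final(a, b, c)			\
{						\
	c ^= b; c -= rol32(b, 14);		\
	a ^= c; a -= rol32(c, 11);		\
	b ^= a; b -= rol32(a, 25);		\
	c ^= b; c -= rol32(b, 16);		\
	a ^= c; a -= rol32(c, 4);		\
	b ^= a; b -= rol32(a, 14);		\
	c ^= b; c -= rol32(b, 24);		\
}

/* jhash2(): hash an array of u32 words, as in include/linux/jhash.h. */
static u32 jhash2(const u32 *k, u32 length, u32 initval)
{
	u32 a, b, c;

	a = b = c = JHASH_INITVAL + (length << 2) + initval;

	while (length > 3) {
		a += k[0];
		b += k[1];
		c += k[2];
		__jhash_mix(a, b, c);
		length -= 3;
		k += 3;
	}

	switch (length) {
	case 3: c += k[2]; /* fall through */
	case 2: b += k[1]; /* fall through */
	case 1: a += k[0];
		__jhash_final(a, b, c);
		break;
	case 0:
		break;
	}
	return c;
}

/* Slot selection exactly as count_tree() does it: jhash2() % CONNCOUNT_SLOTS. */
unsigned int conncount_slot(const u32 *key, u32 keylen, u32 initval)
{
	return jhash2(key, keylen, initval) % CONNCOUNT_SLOTS;
}

/* Deterministic stand-in for get_random_u32() so the run is reproducible. */
static u32 xorshift32(u32 *state)
{
	u32 x = *state;
	x ^= x << 13;
	x ^= x >> 17;
	x ^= x << 5;
	return *state = x;
}

/*
 * For `trials` constructed keys (an IPv4 source address, the usual connlimit
 * key), count how often instance A and instance B map the same key to the
 * same slot.  shared_seed=1 models today's single global conncount_rnd;
 * shared_seed=0 models a per-instance initval drawn at nf_conncount_init().
 */
unsigned int count_slot_collisions(unsigned int trials, int shared_seed)
{
	u32 rng = 0x2545f491u;
	u32 global_rnd = xorshift32(&rng);      /* the one boot-wide seed */
	unsigned int collisions = 0;

	for (unsigned int i = 0; i < trials; i++) {
		u32 key[1] = { 0x0a000000u + i };  /* 10.0.0.0 + i, constructed */
		u32 seed_a = shared_seed ? global_rnd : xorshift32(&rng);
		u32 seed_b = shared_seed ? global_rnd : xorshift32(&rng);

		if (conncount_slot(key, 1, seed_a) == conncount_slot(key, 1, seed_b))
			collisions++;
	}
	return collisions;
}

int main(void)
{
	unsigned int trials = 4096;

	printf("slots=%u trials=%u\n", CONNCOUNT_SLOTS, trials);
	printf("shared seed:        %u keys on the same slot in both instances\n",
	       count_slot_collisions(trials, 1));
	printf("per-instance seeds: %u keys on the same slot in both instances\n",
	       count_slot_collisions(trials, 0));
	return 0;
}
```

Build with `cc -O2 -o conncount_slots conncount_slots.c` and run it: the shared-seed run reports a collision for every one of the 4096 keys, the per-instance run only a small number, on average one key in CONNCOUNT_SLOTS. The lock array stays global in both cases, which is why the residual collisions remain; the per-instance seed only removes the deterministic ones.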