From: Eric Dumazet <dada1@cosmosbay.com>
To: David Miller <davem@davemloft.net>
Cc: nhorman@tuxdriver.com, netdev@vger.kernel.org,
kuznet@ms2.inr.ac.ru, pekkas@netcore.fi, jmorris@namei.org,
yoshfuji@linux-ipv6.org, kaber@trash.net,
Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Subject: Re: [PATCH] net: implement emergency route cache rebulds when gc_elasticity is exceeded
Date: Tue, 30 Sep 2008 19:16:50 +0200
Message-ID: <48E25F02.8030303@cosmosbay.com>
In-Reply-To: <20080930.071023.07946874.davem@davemloft.net>

David Miller wrote:
> From: Eric Dumazet <dada1@cosmosbay.com>
> Date: Tue, 30 Sep 2008 08:02:44 +0200
>
>> When a machine is targeted by a DDOS attack, about all slots of the
>> hash table are fully loaded (i.e. chain length >= elasticity). We don't
>> need to invalidate the cache, but find an equilibrium, with small
>> adjustments.
>
> Sure, but it is possible to determine that some hash chains
> are unevenly growing out of control compared to others,
> and that is the algorithm that Neil is trying to discover.
>
>
No problem, but my suggestion to use a separate threshold from elasticity
was apparently not taken into consideration.

I ran an experiment on a big stable machine with 2^19 rtcache slots,
scanning all chains, and found *many* of them having length > elasticity,
maximum being 13. I am sure it's allowed by statistics laws.
(average chain length: 3.55)

In order to avoid unnecessary cache invalidation, we need some
calculation from a statistics expert.

Given rt_hash_size and elasticity (or rt_max_size), compute the "maximum reasonable"
chain length, i.e. some X number where probability(chain_length < X) > 0.9999

(CCed Evgeniy Polyakov :) )

MemTotal: 32963064 kB
8 CPUS

/proc/sys/net/ipv4/route/max_size:8388608 (default at boot time)
/proc/sys/net/ipv4/route/gc_thresh:2000000
/proc/sys/net/ipv4/route/gc_elasticity:4
/proc/sys/net/ipv4/route/gc_interval:1

Linux version 2.6.24.5

cat /proc/net/sockstat
sockets: used 957514
TCP: inuse 963998 orphan 7100 tw 10393 alloc 964646 mem 376389

rtstat -c5 -i5 (minus first sample)
rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|rt_cache|
 entries|  in_hit|in_slow_|in_slow_|in_no_ro|  in_brd|in_marti|in_marti| out_hit|out_slow|out_slow|gc_total|gc_ignor|gc_goal_|gc_dst_o|in_hlist|out_hlis|
        |        |     tot|      mc|     ute|        |  an_dst|  an_src|        |    _tot|     _mc|        |      ed|    miss| verflow| _search|t_search|
 1862477|   23758|    4400|       0|       0|       0|       0|       0|    4142|    1134|       0|       0|       0|       0|       0|   45754|   11785|
 1863310|   24794|    4504|       0|       0|       0|       0|       0|    4089|    1183|       0|       0|       0|       0|       0|   47558|   11640|
 1863604|   24183|    4383|       0|       0|       0|       0|       0|    3910|    1061|       0|       0|       0|       0|       0|   46002|   10819|
 1864473|   23899|    4510|       0|       0|       0|       0|       0|    4113|    1193|       0|       0|       0|       0|       0|   46451|   11798|

grep ip_dst_cache /proc/slabinfo
ip_dst_cache 1863543 1868660 384 10 1 : tunables 0 0 0 : slabdata 186866 186866 0

On this machine, a single "ip route flush cache" is risky
(commit 29e75252da20f3ab9e132c68c9aed156b87beae6, "[IPV4] route cache: Introduce rt_genid for smooth cache invalidation",
not yet included in kernel)
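
The calculation requested in the message above, as an added example (not part of the original message and not kernel code). It assumes a uniform hash and no GC trimming, so each chain length is Poisson with mean entries/slots; the function names are made up here, and the inputs are the 2^19 slots, gc_elasticity of 4 and the first rtstat "entries" sample from the message.

```python
import math

# Inputs taken from the message: hash slots, gc_elasticity, rtstat "entries".
SLOTS = 2 ** 19
ELASTICITY = 4
ENTRIES = 1862477


def poisson_pmf(k, lam):
    """P(chain_length == k) for a Poisson(lam) chain, computed in log space."""
    return math.exp(k * math.log(lam) - lam - math.lgamma(k + 1))


def tail(k, lam):
    """P(chain_length >= k), summed upward so tiny tails keep their precision."""
    total, j = 0.0, k
    while True:
        term = poisson_pmf(j, lam)
        total += term
        if j > lam and term <= total * 1e-16:
            return total
        j += 1


def per_chain_bound(lam, p=0.9999):
    """Smallest X with P(chain_length < X) > p for one chain."""
    x = 0
    while tail(x, lam) >= 1.0 - p:
        x += 1
    return x


def table_wide_bound(lam, slots, expected=1.0):
    """Smallest X where fewer than `expected` chains in the table reach X."""
    x = 0
    while slots * tail(x, lam) >= expected:
        x += 1
    return x


if __name__ == "__main__":
    lam = ENTRIES / SLOTS  # average chain length, about 3.55
    print("average chain length: %.2f" % lam)
    print("chains longer than elasticity: %.0f of %d"
          % (SLOTS * tail(ELASTICITY + 1, lam), SLOTS))
    print("per-chain X (p > 0.9999):", per_chain_bound(lam))
    print("table-wide X (< 1 chain expected):", table_wide_bound(lam, SLOTS))
```

With the message's numbers the per-chain bound comes out at 13, and about 28% of chains are expected to exceed gc_elasticity. The model ignores garbage collection, which trims long chains in the real cache.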