From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Subject: netfilter: get rid of per-object conntrack timers
Date: Thu, 25 Aug 2016 15:33:28 +0200
Message-ID: <1472132015-10264-1-git-send-email-fw@strlen.de>
During NFWS 2016 it was mentioned that per-conntrack timers have
two drawbacks:
- the 5-day default established timeout is very large and brings
extra constraints for the timer subsystem.
- most distros enable timer stats so timer struct eats 80 bytes
in each conntrack object.
This series replaces the per-object struct timer with a u32 jiffies
stamp and one global delayed work queue for conntrack eviction.
Size of nf_conn struct is reduced to 256 bytes on x86_64.
Eviction is performed from the packet path when doing table lookup;
for cases where we have idle periods, the work queue is used.
Tested with the following script, conntrackd running in 'reliable
event mode' and httpterm running on another host:
-----------------------------------------------------------
#!/bin/bash

random_resize() {
    while true; do
        RND=$((RANDOM % 256000 + 8192))
        sysctl net.netfilter.nf_conntrack_buckets=$RND
        sleep $((RANDOM % 120))
    done
}

random_flush() {
    while true; do
        sleep $((RANDOM % 120))
        conntrack -F
    done
}

random_startstop() {
    while true; do
        sleep $((RANDOM % 120))
        pkill -STOP conntrackd
        sleep $((RANDOM % 10))
        pkill -CONT conntrackd
    done
}

http-client -u 1000 -t 3 -F 192.168.10.50 -G 192.168.10.17:8001 &
http-client -u 1000 -t 3 -F 192.168.10.51 -G 192.168.10.17:8001 &
http-client -u 1000 -t 3 -F 192.168.10.52 -G 192.168.10.17:8001 &

random_resize &
random_flush &
random_startstop &
wait
-----------------------------------------------------------
include/net/netfilter/nf_conntrack.h | 36 +++--
include/net/netfilter/nf_conntrack_ecache.h | 17 +-
net/netfilter/nf_conntrack_core.c | 192 +++++++++++++++++++++-------
net/netfilter/nf_conntrack_ecache.c | 22 ++-
net/netfilter/nf_conntrack_netlink.c | 39 ++++-
net/netfilter/nf_conntrack_pptp.c | 3
net/netfilter/nf_nat_core.c | 6
7 files changed, 221 insertions(+), 94 deletions(-)
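The eviction scheme the cover letter describes, as an added user-space model (not the netfilter code from this series or from the kernel): each entry carries a 32-bit absolute expiry stamp instead of its own timer, the lookup path reaps stale entries it walks over and refreshes the stamp of the entry it hits, and a budgeted garbage-collection pass sweeps buckets that see no traffic, rescheduling sooner while it keeps finding expired entries. The stamp comparison uses the signed-difference idiom so it survives counter wrap. All names (ct_entry, ct_table, ct_lookup, ct_gc_run, ct_gc_next_delay, the 16-bucket table and the scripted demo) are hypothetical and the inputs are constructed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define NBUCKETS 16u

/* Hypothetical entry: a key standing in for the conntrack tuple plus
 * an absolute expiry stamp in the same unit as "now" (no timer struct). */
struct ct_entry {
	uint32_t key;
	uint32_t timeout;
	struct ct_entry *next;
};

struct ct_table {
	struct ct_entry *buckets[NBUCKETS];
	unsigned long freed;	/* entries evicted so far, for inspection */
};

/* Wrap-safe "has the stamp passed" test: same idea as time_after(). */
static bool stamp_expired(uint32_t timeout, uint32_t now)
{
	return (int32_t)(timeout - now) <= 0;
}

static unsigned bucket_of(uint32_t key)
{
	return (key * 2654435761u) % NBUCKETS;
}

static void ct_insert(struct ct_table *t, uint32_t key, uint32_t timeout)
{
	struct ct_entry *e = calloc(1, sizeof(*e));
	unsigned b = bucket_of(key);

	e->key = key;
	e->timeout = timeout;
	e->next = t->buckets[b];
	t->buckets[b] = e;
}

/* Unlink and free every expired entry in one chain; returns the count. */
static unsigned evict_bucket(struct ct_table *t, unsigned b, uint32_t now)
{
	struct ct_entry **pp = &t->buckets[b];
	unsigned n = 0;

	while (*pp) {
		struct ct_entry *e = *pp;

		if (stamp_expired(e->timeout, now)) {
			*pp = e->next;
			free(e);
			n++;
		} else {
			pp = &e->next;
		}
	}
	t->freed += n;
	return n;
}

/* Packet path: stale entries in the chain are reaped during the walk,
 * so a busy bucket never needs the worker.  A hit extends the stamp. */
static struct ct_entry *ct_lookup(struct ct_table *t, uint32_t key,
				  uint32_t now, uint32_t extend)
{
	unsigned b = bucket_of(key);
	struct ct_entry *e;

	evict_bucket(t, b, now);
	for (e = t->buckets[b]; e; e = e->next) {
		if (e->key == key) {
			e->timeout = now + extend;
			return e;
		}
	}
	return NULL;
}

/* Idle-period worker: scan "budget" buckets from a cursor, return evictions. */
static unsigned ct_gc_run(struct ct_table *t, unsigned *cursor,
			  unsigned budget, uint32_t now)
{
	unsigned evicted = 0, i;

	for (i = 0; i < budget; i++) {
		evicted += evict_bucket(t, *cursor, now);
		*cursor = (*cursor + 1) % NBUCKETS;
	}
	return evicted;
}

/* Next delay for the worker: come back quickly while the sweep is productive. */
static uint32_t ct_gc_next_delay(unsigned evicted, unsigned budget)
{
	return evicted * 4 >= budget ? 1u : 1000u;
}

/* Scripted run across a counter wrap: three flows, one goes idle.
 * Returns how many entries were evicted (expected: 1). */
static unsigned long demo(void)
{
	struct ct_table t = { { 0 }, 0 };
	unsigned cursor = 0, b;
	uint32_t now = 0xfffffff0u;	/* constructed: just before wrap */

	ct_insert(&t, 1, now + 100);	/* stamps wrap to 0x54 */
	ct_insert(&t, 2, now + 100);
	ct_insert(&t, 3, now + 100);

	now += 80;			/* now wraps to 0x40 */
	ct_lookup(&t, 1, now, 100);	/* flows 1 and 2 stay active */
	ct_lookup(&t, 2, now, 100);
	now += 40;			/* flow 3's stamp (0x54) is now past */
	if (ct_lookup(&t, 3, now, 100) != NULL)
		return 999;		/* reaped on the lookup path */
	ct_gc_run(&t, &cursor, NBUCKETS, now);	/* sweep finds nothing else */

	for (b = 0; b < NBUCKETS; b++)
		evict_bucket(&t, b, UINT32_MAX);	/* cleanup only */
	return t.freed == 3 ? 1 : t.freed;	/* 1 evicted before cleanup */
}
```

The demo deliberately starts just below the 32-bit wrap so that every stamp it stores is numerically smaller than the time it was stored at; a plain `timeout < now` comparison would evict the live flows immediately, which is why the signed-difference test matters once timers are replaced by bare stamps.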
Thread overview: 11+ messages
2016-08-25 13:33 Florian Westphal [this message]
2016-08-25 13:33 ` [PATCH v3 nf-next 1/7] netfilter: restart search if moved to other chain Florian Westphal
2016-08-25 13:33 ` [PATCH v3 nf-next 2/7] netfilter: don't rely on DYING bit to detect when destroy event was sent Florian Westphal
2016-08-25 13:33 ` [PATCH v3 nf-next 3/7] netfilter: conntrack: get rid of conntrack timer Florian Westphal
2016-08-25 13:33 ` [PATCH v3 nf-next 4/7] netfilter: evict stale entries on netlink dumps Florian Westphal
2016-08-25 13:33 ` [PATCH v3 nf-next 5/7] netfilter: conntrack: add gc worker to remove timed-out entries Florian Westphal
2016-08-25 16:06 ` Eric Dumazet
2016-08-25 13:33 ` [PATCH v3 nf-next 6/7] netfilter: conntrack: resched gc again if eviction rate is high Florian Westphal
2016-08-25 16:07 ` Eric Dumazet
2016-08-25 13:33 ` [PATCH v3 nf-next 7/7] netfilter: remove __nf_ct_kill_acct helper Florian Westphal
2016-08-30 9:43 ` netfilter: get rid of per-object conntrack timers Pablo Neira Ayuso