From: Taehee Yoo <ap420073@gmail.com>
To: Florian Westphal <fw@strlen.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Netfilter Developer Mailing List
<netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH nf-next] netfilter: nf_conntrack: restrict conntrack_buckets value
Date: Tue, 9 Apr 2019 08:15:28 +0900 [thread overview]
Message-ID: <CAMArcTW1-2BpquD_hxkbryApTFGYsBLHB2XT72jBsC9p8Lzk0g@mail.gmail.com> (raw)
In-Reply-To: <20190408211112.gdbsl7cizymcx6fp@breakpoint.cc>
On Tue, 9 Apr 2019 at 06:11, Florian Westphal <fw@strlen.de> wrote:
>
Hi Florian,
> Taehee Yoo <ap420073@gmail.com> wrote:
> > In order to avoid wasteful memory allocation, the conntrack bucket count
> > should be lower than the conntrack_max value.
> > When conntrack_max is changed, conntrack_buckets is changed to stay
> > under the conntrack_max value.
> > But conntrack_buckets can be higher than conntrack_max only when
> > conntrack_max is lower than the minimum of conntrack_buckets.
> >
> > TEST
> > sysctl net.netfilter.nf_conntrack_max=100000 -w
> > sysctl net.netfilter.nf_conntrack_buckets=200000 -w
> > The second command will fail because of this patch.
>
> Are you sure this is correct?
>
> IIRC nf_conntrack_buckets is a global value, whereas nf_conntrack_max
> is per netns.
>
> So, with 100 netns nf_conntrack_buckets should be set to a much larger
> value.
>
> Also, we hash and insert each conntrack entry twice, once for original
> and once for the reverse direction.
>
> So, setting buckets to twice the max count is fine even for the 'init
> netns only' case.
>
Thank you for the review!
I checked conntrack_max and conntrack_buckets.
Your review is right.
conntrack_max is a global variable but the session count is per-netns.
So, in a netns setup, a large bucket count would be needed.
So, this patch is not correct.
Thank you!
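The sizing argument in Florian's reply (each conntrack entry is hashed and inserted twice, once per direction, and the table is shared while the limit applies per netns) as an added example. This is illustration code written for this page, not code from the patch, the kernel or the thread's authors: the tuple layout, the FNV-1a hash, the synthetic flows and the helper names (tuple_hash, simulate, tuples_for) are all assumptions standing in for the kernel's jhash-based nf_conntrack_hash.

```c
/* Added example, not kernel or netfilter code. Models the conntrack hash
 * table as described in the thread: every entry contributes two hashed
 * tuples (original and reply direction), so a table whose bucket count
 * equals the entry limit holds two tuples per bucket on average. The
 * tuple layout, hash function and synthetic flows are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct tuple {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
};

/* FNV-1a over the tuple fields (assumption: the kernel uses a seeded jhash).
 * Fields are hashed explicitly so struct padding never enters the hash. */
static uint32_t tuple_hash(const struct tuple *t, uint32_t buckets)
{
    uint32_t words[3] = { t->saddr, t->daddr,
                          ((uint32_t)t->sport << 16) | t->dport };
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < 3; i++) {
        for (int b = 0; b < 4; b++) {
            h ^= (words[i] >> (8 * b)) & 0xffu;
            h *= 16777619u;
        }
    }
    return h % buckets;
}

/* Reply direction: addresses and ports swapped. */
static struct tuple reverse_tuple(struct tuple t)
{
    struct tuple r = { t.daddr, t.saddr, t.dport, t.sport };
    return r;
}

struct table_stats {
    double avg_chain;     /* tuples per bucket */
    unsigned max_chain;   /* longest bucket chain seen */
};

/* Insert n_entries constructed flows, each as original + reply tuple,
 * into a table of 'buckets' slots and report chain statistics.
 * Flows are synthetic: one client address per flow talking to a fixed
 * server address and port (assumption, not captured traffic). */
static struct table_stats simulate(uint32_t n_entries, uint32_t buckets)
{
    struct table_stats s = { 0.0, 0 };
    unsigned *chain = calloc(buckets, sizeof(*chain));
    if (!chain || buckets == 0)
        return s;
    for (uint32_t i = 0; i < n_entries; i++) {
        struct tuple orig = { 0x0a000000u + i, 0xc0a80001u,
                              (uint16_t)(1024 + (i % 60000)), 443 };
        struct tuple repl = reverse_tuple(orig);
        chain[tuple_hash(&orig, buckets)]++;   /* original direction */
        chain[tuple_hash(&repl, buckets)]++;   /* reply direction */
    }
    for (uint32_t b = 0; b < buckets; b++)
        if (chain[b] > s.max_chain)
            s.max_chain = chain[b];
    s.avg_chain = 2.0 * n_entries / buckets;
    free(chain);
    return s;
}

/* Tuples the shared table must hold when every one of netns_count
 * namespaces fills its own per-netns limit: two tuples per entry. */
static unsigned long tuples_for(unsigned long max_per_netns, unsigned long netns_count)
{
    return 2UL * max_per_netns * netns_count;
}

int main(void)
{
    uint32_t max = 100000;
    uint32_t sizes[] = { max / 2, max, 2 * max };
    for (size_t i = 0; i < 3; i++) {
        struct table_stats s = simulate(max, sizes[i]);
        printf("buckets=%7u  avg chain=%.2f  max chain=%u\n",
               sizes[i], s.avg_chain, s.max_chain);
    }
    printf("100 netns at max=%u need room for %lu tuples\n",
           max, tuples_for(max, 100));
    return 0;
}
```

Running it shows why a buckets-below-max restriction is the wrong check: with buckets equal to max the average chain is already two tuples, with buckets at half of max it is four, and with many namespaces the shared table has to absorb two tuples per entry per namespace.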
Thread overview:
2019-04-08 10:42 [PATCH nf-next] netfilter: nf_conntrack: restrict conntrack_buckets value Taehee Yoo
2019-04-08 21:11 ` Florian Westphal
2019-04-08 23:15 ` Taehee Yoo [this message]