Linux Netfilter development
From: Florian Westphal <fw@strlen.de>
To: Scott Mitchell <scott.k.mitch1@gmail.com>
Cc: netfilter-devel@vger.kernel.org, pablo@netfilter.org
Subject: Re: [PATCH v6 2/2] netfilter: nfnetlink_queue: optimize verdict lookup with hash table
Date: Sat, 24 Jan 2026 17:48:27 +0100
Message-ID: <aXT32zphu2Uph_Uf@strlen.de>
In-Reply-To: <CAFn2buDj1+X_zKqy-ex5x-fz05g_0a3V_u0gJr7Z_n5pGK4rqQ@mail.gmail.com>

Scott Mitchell <scott.k.mitch1@gmail.com> wrote:
> For NFQA_CFG_QUEUE_MAXLEN API translation there are a few challenges:
> 1. Max packet size - If GRO is enabled, the MTU may not be a reliable
> upper bound. Using 2mb would be a conservative approach but also
> overcommit memory in many cases. Since there is no per-byte limit
> today it is likely safest to go with the conservative approach for
> backwards compatibility.
> 2. Per queue limit vs pernet limit - The number of queues and
> NFQA_CFG_QUEUE_MAXLEN are dynamic. How would you derive a pernet
> limit? One approach is "number of queues * queue with the max
> NFQA_CFG_QUEUE_MAXLEN" (which requires some additional state
> tracking).

I don't think a per queue limit was ever a good idea.

Back then network namespaces did not exist and nfqueue needs root
privileges, so misconfiguration was always self-sabotage.

But that's not true anymore.  I think we can keep a per-queue limit,
if just to allow userspace to limit some queues more than others.

But to keep memory usage at sane levels we'll need some pernet
limit (pcpu counters?), counting based on skb->truesize.

We could adopt a low limit, say, 32 Mbyte, by default and add
nfnetlink options to increase this. (The default 1024 packet
queue length would use ~2mbyte, assuming 2k pages and no
packet aggregation of any kind).

Maybe we can precharge this to the requesting socket's memcg as well
to also prevent a netns from configuring a 1 TB pernet limit.

> For the pernet byte limit API, were you thinking sysctl similar to
> nf_conntrack_max (e.g., /proc/sys/net/netfilter/nfqueue_max_bytes)?

That's another option.  My first hunch was to extend the nfqnl_attr_config
enum, as that API already has to be used to configure the queues from
userland.
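The accounting question in this message (a per-queue packet-count cap versus a per-netns byte budget charged with skb->truesize) can be made concrete with a small userspace model. The block below is an added illustration written for this page; it is not kernel code and not Scott's patch. The struct and function names (nfq_pernet, nfq_queue, nfq_try_charge, nfq_model_used_bytes) are invented for the model, the 32 MiB default is the figure proposed above, and the 64 KiB "aggregated" truesize is a constructed worst case. The kernel would use per-cpu counters rather than a single plain counter; the admission logic is what the model is meant to show.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userspace model of the design discussed in the thread:
 * each queue keeps its NFQA_CFG_QUEUE_MAXLEN packet-count cap, and the
 * network namespace additionally carries a byte budget charged with the
 * packet's truesize. Nothing here is the kernel's own code. */

#define NFQ_DEFAULT_MAXLEN   1024u                   /* packets per queue */
#define NFQ_PERNET_DEFAULT   (32ULL * 1024 * 1024)   /* 32 MiB proposed default */
#define NFQ_MODEL_MAX_QUEUES 64

struct nfq_pernet {
    uint64_t limit_bytes;   /* per-netns cap; would be tunable by the admin */
    uint64_t used_bytes;    /* sum of truesize over all queued packets */
};

struct nfq_queue {
    unsigned int maxlen;    /* per-queue packet-count cap */
    unsigned int len;       /* packets currently queued */
    uint64_t bytes;         /* bytes this queue holds, for observability */
};

/* Admission check. Returns 0 if the packet may be queued, -1 if it must
 * be refused. Both limits are enforced; only the byte budget bounds
 * memory when a packet's truesize is large (GRO, fragments, etc.). */
int nfq_try_charge(struct nfq_pernet *net, struct nfq_queue *q, unsigned int truesize)
{
    if (q->len >= q->maxlen)
        return -1;
    if (net->used_bytes + truesize > net->limit_bytes)
        return -1;
    q->len++;
    q->bytes += truesize;
    net->used_bytes += truesize;
    return 0;
}

/* Release accounting when a verdict is issued or the queue is torn down. */
void nfq_uncharge(struct nfq_pernet *net, struct nfq_queue *q, unsigned int truesize)
{
    q->len--;
    q->bytes -= truesize;
    net->used_bytes -= truesize;
}

/* Fill every queue with packets of one truesize until admission fails.
 * Returns the number of packets admitted. */
uint64_t nfq_fill(struct nfq_pernet *net, struct nfq_queue *qs, size_t nq, unsigned int truesize)
{
    uint64_t admitted = 0;
    for (size_t i = 0; i < nq; i++)
        while (nfq_try_charge(net, &qs[i], truesize) == 0)
            admitted++;
    return admitted;
}

/* Run the model: nq queues of maxlen packets under a pernet byte limit,
 * all packets sharing one truesize. Returns the bytes charged in total,
 * i.e. the memory the namespace can pin under that configuration. */
uint64_t nfq_model_used_bytes(size_t nq, unsigned int maxlen,
                              uint64_t limit_bytes, unsigned int truesize)
{
    struct nfq_queue qs[NFQ_MODEL_MAX_QUEUES] = {{0}};
    struct nfq_pernet net = { .limit_bytes = limit_bytes, .used_bytes = 0 };

    if (nq > NFQ_MODEL_MAX_QUEUES)
        nq = NFQ_MODEL_MAX_QUEUES;
    for (size_t i = 0; i < nq; i++)
        qs[i].maxlen = maxlen;
    nfq_fill(&net, qs, nq, truesize);
    return net.used_bytes;
}

int main(void)
{
    /* Count-only accounting: 64 queues x 1024 packets x 64 KiB truesize. */
    printf("count-only, 64 queues, 64 KiB truesize: %llu bytes\n",
           (unsigned long long)nfq_model_used_bytes(64, NFQ_DEFAULT_MAXLEN, UINT64_MAX, 65536));
    /* Same queues under the 32 MiB pernet budget. */
    printf("pernet 32 MiB, same setup:              %llu bytes\n",
           (unsigned long long)nfq_model_used_bytes(64, NFQ_DEFAULT_MAXLEN, NFQ_PERNET_DEFAULT, 65536));
    /* The ~2 MiB figure from the message: one default queue, 2 KiB truesize. */
    printf("one queue, 2 KiB truesize, no aggregation: %llu bytes\n",
           (unsigned long long)nfq_model_used_bytes(1, NFQ_DEFAULT_MAXLEN, UINT64_MAX, 2048));
    return 0;
}
```

The first run shows why a packet count alone is not a memory bound: 64 queues at the default length admit 4 GiB of truesize when each packet is a 64 KiB aggregate, while the same configuration under the pernet budget stops at 32 MiB regardless of how many queues the namespace creates. The third run reproduces the ~2 MiB per-queue estimate given above for 2 KiB pages without aggregation.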
