From: Greg KH <greg@kroah.com>
To: Florian Westphal <fw@strlen.de>
Cc: stable@vger.kernel.org, g.nault@alphalink.fr, pablo@netfilter.org
Subject: Re: [PATCH 4.9.y] netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to rhashtable"
Date: Mon, 13 Nov 2017 09:36:49 +0100 [thread overview]
Message-ID: <20171113083649.GC22719@kroah.com> (raw)
In-Reply-To: <20171112202347.14762-1-fw@strlen.de>
On Sun, Nov 12, 2017 at 09:23:47PM +0100, Florian Westphal wrote:
> commit e1bf1687740ce1a3598a1c5e452b852ff2190682 upstream.
>
> This reverts commit 870190a9ec9075205c0fa795a09fa931694a3ff1.
>
> It was not a good idea. The custom hash table was a much better
> fit for this purpose.
>
> A fast lookup is not essential, in fact for most cases there is no lookup
> at all because original tuple is not taken and can be used as-is.
> What needs to be fast is insertion and deletion.
>
> rhlist removal however requires a rhlist walk.
> We can have thousands of entries in such a list if source port/addresses
> are reused for multiple flows, if this happens removal requests are so
> expensive that deletions of a few thousand flows can take several
> seconds(!).
>
> The advantages that we got from rhashtable are:
> 1) table auto-sizing
> 2) multiple locks
>
> 1) would be nice to have, but it is not essential as we have at
> most one lookup per new flow, so even a million flows in the bysource
> table are not a problem compared to current deletion cost.
> 2) is easy to add to custom hash table.
>
> I tried to add hlist_node to rhlist to speed up rhltable_remove but this
> isn't doable without changing semantics. rhltable_remove_fast will
> check that the to-be-deleted object is part of the table and that
> requires a list walk that we want to avoid.
>
> Furthermore, using hlist_node increases size of struct rhlist_head, which
> in turn increases nf_conn size.
>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=196821
> Reported-by: Ivan Babrou <ibobrik@gmail.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> Hi Greg,
>
> this is a 4.9.y backport of the same revert that already went into 4.13.y;
> please consider applying this. I briefly tested this in kvm, at very least
> it doesn't break nat redirect in obvious ways...
Very nice, thanks for this, now queued up.
greg k-h
next prev parent reply other threads:[~2017-11-13 8:36 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-12 20:23 [PATCH 4.9.y] netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to rhashtable" Florian Westphal
2017-11-13 8:36 ` Greg KH [this message]
2017-11-14 7:07 ` Sebastian Gottschall
2017-11-14 11:05 ` Florian Westphal
2017-11-14 11:54 ` Guillaume Nault
2017-11-14 19:30 ` Guillaume Nault
2017-11-14 22:16 ` Sebastian Gottschall
2017-11-14 22:44 ` Sebastian Gottschall
2017-11-15 10:13 ` Florian Westphal
2017-11-15 14:04 ` Greg Kroah-Hartman
2017-11-15 14:16 ` Pablo Neira Ayuso
2017-11-15 14:51 ` Greg Kroah-Hartman
2017-11-15 22:57 ` Sebastian Gottschall
2017-11-15 14:11 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171113083649.GC22719@kroah.com \
--to=greg@kroah.com \
--cc=fw@strlen.de \
--cc=g.nault@alphalink.fr \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).