[Devel] Re: [NETFILTER] early_drop() imrovement (v4)

Patrick McHardy kaber at trash.net
Wed Jun 27 05:04:15 PDT 2007


Patrick McHardy wrote:
> Vasily Averin wrote:
> 
>>When the number of conntracks is reached nf_conntrack_max limit, early_drop()
>>tries to free one of already used conntracks. If it does not find any conntracks
>>that may be freed, it leads to transmission errors.
>>In current implementation the conntracks are searched in one hash bucket only.
>>It have some drawbacks: if used hash bucket is empty we have not any chances to
>>find something. On the other hand the hash bucket can contain a huge number of
>>conntracks and its check can last a long time.
>>The proposed patch limits the number of checked conntracks and allows to search
>>conntracks in other hash buckets. As result in any case the search will have the
>>same chances to free one of the conntracks and the check will not lead to long
>>delays.
> 
> 
> 
> Thanks Vasily. I have some patches queued to convert all conntrack
> hashes to hlists, which conflict with your patches. They need a bit
> more work, I'll integrate your changes on top of them once I'm done.


I've added this patch to my tree at

http://people.netfilter.org/kaber/nf-2.6.23.git/

I've joined the two loops from your patch since that avoids an
otherwise useless function and doesn't take the lock up to 8
times in a row.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 32.diff
Type: text/x-diff
Size: 2793 bytes
Desc: not available
URL: <http://lists.openvz.org/pipermail/devel/attachments/20070627/e7df34b3/attachment-0001.bin>


More information about the Devel mailing list