netfilter: conntrack: adopt safer max chain length
Customers using GKE 1.25 and 1.26 are facing conntrack issues root caused to commitc9c3b6811f
("netfilter: conntrack: make max chain length random"). Even if we assume Uniform Hashing, a bucket often reachs 8 chained items while the load factor of the hash table is smaller than 0.5 With a limit of 16, we reach load factors of 3. With a limit of 32, we reach load factors of 11. With a limit of 40, we reach load factors of 15. With a limit of 50, we reach load factors of 24. This patch changes MIN_CHAINLEN to 50, to minimize risks. Ideally, we could in the future add a cushion based on expected load factor (2 * nf_conntrack_max / nf_conntrack_buckets), because some setups might expect unusual values. Fixes:c9c3b6811f
("netfilter: conntrack: make max chain length random") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
4a02426787
commit
c77737b736
@ -96,8 +96,8 @@ static DEFINE_MUTEX(nf_conntrack_mutex);
|
||||
#define GC_SCAN_MAX_DURATION msecs_to_jiffies(10)
|
||||
#define GC_SCAN_EXPIRED_MAX (64000u / HZ)
|
||||
|
||||
#define MIN_CHAINLEN 8u
|
||||
#define MAX_CHAINLEN (32u - MIN_CHAINLEN)
|
||||
#define MIN_CHAINLEN 50u
|
||||
#define MAX_CHAINLEN (80u - MIN_CHAINLEN)
|
||||
|
||||
static struct conntrack_gc_work conntrack_gc_work;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user