[PATCH] aggressive early_drop and reserved conntrack entries

Grzegorz Piotr Jaskiewicz gj at kde.org.uk
Thu Dec 9 13:25:37 CET 2004

Jozsef Kadlecsik wrote:
> Hi,
> The included patch addresses the following issues:
> - When the conntrack table is full, we search only in a single hash
>   bucket. We are in trouble anyway, so let's search harder for
>   droppable entries: the patch extends the search to at most the third of
>   all the buckets.
> - If the conntrack table is full, the remote management of the machine
>   becomes a little bit complicated :-). The patch adds the ability to
>   reserve a given number of entries to be used for management connections.
>   The following proc entries are added to /proc/sys/net/ipv4/netfilter:

That is a good idea, but aside from that I think that we need some kind of 
'garbage collector' that is going to remove the oldest connections from 
the hash to make space for the new ones. This sounds a bit more 
complicated, I know; maybe someone has a better idea about it.
But to be honest, letting someone manage the computer remotely is one 
thing, and letting the system solve the problem on its own is another.
Now that you can get in, tell me, what can you do?
You can resize the hash table for instance, but so can netfilter on its 
own in case the hash is filled to the brim.
So there are two ideas: either let it resize the hash table by some value, but 
that would have its maximum too. You can also forget the oldest connections 
and spare memory for new ones.
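To make the two mechanisms from the quoted patch description concrete (searching up to a third of the buckets for a droppable entry when the table is full, and keeping a slice of the table back for management connections), here is a small userspace model written for this page. It is added example code, not the patch itself or anything from ip_conntrack: the bucket count, entry cap, reserved count, hash function and the `key`/`assured` fields are stand-ins chosen for the example. The rule that early_drop never evicts an "assured" entry (one that has seen traffic in both directions) mirrors existing netfilter behaviour as I understand it, not something the thread states.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy model of the behaviour discussed in the thread (example code, not
 * the kernel's): a fixed number of hash buckets with chained entries, a
 * hard cap on live entries, a reserved share for management flows, and an
 * early_drop() that scans up to a third of the buckets, not only the one
 * the new flow hashes to. All sizes below are arbitrary assumptions. */
#define NBUCKETS     16
#define MAX_ENTRIES  32
#define RESERVED      4          /* slots only management flows may use */

struct ct_entry {
    uint32_t key;                /* stands in for the flow 5-tuple */
    int assured;                 /* replies seen: never early-dropped */
    struct ct_entry *next;
};

static struct ct_entry *buckets[NBUCKETS];
static int ct_count;

static unsigned ct_hash(uint32_t key)
{
    return (key * 2654435761u) % NBUCKETS;   /* multiplicative hash */
}

/* Evict one unassured entry, examining at most NBUCKETS/3 consecutive
 * buckets starting at the new flow's own bucket. Returns 1 on success. */
static int early_drop(unsigned start)
{
    unsigned i, scan = NBUCKETS / 3;

    for (i = 0; i < scan; i++) {
        struct ct_entry **pp = &buckets[(start + i) % NBUCKETS];
        for (; *pp; pp = &(*pp)->next) {
            if (!(*pp)->assured) {
                struct ct_entry *victim = *pp;
                *pp = victim->next;      /* unlink from the chain */
                free(victim);
                ct_count--;
                return 1;
            }
        }
    }
    return 0;                            /* nothing droppable in range */
}

/* Create an entry for a new flow. Ordinary flows are capped at
 * MAX_ENTRIES - RESERVED; management flows may use every slot. When the
 * applicable cap is reached, one early_drop() is attempted first. */
struct ct_entry *ct_new(uint32_t key, int is_mgmt)
{
    unsigned b = ct_hash(key);
    int cap = is_mgmt ? MAX_ENTRIES : MAX_ENTRIES - RESERVED;
    struct ct_entry *e;

    if (ct_count >= cap && !early_drop(b))
        return NULL;                     /* full, nothing droppable nearby */
    e = calloc(1, sizeof *e);
    if (!e)
        return NULL;
    e->key = key;
    e->next = buckets[b];
    buckets[b] = e;
    ct_count++;
    return e;
}

int ct_live(void) { return ct_count; }

void ct_reset(void)
{
    unsigned b;
    for (b = 0; b < NBUCKETS; b++)
        while (buckets[b]) {
            struct ct_entry *e = buckets[b];
            buckets[b] = e->next;
            free(e);
        }
    ct_count = 0;
}

/* Fill the ordinary share with assured flows, then check that a further
 * ordinary flow is refused while exactly RESERVED management flows still
 * get in. Returns the number of management flows admitted, or -1 if an
 * ordinary flow slipped into the reserved slots. */
int scenario_reserved(void)
{
    int i, mgmt_ok = 0;
    ct_reset();
    for (i = 1; i <= MAX_ENTRIES - RESERVED; i++)
        ct_new((uint32_t)i, 0)->assured = 1;
    if (ct_new(1000, 0) != NULL)
        return -1;
    for (i = 0; i < RESERVED + 1; i++) {
        struct ct_entry *e = ct_new(2000u + (uint32_t)i, 1);
        if (e) { e->assured = 1; mgmt_ok++; }
    }
    return mgmt_ok;
}

/* Fill the ordinary share with unassured flows: a new ordinary flow must
 * get in by evicting one of them, leaving the live count unchanged. */
int scenario_early_drop(void)
{
    int i, before;
    ct_reset();
    for (i = 1; i <= MAX_ENTRIES - RESERVED; i++)
        ct_new((uint32_t)i, 0);
    before = ct_live();
    return ct_new(1000, 0) != NULL && ct_live() == before;
}
```

The two scenario functions exercise the edge cases the thread is about: when every nearby entry is assured, early_drop finds nothing and ordinary traffic is refused, yet management flows still have their reserved slots; when unassured entries exist within the scanned third of the table, a new flow gets in by evicting one of them. Widening the scan beyond a single bucket is what makes the second case succeed even when the new flow's own bucket holds only assured entries.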

