[PATCH] aggressive early_drop and reserved conntrack entries

Jozsef Kadlecsik kadlec at blackhole.kfki.hu
Thu Dec 9 14:21:58 CET 2004


On Thu, 9 Dec 2004, Grzegorz Piotr Jaskiewicz wrote:

> That is a good idea, but aside from that I think that we need some kind of
> 'garbage collector' that is going to remove the oldest connections from
> the hash to make space for the new ones.

We have already got such garbage collection, which is simple, clean and
natural: timeout.

> This sounds a bit more
> complicated, I know; maybe someone has a better idea about it.
> But to be honest, letting someone manage a computer remotely is one
> thing, and letting the system solve the problem on its own is another.
> Now that you can get in, tell me what you can do?
> You can resize the hash table, for instance, but so can netfilter on its
> own in case the hash is filled to the brim.

I don't really believe in resizing in the case of conntrack. The admin
knows how much memory is available in the machine and should rather load
the conntrack module with the most appropriate hash size value.
Resizing *is* expensive, and even more so when the machine is just under an
attack.

Best regards,
Jozsef
-
E-mail  : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
