ip_conntrack_core and floods with different ports (again :)
Rusty Russell
rusty@linuxcare.com.au
Sun, 04 Jun 2000 01:06:25 +0930
In message <Pine.LNX.4.21.0006021654500.8960-100000@tux.rsn.hk-r.se> you write:
> with 8192, 16384 it works fine, with 32768 the connections to the outside
> world become a little sluggish but not much, with 65535 the connections
> became really sluggish.
This is almost certainly hash collisions in the connection tracking
code. At 128MB RAM, you have about 1023 hash buckets. At 65000
connections, the average search time for a new connection becomes 64
iterations. I've been tempted to make the hash size a module
parameter (at the moment it's based on only using 1/16000th of
memory).
Try changing `ip_conntrack_htable_size = ' in
net/ipv4/netfilter/ip_conntrack_core.c and see what values you like
(try 8192, for example).
Rusty.
--
Hacking time.
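The arithmetic above (65000 connections over roughly 1024 buckets gives a chain walk of about 64 nodes per new connection) can be checked with a small model. The program below is an added example and is not the kernel's ip_conntrack code or anything from this thread: it builds a chained hash table keyed on conntrack-style tuples (source and destination address, ports, protocol), fills it with 65000 constructed flows, and measures how many nodes a lookup walks for packets of already-tracked flows and for packets of brand-new flows, at the bucket counts the mail mentions plus 65536. The hash function (murmur3's 32-bit finaliser, chained over the tuple fields) and the generated traffic are this example's own assumptions, not what the 2.4 kernel used.

```c
/* Added example, not the kernel's ip_conntrack code: a chained hash table
 * with conntrack-style tuples, used to measure how far a lookup walks as the
 * flow count and bucket count change.  Hash and traffic are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct tuple { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
struct node  { struct tuple t; struct node *next; };
struct table { struct node **bucket; size_t size; };

/* murmur3's 32-bit finaliser: good avalanche, so `% size` sees every bit */
static uint32_t mix32(uint32_t h)
{
    h ^= h >> 16; h *= 0x85ebca6bu; h ^= h >> 13; h *= 0xc2b2ae35u;
    return h ^ (h >> 16);
}

static size_t hash_tuple(const struct tuple *t, size_t size)
{
    uint32_t h = mix32(t->src);
    h = mix32(h ^ t->dst);
    h = mix32(h ^ ((uint32_t)t->sport << 16 | t->dport));
    return mix32(h ^ t->proto) % size;
}

/* Walk one chain; *probes counts every node compared.  A packet of a flow
 * that is not tracked yet always walks the whole chain, so misses cost most. */
static struct node *table_find(const struct table *tb, const struct tuple *t,
                               size_t *probes)
{
    *probes = 0;
    for (struct node *n = tb->bucket[hash_tuple(t, tb->size)]; n; n = n->next) {
        (*probes)++;
        if (n->t.src == t->src && n->t.dst == t->dst && n->t.proto == t->proto &&
            n->t.sport == t->sport && n->t.dport == t->dport)
            return n;
    }
    return NULL;
}

/* Insert at the head of the chain; 0 = already tracked, 1 = added, -1 = OOM */
static int table_insert(struct table *tb, const struct tuple *t)
{
    size_t probes, h = hash_tuple(t, tb->size);
    if (table_find(tb, t, &probes)) return 0;
    struct node *n = malloc(sizeof *n);
    if (!n) return -1;
    n->t = *t; n->next = tb->bucket[h]; tb->bucket[h] = n;
    return 1;
}

static void table_free(struct table *tb)
{
    for (size_t i = 0; i < tb->size; i++)
        for (struct node *n = tb->bucket[i], *nx; n; n = nx) { nx = n->next; free(n); }
    free(tb->bucket);
}

/* Constructed traffic: 251 clients in 10.0.0.0/24 talking to one server.
 * (i % 251, i / 251) is unique for i < 251 * 64000, so each i gives a
 * distinct (src, sport) pair. */
static struct tuple make_tuple(size_t i, uint16_t dport)
{
    struct tuple t = { 0x0a000000u + (uint32_t)(i % 251), 0xc0a80101u,
                       (uint16_t)(1024 + (i / 251) % 64000), dport, 6 };
    return t;
}

/* Track `conns` flows in `buckets` buckets, then return the mean chain walk
 * over `conns` lookups: packets of the tracked flows (miss == 0) or packets
 * of new flows to port 8080 (miss != 0).  Negative on allocation failure. */
double avg_probes(size_t buckets, size_t conns, int miss)
{
    struct table tb = { calloc(buckets, sizeof *tb.bucket), buckets };
    if (!tb.bucket) return -1.0;
    for (size_t i = 0; i < conns; i++) {
        struct tuple t = make_tuple(i, 80);
        if (table_insert(&tb, &t) < 0) { table_free(&tb); return -1.0; }
    }
    size_t total = 0, probes;
    for (size_t i = 0; i < conns; i++) {
        struct tuple t = make_tuple(i, miss ? 8080 : 80);
        table_find(&tb, &t, &probes);
        total += probes;
    }
    table_free(&tb);
    return conns ? (double)total / (double)conns : 0.0;
}

int main(void)
{
    const size_t sizes[] = { 1024, 8192, 65536 };
    for (size_t k = 0; k < sizeof sizes / sizeof sizes[0]; k++)
        printf("%5zu buckets, 65000 flows: new flow walks %5.1f nodes, tracked flow %5.1f\n",
               sizes[k], avg_probes(sizes[k], 65000, 1), avg_probes(sizes[k], 65000, 0));
    return 0;
}
```

With a uniform hash the new-flow cost is simply flows divided by buckets (about 63 at 1024 buckets, about 8 at 8192), and the tracked-flow cost is about half that plus one, which is why the mail suggests trying 8192: the same 65000 connections then cost an eighth of the chain walk per packet. The model also shows the security-relevant side of this: whoever can open many connections through the box (the port-varying flood in the subject line) chooses the load factor, and a fixed bucket count turns that into a per-packet CPU cost for everyone else.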