On Sat, Jan 17, 2015 at 09:51:46AM +0000, Patrick McHardy wrote: > > I agree, however at least in the case of nftables you can easily do the same thing by adding millions of rules. I think that's a problem in itself. If a single packet can kill the CPU through millions of rules, then namespaces would be a joke. There has to be a limit to the number of rules or the processing has to be deferred into thread context (thus subject to scheduler control) at some point. > It doesn't make things worse. So I don't think that's a valid justification for ignoring this hash table problem. Cheers, -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html