On Tue, 9 Apr 2019 at 06:11, Florian Westphal <fw@xxxxxxxxx> wrote:

Hi Florian,

> Taehee Yoo <ap420073@xxxxxxxxx> wrote:
> > In order to avoid wasteful memory allocation, the conntrack bucket size
> > should be lower than the conntrack_max size.
> > When conntrack_max is changed, conntrack_buckets will be changed to be
> > under the conntrack_max value.
> > But conntrack_buckets can be over conntrack_max only when
> > conntrack_max is lower than the minimum of conntrack_buckets.
> >
> > TEST
> > sysctl net.netfilter.nf_conntrack_max=100000 -w
> > sysctl net.netfilter.nf_conntrack_buckets=200000 -w
> > The second command will fail because of this patch.
>
> Are you sure this is correct?
>
> IIRC nf_conntrack_buckets is a global value, whereas nf_conntrack_max
> is per netns.
>
> So, with 100 netns nf_conntrack_buckets should be set to a much larger
> value.
>
> Also, we hash and insert each conntrack entry twice, once for original
> and once for the reverse direction.
>
> So, setting buckets to twice the max count is fine even for the 'init
> netns only' case.

Thank you for the review!
I checked conntrack_max and conntrack_buckets.
Your review is right.
conntrack_max is a global variable but the session count is per netns.
So, in a netns condition, a large bucket would be needed.
So, this patch is not correct.

Thank you!