On Wed, Feb 16, 2022 at 04:43:05PM +0100, Florian Westphal wrote:
> as of commit 4608fdfc07e1
> ("netfilter: conntrack: collect all entries in one cycle")
> conntrack gc was changed to run every 2 minutes.
>
> On systems where conntrack hash table is set to a large value, most evictions
> happen from gc worker rather than the packet path due to hash table
> distribution.
>
> This causes netlink event overflows when events are collected.
>
> This change collects average expiry of scanned entries and
> reschedules to the average remaining value, within 1 to 60 second interval.
>
> To avoid event overflows, reschedule after each bucket and add a
> limit for both run time and number of evictions per run.
>
> If more entries have to be evicted, reschedule and restart 1 jiffy
> into the future.

Applied, thanks.
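A small model of the rescheduling policy in the quoted description, added here as an illustration and not code from the kernel patch: it scans buckets, evicts expired entries, stops early once the per-run eviction cap is hit (rescheduling one jiffy ahead), and otherwise reschedules to the average remaining lifetime clamped to 1..60 seconds. The entry and bucket structures, the 1 ms jiffy and the cap values are assumptions; the run-time limit is not modelled.

```python
# Model of the conntrack gc rescheduling policy from the quoted commit message.
# Constructed illustration; none of these names are kernel identifiers.
from dataclasses import dataclass
from typing import List, Tuple

GC_MIN_INTERVAL = 1.0    # seconds, lower clamp stated in the message
GC_MAX_INTERVAL = 60.0   # seconds, upper clamp stated in the message
JIFFY = 0.001            # assumed 1 ms tick for "restart 1 jiffy into the future"


@dataclass
class Entry:
    key: str
    expires_at: float    # absolute time, in seconds


def gc_pass(table: List[List[Entry]], now: float,
            max_evictions: int) -> Tuple[List[str], float]:
    """Scan all buckets once; return (evicted keys, delay until next run).

    Expired entries are removed in place. After each bucket the eviction
    count is checked; if the cap is reached the scan stops and the worker
    is rescheduled one jiffy ahead so the remaining buckets are handled
    soon without flooding the event path. Otherwise the next delay is the
    average remaining lifetime of the live entries seen, clamped to
    [GC_MIN_INTERVAL, GC_MAX_INTERVAL].
    """
    evicted: List[str] = []
    remaining_sum = 0.0
    remaining_cnt = 0
    for bucket in table:
        live = []
        for e in bucket:
            if e.expires_at <= now:
                evicted.append(e.key)
            else:
                live.append(e)
                remaining_sum += e.expires_at - now
                remaining_cnt += 1
        bucket[:] = live
        if len(evicted) >= max_evictions:
            return evicted, JIFFY          # more work left: come back right away
    if remaining_cnt == 0:
        return evicted, GC_MAX_INTERVAL    # nothing live to base an estimate on
    avg_remaining = remaining_sum / remaining_cnt
    return evicted, min(GC_MAX_INTERVAL, max(GC_MIN_INTERVAL, avg_remaining))
```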