Patch "netfilter: conntrack: adopt safer max chain length" has been added to the 6.2-stable tree

This is a note to let you know that I've just added the patch titled

    netfilter: conntrack: adopt safer max chain length

to the 6.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-conntrack-adopt-safer-max-chain-length.patch
and it can be found in the queue-6.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 786e9ae0a309262ce17a5c4da808e27dc58892e7
Author: Eric Dumazet <edumazet@xxxxxxxxxx>
Date:   Tue Mar 7 05:22:54 2023 +0000

    netfilter: conntrack: adopt safer max chain length
    
    [ Upstream commit c77737b736ceb50fdf150434347dbd81ec76dbb1 ]
    
    Customers using GKE 1.25 and 1.26 are facing conntrack issues
    root caused to commit c9c3b6811f74 ("netfilter: conntrack: make
    max chain length random").
    
    Even if we assume Uniform Hashing, a bucket often reaches 8 chained
    items while the load factor of the hash table is smaller than 0.5.
    
    With a limit of 16, we reach load factors of 3.
    With a limit of 32, we reach load factors of 11.
    With a limit of 40, we reach load factors of 15.
    With a limit of 50, we reach load factors of 24.
    
    This patch changes MIN_CHAINLEN to 50, to minimize risks.
    
    Ideally, we could in the future add a cushion based on expected
    load factor (2 * nf_conntrack_max / nf_conntrack_buckets),
    because some setups might expect unusual values.
    
    Fixes: c9c3b6811f74 ("netfilter: conntrack: make max chain length random")
    Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
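The load-factor argument in the commit message above, as an added example that is not part of the commit, the patch or the kernel: a small C simulation of uniform hashing into a conntrack-sized bucket array. It reports the load factor (items per bucket) at which the longest chain first reaches a given limit, so figures like the ones quoted (a chain of 8 well below load factor 0.5, 16 around 3, and so on) can be reproduced for a chosen table size; larger tables hit a given chain length at a lower load factor because there are more buckets in which an unlucky pile-up can occur. The bucket count (2^20), the splitmix64 generator and the function name `load_factor_at_chainlen` are assumptions of this example; the kernel's real hash function is not modelled.

```c
/* Added example (not from the kernel or the patch): a balls-into-bins
 * simulation of a conntrack-style hash table under uniform hashing.
 * It returns the load factor (items / buckets) at which some bucket's
 * chain first reaches a given length, the quantity the commit message
 * reasons about. Bucket count and the PRNG are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* splitmix64: a small deterministic PRNG standing in for the kernel's
 * per-table hash randomisation, chosen so runs are reproducible. */
static uint64_t splitmix64(uint64_t *state)
{
	uint64_t z = (*state += 0x9e3779b97f4a7c15ULL);

	z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
	z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
	return z ^ (z >> 31);
}

/*
 * Insert items uniformly at random into `buckets` chains and return the
 * load factor at which the longest chain first reaches `limit`.
 * Returns -1.0 if that never happens before `max_load` items per bucket
 * have been inserted. Under uniform hashing the chain length equals the
 * per-bucket item count, so only a counter per bucket is kept.
 */
double load_factor_at_chainlen(uint32_t buckets, unsigned limit,
			       double max_load, uint64_t seed)
{
	uint8_t *count = calloc(buckets, sizeof(*count));
	uint64_t state = seed, inserted = 0;
	uint64_t max_items = (uint64_t)(max_load * buckets);
	double result = -1.0;

	if (!count)
		return -1.0;

	while (inserted < max_items) {
		/* High 32 bits of the generator output pick the bucket. */
		uint32_t idx = (uint32_t)(splitmix64(&state) >> 32) % buckets;

		inserted++;
		if (count[idx] < 255)
			count[idx]++;
		if (count[idx] >= limit) {
			result = (double)inserted / buckets;
			break;
		}
	}
	free(count);
	return result;
}

int main(void)
{
	const uint32_t buckets = 1u << 20;	/* assumed table size */
	const unsigned limits[] = { 8, 16, 32, 50 };
	size_t i;

	for (i = 0; i < sizeof(limits) / sizeof(limits[0]); i++) {
		double lf = load_factor_at_chainlen(buckets, limits[i],
						    64.0, 42);

		printf("chain length %2u first reached at load factor %.2f\n",
		       limits[i], lf);
	}
	return 0;
}
```

Build with `cc -O2 sim.c -o sim` and run; the same seed gives the same sequence of inserts, so the load factor at which the limit 8 is hit is always strictly lower than for limit 16 on the same table. Because only counters are kept, a 2^20-bucket table costs 1 MiB and tens of millions of inserts finish in well under a second, which makes it cheap to try the bucket counts of a real deployment before choosing a chain-length limit.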

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index ead11a9c261f3..19e3afb23fdaf 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -96,8 +96,8 @@ static DEFINE_MUTEX(nf_conntrack_mutex);
 #define GC_SCAN_MAX_DURATION	msecs_to_jiffies(10)
 #define GC_SCAN_EXPIRED_MAX	(64000u / HZ)
 
-#define MIN_CHAINLEN	8u
-#define MAX_CHAINLEN	(32u - MIN_CHAINLEN)
+#define MIN_CHAINLEN	50u
+#define MAX_CHAINLEN	(80u - MIN_CHAINLEN)
 
 static struct conntrack_gc_work conntrack_gc_work;
 
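Review bot: the commit message justifies MIN_CHAINLEN going to 50 with the load-factor figures, but the hunk also raises the other constant from `(32u - MIN_CHAINLEN)` to `(80u - MIN_CHAINLEN)`, so the randomised per-table limit appears to now range over 50..80 instead of 8..32, and the message says nothing about why 80 was chosen or what the upper bound means for how late the chain-length limit can now trigger; a sentence on that trade-off would help stable reviewers. The "cushion based on expected load factor" mentioned in the message is explicitly deferred, so both values stay hardcoded here and any setup with an unusual nf_conntrack_max to nf_conntrack_buckets ratio still gets the fixed range.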


