Le 10/10/2016 à 16:04, Florian Westphal a écrit : > Nicolas Dichtel <nicolas.dich...@6wind.com> wrote: >> After commit b87a2f9199ea ("netfilter: conntrack: add gc worker to remove >> timed-out entries"), netlink conntrack deletion events may be sent with a >> huge delay. It could be interesting to let the user tweak gc parameters >> depending on its use case. > > Hmm, care to elaborate? > > I am not against doing this but I'd like to hear/read your use case. > > The expectation is that in almot all cases eviction will happen from > packet path. The gc worker is jusdt there for case where a busy system > goes idle. It was precisely that case. After a period of activity, the event is sent a long time after the timeout. If the router does not manage a lot of flows, why not trying to parse more entries instead of the default 1/64 of the table? In fact, I don't understand why using GC_MAX_BUCKETS_DIV instead of using always GC_MAX_BUCKETS whatever the size of the table is.
> >> +nf_conntrack_gc_max_evicts - INTEGER >> + The maximum number of entries to be evicted during a run of gc. >> + This sysctl is only writeable in the initial net namespace. > > Hmmm, do you have any advice on sizing this one? In fact, no ;-) I really hesitate to expose the four values or just a subset. My goal was also to get feedback. I can remove this one. > > I think a better change might be (instead of adding htis knob) to > resched the gc worker for immediate re-executaion in case the entire > "budget" was used. What do you think? Even if it's not directly related to my problem, I think it's a good idea. > > > diff --git a/net/netfilter/nf_conntrack_core.c > b/net/netfilter/nf_conntrack_core.c > --- a/net/netfilter/nf_conntrack_core.c > +++ b/net/netfilter/nf_conntrack_core.c > @@ -983,7 +983,7 @@ static void gc_worker(struct work_struct *work) > return; > > ratio = scanned ? expired_count * 100 / scanned : 0; > - if (ratio >= 90) > + if (ratio >= 90 || expired_count == GC_MAX_EVICTS) > next_run = 0; >