lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20220331152149.GA5024@breakpoint.cc>
Date:   Thu, 31 Mar 2022 17:21:49 +0200
From:   Florian Westphal <fw@...len.de>
To:     Vincent Pelletier <plr.vincent@...il.com>
Cc:     Pablo Neira Ayuso <pablo@...filter.org>,
        netfilter-devel@...r.kernel.org, davem@...emloft.net,
        netdev@...r.kernel.org, kuba@...nel.org,
        Florian Westphal <fw@...len.de>
Subject: Re: [PATCH net 2/5] netfilter: conntrack: sanitize table size
 default settings

Vincent Pelletier <plr.vincent@...il.com> wrote:
> On Fri,  3 Sep 2021 18:30:17 +0200, Pablo Neira Ayuso <pablo@...filter.org> wrote:
> > From: Florian Westphal <fw@...len.de>
> > 
> > conntrack has two distinct table size settings:
> > nf_conntrack_max and nf_conntrack_buckets.
> > 
> > The former limits how many conntrack objects are allowed to exist
> > in each namespace.
> > 
> > The second sets the size of the hashtable.
> > 
> > As all entries are inserted twice (once for original direction, once for
> > reply), there should be at least twice as many buckets in the table than
> > the maximum number of conntrack objects that can exist at the same time.
> > 
> > Change the default multiplier to 1 and increase the chosen bucket sizes.
> > This results in the same nf_conntrack_max settings as before but reduces
> > the average bucket list length.
> [...]
> >  		nf_conntrack_htable_size
> >  			= (((nr_pages << PAGE_SHIFT) / 16384)
> >  			   / sizeof(struct hlist_head));
> > -		if (nr_pages > (4 * (1024 * 1024 * 1024 / PAGE_SIZE)))
> > -			nf_conntrack_htable_size = 65536;
> > +		if (BITS_PER_LONG >= 64 &&
> > +		    nr_pages > (4 * (1024 * 1024 * 1024 / PAGE_SIZE)))
> > +			nf_conntrack_htable_size = 262144;
> >  		else if (nr_pages > (1024 * 1024 * 1024 / PAGE_SIZE))
> > -			nf_conntrack_htable_size = 16384;
> [...]
> > +			nf_conntrack_htable_size = 65536;
> 
> With this formula, there seems to be a discontinuity between the
> proportional and fixed regimes:
> 64bits: 4GB/16k/8 = 32k, which gets bumped to 256k
> 32bits: 1GB/16k/4 = 16k, which gets bumped to 64k
> 
> Is this intentional ?

There is no science here.  This tries to pick a sane default setting,
thats all. Its not possible to pick one that works for everyone and everything.

32bit kernel can't access more than 1GB so I did not want to
increase that too much.

These are default settings, users should be free to pick any value they
like/need.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ