| Message ID | 20210308153254.15678-1-pablo@netfilter.org |
|---|---|
| State | Accepted |
| Delegated to | Pablo Neira |
| Series | [conntrack-tools] conntrackd: set default hashtable buckets and max entries if not specified |
On 3/8/21 4:32 PM, Pablo Neira Ayuso wrote:
> Fall back to 65536 buckets and 262144 entries.
>
> It would be probably good to add code to autoadjust by reading
> /proc/sys/net/netfilter/nf_conntrack_buckets and
> /proc/sys/net/nf_conntrack_max.
>
> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> src/read_config_yy.y | 6 ++++++
> 1 file changed, 6 insertions(+)
>

Thanks for the patch!

Would it make sense to have all this logic in evaluate() in src/run.c?
On Tue, Mar 09, 2021 at 10:51:20AM +0100, Arturo Borrero Gonzalez wrote:
> On 3/8/21 4:32 PM, Pablo Neira Ayuso wrote:
> > Fall back to 65536 buckets and 262144 entries.
> >
> > It would be probably good to add code to autoadjust by reading
> > /proc/sys/net/netfilter/nf_conntrack_buckets and
> > /proc/sys/net/nf_conntrack_max.
> >
> > Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > ---
> > src/read_config_yy.y | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
>
> Thanks for the patch!
>
> Would it make sense to have all this logic in evaluate() in src/run.c?

I think so. A patch to move it there would be fine.

I suspect there might be more missing sanity checks in the configuration file parser (options that are not set to a default value, like hashsize and hashlimit).
diff --git a/src/read_config_yy.y b/src/read_config_yy.y index 31109c4de042..b215a729b716 100644 --- a/src/read_config_yy.y +++ b/src/read_config_yy.y @@ -1780,5 +1780,11 @@ init_config(char *filename) NF_NETLINK_CONNTRACK_DESTROY; } + /* default hashtable buckets and maximum number of entries */ + if (!CONFIG(hashsize)) + CONFIG(hashsize) = 65536; + if (!CONFIG(limit)) + CONFIG(limit) = 262144; + return 0; }
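Review bot: the `if (!CONFIG(hashsize))` and `if (!CONFIG(limit))` tests at the end of init_config() treat an explicit zero in the configuration file exactly like an absent option, and the two fallbacks are applied independently, so a file that sets only one of them ends up with a user value paired with a hard-coded number and nothing checks that the pair is consistent (for example a user-set limit smaller than the default 65536 buckets). Since the commit message already notes that reading /proc/sys/net/netfilter/nf_conntrack_buckets and /proc/sys/net/nf_conntrack_max would be better, and the reply asks for this to live in evaluate() in src/run.c with the other post-parse checks, consider moving the block there, deriving the defaults from those two files when they are readable, and keeping `65536` / `262144` only as the last resort when they are not.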
Fall back to 65536 buckets and 262144 entries.

It would be probably good to add code to autoadjust by reading
/proc/sys/net/netfilter/nf_conntrack_buckets and
/proc/sys/net/nf_conntrack_max.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1491
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/read_config_yy.y | 6 ++++++
 1 file changed, 6 insertions(+)
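The commit message suggests deriving the defaults from the kernel's own sysctl values instead of hard-coding them. The following is an added example of that autoadjust step, written for this page and not code from conntrack-tools: it keeps the patch's 65536/262144 fallbacks, but first tries the two /proc files named in the commit message, and it refuses malformed or zero values so that a bad read can never produce a zero-sized table. The function names (`parse_uint_or`, `sysctl_uint_or`, `resolve_defaults`) and the `struct ct_defaults` type are assumptions of this example, standing in for the `CONFIG(hashsize)` / `CONFIG(limit)` slots in the real parser; `demo_constructed_sysctl` writes a constructed sysctl-style file so the read path can be exercised on a host without nf_conntrack loaded.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Same last-resort fallbacks the patch hard-codes in init_config(). */
#define DEFAULT_HASHSIZE 65536U
#define DEFAULT_LIMIT    262144U

/* Kernel sysctl files named in the commit message; present only when
 * nf_conntrack is loaded, hence the fallbacks above. */
#define SYSCTL_BUCKETS "/proc/sys/net/netfilter/nf_conntrack_buckets"
#define SYSCTL_MAX     "/proc/sys/net/nf_conntrack_max"

/* Hypothetical stand-in for CONFIG(hashsize) / CONFIG(limit). */
struct ct_defaults {
	unsigned int hashsize;
	unsigned int limit;
};

/* Parse one unsigned decimal as sysctl prints it ("65536\n"). Empty,
 * negative, non-numeric, zero, overflowing or multi-token input yields
 * the fallback rather than a garbage table size. */
unsigned int parse_uint_or(const char *text, unsigned int fallback)
{
	char *end;
	unsigned long val;

	if (text == NULL)
		return fallback;
	while (*text == ' ' || *text == '\t')
		text++;
	if (*text == '\0' || *text == '-')
		return fallback;
	errno = 0;
	val = strtoul(text, &end, 10);
	if (errno != 0 || end == text || val == 0 || val > UINT_MAX)
		return fallback;
	while (*end == ' ' || *end == '\n' || *end == '\t')
		end++;			/* only trailing whitespace may follow */
	if (*end != '\0')
		return fallback;
	return (unsigned int)val;
}

/* Read a sysctl file; any I/O failure degrades to the fallback. */
unsigned int sysctl_uint_or(const char *path, unsigned int fallback)
{
	char buf[64];
	FILE *f = fopen(path, "r");

	if (f == NULL)
		return fallback;
	if (fgets(buf, sizeof(buf), f) == NULL) {
		fclose(f);
		return fallback;
	}
	fclose(f);
	return parse_uint_or(buf, fallback);
}

/* Equivalent of the patch's "if (!CONFIG(x)) CONFIG(x) = N;", except the
 * kernel's live values win over the compiled-in numbers when readable. */
struct ct_defaults resolve_defaults(unsigned int hashsize, unsigned int limit,
				    const char *buckets_path, const char *max_path)
{
	struct ct_defaults d = { hashsize, limit };

	if (!d.hashsize)
		d.hashsize = sysctl_uint_or(buckets_path, DEFAULT_HASHSIZE);
	if (!d.limit)
		d.limit = sysctl_uint_or(max_path, DEFAULT_LIMIT);
	return d;
}

/* Offline check: write a constructed sysctl-style file ("131072\n") and
 * read it back through the same code path used for the real /proc files. */
unsigned int demo_constructed_sysctl(void)
{
	char path[] = "/tmp/ct_sysctl_XXXXXX";
	int fd = mkstemp(path);
	unsigned int v;

	if (fd < 0)
		return 0;
	if (write(fd, "131072\n", 7) != 7) {
		close(fd);
		unlink(path);
		return 0;
	}
	close(fd);
	v = sysctl_uint_or(path, DEFAULT_HASHSIZE);
	unlink(path);
	return v;
}

int main(void)
{
	struct ct_defaults d = resolve_defaults(0, 0, SYSCTL_BUCKETS, SYSCTL_MAX);

	printf("hashsize=%u limit=%u\n", d.hashsize, d.limit);
	return 0;
}
```

Run on a host with nf_conntrack loaded, `main` prints the kernel's bucket count and entry limit; on a host without it, or with an unreadable /proc, it prints exactly the patch's 65536/262144. Note that a zero read from the kernel is deliberately rejected like an unset option, matching the `!CONFIG(...)` convention of the hunk.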