netfilter: conntrack: allow increasing bucket size via sysctl too
No need to restrict this to module parameter. We export a copy of the real hash size -- when user alters the value we allocate the new table, copy entries etc before we update the real size to the requested one. This is also needed because the real size is used by concurrent readers and cannot be changed without synchronizing the conntrack generation seqcnt. We only allow changing this value from the initial net namespace. Tested using http-client-benchmark vs. httpterm with concurrent while true;do echo $RANDOM > /proc/sys/net/netfilter/nf_conntrack_buckets done Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Florian Westphal
committed by
Pablo Neira Ayuso
Pablo Neira Ayuso
parent
8eee54be73
commit
3183ab8997
@@ -7,12 +7,13 @@ nf_conntrack_acct - BOOLEAN
|
||||
Enable connection tracking flow accounting. 64-bit byte and packet
|
||||
counters per flow are added.
|
||||
|
||||
nf_conntrack_buckets - INTEGER (read-only)
|
||||
nf_conntrack_buckets - INTEGER
|
||||
Size of hash table. If not specified as parameter during module
|
||||
loading, the default size is calculated by dividing total memory
|
||||
by 16384 to determine the number of buckets but the hash table will
|
||||
never have fewer than 32 and limited to 16384 buckets. For systems
|
||||
with more than 4GB of memory it will be 65536 buckets.
|
||||
This sysctl is only writeable in the initial net namespace.
|
||||
|
||||
nf_conntrack_checksum - BOOLEAN
|
||||
0 - disabled
|
||||
|
||||
Reference in New Issue
Block a user