leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

netfilter: conntrack: adjust nf_conntrack_buckets default value

Browse Source 
Manually bumping either nf_conntrack_buckets or nf_conntrack_max has
become a common task as our Linux servers tend to serve more and more
clients/applications, so let's adjust nf_conntrack_buckets this to a
more updated value.

Now for systems with more than 4GB of memory, nf_conntrack_buckets
becomes 65536 instead of 16384, resulting in nf_conntrack_max=256k
entries.

Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Marcelo Leitner 2014-12-03 17:30:19 -02:00 committed by Pablo Neira Ayuso
parent f96fe22567
commit 88eab472ec
2 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Documentation/networking/nf_conntrack-sysctl.txt
View File

@ -11,7 +11,8 @@ nf_conntrack_buckets - INTEGER (read-only)
Size of hash table. If not specified as parameter during module Size of hash table. If not specified as parameter during module
loading, the default size is calculated by dividing total memory loading, the default size is calculated by dividing total memory
by 16384 to determine the number of buckets but the hash table will by 16384 to determine the number of buckets but the hash table will
never have fewer than 32 or more than 16384 buckets. never have fewer than 32 and limited to 16384 buckets. For systems
with more than 4GB of memory it will be 65536 buckets.
nf_conntrack_checksum - BOOLEAN nf_conntrack_checksum - BOOLEAN
0 - disabled 0 - disabled

11
net/netfilter/nf_conntrack_core.c
View File

@ -1624,13 +1624,18 @@ int nf_conntrack_init_start(void)
for (i = 0; i < CONNTRACK_LOCKS; i++) for (i = 0; i < CONNTRACK_LOCKS; i++)
spin_lock_init(&nf_conntrack_locks[i]); spin_lock_init(&nf_conntrack_locks[i]);
/* Idea from tcp.c: use 1/16384 of memory. On i386: 32MB
* machine has 512 buckets. >= 1GB machines have 16384 buckets. */
if (!nf_conntrack_htable_size) { if (!nf_conntrack_htable_size) {
/* Idea from tcp.c: use 1/16384 of memory.
* On i386: 32MB machine has 512 buckets.
* >= 1GB machines have 16384 buckets.
* >= 4GB machines have 65536 buckets.
*/
nf_conntrack_htable_size nf_conntrack_htable_size
= (((totalram_pages << PAGE_SHIFT) / 16384) = (((totalram_pages << PAGE_SHIFT) / 16384)
/ sizeof(struct hlist_head)); / sizeof(struct hlist_head));
if (totalram_pages > (1024 * 1024 * 1024 / PAGE_SIZE)) if (totalram_pages > (4 * (1024 * 1024 * 1024 / PAGE_SIZE)))
nf_conntrack_htable_size = 65536;
else if (totalram_pages > (1024 * 1024 * 1024 / PAGE_SIZE))
nf_conntrack_htable_size = 16384; nf_conntrack_htable_size = 16384;
if (nf_conntrack_htable_size < 32) if (nf_conntrack_htable_size < 32)
nf_conntrack_htable_size = 32; nf_conntrack_htable_size = 32;