[SRU,v3,J,K,L] netfilter: conntrack: adopt safer max chain length

From: Eric Dumazet <edumazet@google.com>

BugLink: https://bugs.launchpad.net/bugs/2011616

Customers using GKE 1.25 and 1.26 are facing conntrack issues
root caused to commit c9c3b6811f74 ("netfilter: conntrack: make
max chain length random").

Even if we assume Uniform Hashing, a bucket often reachs 8 chained
items while the load factor of the hash table is smaller than 0.5

With a limit of 16, we reach load factors of 3.
With a limit of 32, we reach load factors of 11.
With a limit of 40, we reach load factors of 15.
With a limit of 50, we reach load factors of 24.

This patch changes MIN_CHAINLEN to 50, to minimize risks.

Ideally, we could in the future add a cushion based on expected
load factor (2 * nf_conntrack_max / nf_conntrack_buckets),
because some setups might expect unusual values.

Fixes: c9c3b6811f74 ("netfilter: conntrack: make max chain length random")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit c77737b736ceb50fdf150434347dbd81ec76dbb1)
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
---
 net/netfilter/nf_conntrack_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

On 3/16/23 11:09 PM, Khalid Elmously wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/2011616
> 
> Customers using GKE 1.25 and 1.26 are facing conntrack issues
> root caused to commit c9c3b6811f74 ("netfilter: conntrack: make
> max chain length random").
> 
> Even if we assume Uniform Hashing, a bucket often reachs 8 chained
> items while the load factor of the hash table is smaller than 0.5
> 
> With a limit of 16, we reach load factors of 3.
> With a limit of 32, we reach load factors of 11.
> With a limit of 40, we reach load factors of 15.
> With a limit of 50, we reach load factors of 24.
> 
> This patch changes MIN_CHAINLEN to 50, to minimize risks.
> 
> Ideally, we could in the future add a cushion based on expected
> load factor (2 * nf_conntrack_max / nf_conntrack_buckets),
> because some setups might expect unusual values.
> 
> Fixes: c9c3b6811f74 ("netfilter: conntrack: make max chain length random")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry picked from commit c77737b736ceb50fdf150434347dbd81ec76dbb1)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> ---
>   net/netfilter/nf_conntrack_core.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> index ead11a9c261f..19e3afb23fda 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -96,8 +96,8 @@ static DEFINE_MUTEX(nf_conntrack_mutex);
>   #define GC_SCAN_MAX_DURATION	msecs_to_jiffies(10)
>   #define GC_SCAN_EXPIRED_MAX	(64000u / HZ)
>   
> -#define MIN_CHAINLEN	8u
> -#define MAX_CHAINLEN	(32u - MIN_CHAINLEN)
> +#define MIN_CHAINLEN	50u
> +#define MAX_CHAINLEN	(80u - MIN_CHAINLEN)
>   
>   static struct conntrack_gc_work conntrack_gc_work;
>   
Acked-by: Tim Gardner <tim.gardner@canonical.com>

On Fri, 2023-03-17 at 01:09 -0400, Khalid Elmously wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/2011616
> 
> Customers using GKE 1.25 and 1.26 are facing conntrack issues
> root caused to commit c9c3b6811f74 ("netfilter: conntrack: make
> max chain length random").
> 
> Even if we assume Uniform Hashing, a bucket often reachs 8 chained
> items while the load factor of the hash table is smaller than 0.5
> 
> With a limit of 16, we reach load factors of 3.
> With a limit of 32, we reach load factors of 11.
> With a limit of 40, we reach load factors of 15.
> With a limit of 50, we reach load factors of 24.
> 
> This patch changes MIN_CHAINLEN to 50, to minimize risks.
> 
> Ideally, we could in the future add a cushion based on expected
> load factor (2 * nf_conntrack_max / nf_conntrack_buckets),
> because some setups might expect unusual values.
> 
> Fixes: c9c3b6811f74 ("netfilter: conntrack: make max chain length random")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry picked from commit c77737b736ceb50fdf150434347dbd81ec76dbb1)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

Acked-by: Cengiz Can <cengiz.can@canonical.com>

> ---
>  net/netfilter/nf_conntrack_core.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> index ead11a9c261f..19e3afb23fda 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -96,8 +96,8 @@ static DEFINE_MUTEX(nf_conntrack_mutex);
>  #define GC_SCAN_MAX_DURATION	msecs_to_jiffies(10)
>  #define GC_SCAN_EXPIRED_MAX	(64000u / HZ)
>  
> -#define MIN_CHAINLEN	8u
> -#define MAX_CHAINLEN	(32u - MIN_CHAINLEN)
> +#define MIN_CHAINLEN	50u
> +#define MAX_CHAINLEN	(80u - MIN_CHAINLEN)
>  
>  static struct conntrack_gc_work conntrack_gc_work;
>  
> -- 
> 2.34.1
> 
>

On 17.03.23 06:09, Khalid Elmously wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/2011616
> 
> Customers using GKE 1.25 and 1.26 are facing conntrack issues
> root caused to commit c9c3b6811f74 ("netfilter: conntrack: make
> max chain length random").
> 
> Even if we assume Uniform Hashing, a bucket often reachs 8 chained
> items while the load factor of the hash table is smaller than 0.5
> 
> With a limit of 16, we reach load factors of 3.
> With a limit of 32, we reach load factors of 11.
> With a limit of 40, we reach load factors of 15.
> With a limit of 50, we reach load factors of 24.
> 
> This patch changes MIN_CHAINLEN to 50, to minimize risks.
> 
> Ideally, we could in the future add a cushion based on expected
> load factor (2 * nf_conntrack_max / nf_conntrack_buckets),
> because some setups might expect unusual values.
> 
> Fixes: c9c3b6811f74 ("netfilter: conntrack: make max chain length random")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry picked from commit c77737b736ceb50fdf150434347dbd81ec76dbb1)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> ---

Applied to kinetic,jammy:linux/master-next. Thanks.

-Stefan

>   net/netfilter/nf_conntrack_core.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> index ead11a9c261f..19e3afb23fda 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -96,8 +96,8 @@ static DEFINE_MUTEX(nf_conntrack_mutex);
>   #define GC_SCAN_MAX_DURATION	msecs_to_jiffies(10)
>   #define GC_SCAN_EXPIRED_MAX	(64000u / HZ)
>   
> -#define MIN_CHAINLEN	8u
> -#define MAX_CHAINLEN	(32u - MIN_CHAINLEN)
> +#define MIN_CHAINLEN	50u
> +#define MAX_CHAINLEN	(80u - MIN_CHAINLEN)
>   
>   static struct conntrack_gc_work conntrack_gc_work;
>

On Fri, Mar 17, 2023 at 01:09:19AM -0400, Khalid Elmously wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/2011616

Already applied as part of upstream stable v6.2.7.