Re: [PATCH net-next] netfilter: conntrack: expose gc_scan_interval_max via sysctl

Next message: Jiri Olsa: "[PATCHv2 bpf-next] ftrace: Use hash argument for tmp_ops in update_ftrace_direct_mod"
Previous message: Arnd Bergmann: "[PATCH 3/3] KVM: arm64: tracing: add ftrace dependency"
In reply to: Prasanna Panchamukhi: "Re: [PATCH net-next] netfilter: conntrack: expose gc_scan_interval_max via sysctl"
Next in thread: Prasanna Panchamukhi: "Re: [PATCH net-next] netfilter: conntrack: expose gc_scan_interval_max via sysctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Florian Westphal

Date: Thu Mar 12 2026 - 08:39:14 EST

Prasanna S Panchamukhi <panchamukhi@xxxxxxxxxx> wrote:
> The conntrack garbage collection worker uses an adaptive algorithm that
> adjusts the scan interval based on the average timeout of tracked
> entries. The upper bound of this interval is hardcoded as
> GC_SCAN_INTERVAL_MAX (60 seconds).
>
> Expose the upper bound as a new sysctl,
> net.netfilter.nf_conntrack_gc_scan_interval_max, so it can be tuned at
> runtime without rebuilding the kernel. The default remains 60 seconds
> to preserve existing behavior. The sysctl is global and read-only in
> non-init network namespaces, consistent with nf_conntrack_max and
> nf_conntrack_buckets.

This was proposed before, see:

https://lore.kernel.org/netfilter-devel/aO-id5W6Tr7frdHN@xxxxxxxxx/
https://lore.kernel.org/netfilter-devel/aRsuU57juCvsMBKE@xxxxxxxxx/

I did not hear back wrt. the horizon cache.

I'm not 100% opposed to this, but I do wonder if we really can't do
better than the current avg strategy.