Re: [PATCH net-next] netfilter: conntrack: expose gc_scan_interval_max via sysctl

Next message: Pranjal Shrivastava: "Re: [PATCH 02/14] iommu: Implement IOMMU core liveupdate skeleton"
Previous message: Viacheslav Dubeyko: "Re: [PATCH v4] hfs: Validate CNIDs in hfs_read_inode"
In reply to: Pablo Neira Ayuso: "Re: [PATCH net-next] netfilter: conntrack: expose gc_scan_interval_max via sysctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Florian Westphal

Date: Thu Mar 12 2026 - 19:10:33 EST

Prasanna Panchamukhi <panchamukhi@xxxxxxxxxx> wrote:
> Our primary goal is to cap the maximum time taken by the GC to clean
> up expired entries. We rely on user-space notifications to clean up
> these entries from the hardware, so ensuring a predictable upper bound
> is important for our use case.

Sure, but why can't we try to give a better default behavior?

while true; conntrack -L >/dev/null;done

basically does what you want already (but in a dumb way).

> Regarding the adaptive strategy, we are using this sysctl to address
> environments where the current average-based calculation delays the
> cleanup of short-lived entries.

Yes, and I did propose to adapt the existing strategy to provide more
timely notifications.