Re: [PATCH net-next v2] netfilter: conntrack: expose gc_scan_interval_max via sysctl

Next message: Sean Christopherson: "[BUG REPORT] crypto: ccp: Interrupting INIT_EX firmware writeback crashes host"
Previous message: Florian Fainelli: "Re: [PATCH net-next 3/6] net: bcmgenet: add basic XDP support (PASS/DROP)"
In reply to: Pablo Neira Ayuso: "Re: [PATCH net-next v2] netfilter: conntrack: expose gc_scan_interval_max via sysctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Prasanna Panchamukhi

Date: Fri Mar 13 2026 - 18:55:58 EST

On Fri, Mar 13, 2026 at 2:15 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> On Fri, Mar 13, 2026 at 03:09:19AM +0100, Florian Westphal wrote:
> > Prasanna S Panchamukhi <panchamukhi@xxxxxxxxxx> wrote:
> > > The conntrack garbage collection worker uses an adaptive algorithm that
> > > adjusts the scan interval based on the average timeout of tracked
> > > entries. The upper bound of this interval is hardcoded as
> > > GC_SCAN_INTERVAL_MAX (60 seconds).
> >
> > I already said that I'm not keen on this approach.
> > Its a 'we can't do any better' type "solution".
> >
> > If anything I'd be more inclined to make a change that allows to
> > more easily override the next_run computation via bpf.
>
> It is regrettable that the request for this knob appears to be
> intended to enable a potentially proprietary hardware offload
> extension, implemented through a userspace daemon and a proprietary
> SDK.
>
> It's 2026, there is plenty of infrastructure to offload the connection
> tracking upstream, such as act_ct.c and the flowtable.

Thank you Pablo, for the suggestion. We will look into adopting the
hardware offload feature soon.

Thanks,
Prasanna