Re: [PATCH net-next v2] netfilter: conntrack: expose gc_scan_interval_max via sysctl

Next message: Wei Fang: "RE: [PATCH v4 net 0/2] net: enetc: safely reinitialize TX BD ring when it has unsent frames"
Previous message: Christian K&#xF6;nig: "Re: [RFC v2 PATCH 06/10] vfio/pci: Remove vfio_pci_zap_bars()"
In reply to: Florian Westphal: "Re: [PATCH net-next v2] netfilter: conntrack: expose gc_scan_interval_max via sysctl"
Next in thread: Prasanna Panchamukhi: "Re: [PATCH net-next v2] netfilter: conntrack: expose gc_scan_interval_max via sysctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pablo Neira Ayuso

Date: Fri Mar 13 2026 - 05:15:51 EST

On Fri, Mar 13, 2026 at 03:09:19AM +0100, Florian Westphal wrote:
> Prasanna S Panchamukhi <panchamukhi@xxxxxxxxxx> wrote:
> > The conntrack garbage collection worker uses an adaptive algorithm that
> > adjusts the scan interval based on the average timeout of tracked
> > entries. The upper bound of this interval is hardcoded as
> > GC_SCAN_INTERVAL_MAX (60 seconds).
>
> I already said that I'm not keen on this approach.
> Its a 'we can't do any better' type "solution".
>
> If anything I'd be more inclined to make a change that allows to
> more easily override the next_run computation via bpf.

It is regrettable that the request for this knob appears to be
intended to enable a potentially proprietary hardware offload
extension, implemented through a userspace daemon and a proprietary
SDK.

It's 2026, there is plenty of infrastructure to offload the connection
tracking upstream, such as act_ct.c and the flowtable.