git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 25 Mar 2026 13:11:01 +0000 (14:11 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 26 Mar 2026 12:18:31 +0000 (13:18 +0100)
commit	fafdd92b9e30fe057740c5bb5cd4f92ecea9bf26
tree	4ff969e0572149d842885022768dd6efe726410d	tree \| snapshot
parent	9d3f027327c2fa265f7f85ead41294792c3296ed	commit \| diff

netfilter: nft_set_rbtree: revisit array resize logic

Chris Arges reports high memory consumption with thousands of
containers, this patch revisits the array allocation logic.

For anonymous sets, start by 16 slots (which takes 256 bytes on x86_64).
Expand it by x2 until threshold of 512 slots is reached, over that
threshold, expand it by x1.5.

For non-anonymous set, start by 1024 slots in the array (which takes 16
Kbytes initially on x86_64). Expand it by x1.5.

Use set->ndeact to subtract deactivated elements when calculating the
number of the slots in the array, otherwise the array size array gets
increased artifically. Add special case shrink logic to deal with flush
set too.

The shrink logic is skipped by anonymous sets.

Use check_add_overflow() to calculate the new array size.

Add a WARN_ON_ONCE check to make sure elements fit into the new array
size.

Reported-by: Chris Arges <carges@cloudflare.com>
Fixes: 7e43e0a1141d ("netfilter: nft_set_rbtree: translate rbtree to array for binary search")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>