netfilter: conntrack: adopt safer max chain length

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2189550
Upstream Status: commit c77737b

commit c77737b
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Mar 7 05:22:54 2023 +0000

    netfilter: conntrack: adopt safer max chain length

    Customers using GKE 1.25 and 1.26 are facing conntrack issues
    root caused to commit c9c3b68 ("netfilter: conntrack: make
    max chain length random").

    Even if we assume Uniform Hashing, a bucket often reachs 8 chained
    items while the load factor of the hash table is smaller than 0.5

    With a limit of 16, we reach load factors of 3.
    With a limit of 32, we reach load factors of 11.
    With a limit of 40, we reach load factors of 15.
    With a limit of 50, we reach load factors of 24.

    This patch changes MIN_CHAINLEN to 50, to minimize risks.

    Ideally, we could in the future add a cushion based on expected
    load factor (2 * nf_conntrack_max / nf_conntrack_buckets),
    because some setups might expect unusual values.

    Fixes: c9c3b68 ("netfilter: conntrack: make max chain length random")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Florian Westphal <fwestpha@redhat.com>

Author: fw-strlen

net/netfilter/nf_conntrack_core.c

@@ -96,8 +96,8 @@ static DEFINE_MUTEX(nf_conntrack_mutex);
 #define GC_SCAN_MAX_DURATION	msecs_to_jiffies(10)
 #define GC_SCAN_EXPIRED_MAX	(64000u / HZ)
 
-#define MIN_CHAINLEN	8u
-#define MAX_CHAINLEN	(32u - MIN_CHAINLEN)
+#define MIN_CHAINLEN	50u
+#define MAX_CHAINLEN	(80u - MIN_CHAINLEN)
 
 static struct conntrack_gc_work conntrack_gc_work;