From patchwork Wed Mar 25 12:45:26 2026
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 4852
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Wed, 25 Mar 2026 13:45:26 +0100
Message-ID: <20260325124526.124049-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v7] Increase default size of internal hash maps to 4 * --max-clients

From: Arne Schwabe

The default of 256 seems quite low as with (at least) 1024 possible
entries (the --max-clients default setting) we have guaranteed
collisions.

Using 4 times the number of possible entries for real addresses should
reduce collisions quite a bit while also leaving some headroom for the
virtual addresses hash where a client might have more than one address.

A reason to keep the limit so low is the memory requirements. Each
bucket has the size of one linked-list pointer (4 byte for 32 bit and
8 byte for 64 bit). So 256 buckets use 1 or 2 kB while 4096 will use
16 kB or 32 kB. When the current limit was set 20 years ago this might
have been a meaningful memory saving but today the collision
probability is more important.

Change-Id: Ia699b0dfa407ac377970bb130434298eaaec592b
Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1563
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1563
This mail reflects revision 7 of this Change.

Acked-by according to Gerrit (reflected above):
Antonio Quartulli

diff --git a/doc/man-sections/advanced-options.rst b/doc/man-sections/advanced-options.rst index e1115e4..73ca44a 100644 --- a/doc/man-sections/advanced-options.rst +++ b/doc/man-sections/advanced-options.rst @@ -36,7 +36,8 @@ hash-size r v - By default, both tables are sized at 256 buckets. + By default, both tables are sized at 4 times ``--max-clients`` buckets. + With the default of 1024 of ``--max-clients`` this gives 4096 buckets. --bcast-buffers n Allocate ``n`` buffers for broadcast datagrams (default :code:`256`). diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 03ce651..eb8e273 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -414,7 +414,7 @@ iroute-ipv6 ipv6addr/bits --max-clients n - Limit server to a maximum of ``n`` concurrent clients. + Limit server to a maximum of ``n`` concurrent clients. Defaults to 1024. --max-routes-per-client n Allow a maximum of ``n`` internal routes per client (default diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 1db781d..24f2407 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -849,8 +849,6 @@ #endif o->vlan_accept = VLAN_ALL; o->vlan_pvid = 1; - o->real_hash_size = 256; - o->virtual_hash_size = 256; o->n_bcast_buf = 256; o->tcp_queue_limit = 64; o->max_clients = 1024; @@ -3724,6 +3722,22 @@ gc_free(&gc); } #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */ +/** + * Sets the internal hash maps sizes according to the max_clients + * + */ +static void +helper_hashmap_sizes(struct options *o) +{ + if (!o->real_hash_size) + { + o->real_hash_size = 4 * o->max_clients; + } + if (!o->virtual_hash_size) + { + o->virtual_hash_size = 4 * o->max_clients; + } +} static void options_postprocess_mutate(struct options *o, struct env_set *es) @@ -3739,6 +3753,11 @@ helper_keepalive(o); helper_tcp_nodelay(o); + if (o->mode == MODE_SERVER) + { + helper_hashmap_sizes(o); + } + options_postprocess_setdefault_ncpciphers(o); options_set_backwards_compatible_options(o); options_process_mutate_prf(o);
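
Review bot: In the doc/man-sections/advanced-options.rst hunk (--hash-size), the added sentence "With the default of 1024 of ``--max-clients``" reads awkwardly, and the text does not tell the operator that the bucket count now follows --max-clients, so raising that option also raises the memory the commit message accounts for (one pointer per bucket). Suggest "With the default ``--max-clients`` of 1024 this gives 4096 buckets." plus one sentence stating that an explicit --hash-size value still takes precedence, which is what the `if (!o->real_hash_size)` test in options.c implements, and that the derived default is applied in server mode only.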
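
Review bot: In the doc/man-sections/server-options.rst hunk (--max-clients), "Defaults to 1024." does not follow the form the neighbouring entries use for defaults, for example "(default :code:`256`)" on the --bcast-buffers context line and the "(default" that opens on the --max-routes-per-client context line. Suggest "Limit server to a maximum of ``n`` concurrent clients (default :code:`1024`)." Since --hash-size is now derived from this option, a short cross-reference to --hash-size here would also help anyone sizing a large server.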
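
Review bot: In the src/openvpn/options.c hunk that adds helper_hashmap_sizes(), both assignments compute 4 * o->max_clients with no upper bound and no overflow check. The hunk does not show the field types, but if they are plain ints a large --max-clients makes the product wrap, and even without wrapping the bucket array grows linearly with an operator-supplied number. Suggest clamping the result to a documented maximum, or checking o->max_clients against a limit before multiplying, and logging the value that was chosen. The doc comment also ends in an empty " *" line and does not say that a size of zero is treated as "not set by the user"; one line stating that would make the sentinel explicit.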
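
Review bot: In the last src/openvpn/options.c hunk (options_postprocess_mutate), helper_hashmap_sizes() runs only when o->mode == MODE_SERVER, and the earlier hunk removes the two "= 256" initialisers, so real_hash_size and virtual_hash_size now stay 0 in every other mode. Please confirm that no code outside server mode reads either field, or a hash table could be created with zero buckets where it previously had 256. Because 0 now also means "unset", it is worth checking that the --hash-size parser rejects an explicit 0 rather than having it silently replaced by 4 * max_clients. The call also has to stay after every place that can still change o->max_clients during post-processing; a comment at the call site saying so would protect that ordering.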