Re: [RFC] Per-conntrack timeout target

Phil Oester wrote:
> On Sat, Nov 17, 2007 at 08:48:12PM +0100, Patrick McHardy wrote:
>> The only downside I see is that it adds another 4 bytes to the conntrack
>> structure and distributions are probably going to enable it, like
>> everything else.
>
> Yep, that's a problem.
>
>> It would be nice if we could put this in a ct_extend
>> structure, but that would mean you're only able to set it for new
>> connections. What do you think about this?
>
> Complicates my life, but is the Right Thing.  I'll work on this.
> Should we be considering the same for mark/secmark?


That would be incompatible with today's behaviour, so I think no.
We could of course consider making ct_extend work for confirmed
conntracks, for that's a lot more complicated without adding
extra locking everywhere :) What would work though is to specify
which connections will have manually managed timeouts while they're
unconfirmed (either through a target or by registering a prealloc
type, so we allocate accordingly), and only allow to change the
settings of confirmed connections.