On Thu, Aug 21, 2008 at 07:06:37PM -0400, Jan Engelhardt wrote:
> On Thursday 2008-08-21 18:04, adobriyan@xxxxxxxxx wrote:
>
> >Make untracked conntrack per-netns.
>
> Why? It does not store any useful information per se, it is
> merely used to add a third type of ct, iow:
>
> (a) ct==NULL
> (b) ct!=NULL
> (c) ct==&untracked
>
> mmap(2)'s return value for example has something similar:
>
> (a) mmap(...)==NULL
> (b) mmap(...)==MMAP_FAILED
> (c) otherwise
>
> The untracked ct is a singleton, and should stay one, unless
> there are further reasons not to do so.

We wait for untracked ct refcount to drop to 1 back:

	/* wait until all references to nf_conntrack_untracked are dropped */
	while (atomic_read(&nf_conntrack_untracked.ct_general.use) > 1)
		schedule();

Consequently it should be one per netns, otherwise netns A can prevent
netns B from stopping.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
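The cross-namespace blocking argued in the reply, as an added user-space model that is not part of the thread or of the netfilter code. It reproduces only the refcount arithmetic behind the `while (use > 1) schedule();` loop: `struct ct`, `struct netns`, `netns_hold`, `netns_put_all` and `refs_seen_by_b_cleanup` are hypothetical names, the reference counts are constructed, and the kernel's `schedule()` wait is replaced by reading the count the cleanup loop would observe.

```c
#include <stdbool.h>
#include <stdio.h>

/* Models ct_general.use. A value of 1 means only the static owner holds the
 * untracked ct, i.e. the cleanup loop in the e-mail would stop spinning. */
struct ct {
	int use;
};

/* A network namespace and the untracked ct its packets reference. With the
 * singleton model both namespaces point at the same struct ct. */
struct netns {
	struct ct *untracked;
	int held; /* references this namespace's in-flight packets hold */
};

/* n packets in ns pick up the untracked ct (nf_conntrack_get equivalent). */
static void netns_hold(struct netns *ns, int n)
{
	ns->untracked->use += n;
	ns->held += n;
}

/* Every packet of ns is gone; all of its references are dropped. */
static void netns_put_all(struct netns *ns)
{
	ns->untracked->use -= ns->held;
	ns->held = 0;
}

/* Run the scenario and return the refcount that netns B's cleanup loop
 * observes after B has released everything it ever held. Only a value of 1
 * lets the loop exit; anything larger means B keeps calling schedule(). */
int refs_seen_by_b_cleanup(bool per_netns)
{
	struct ct shared = { .use = 1 }, ua = { .use = 1 }, ub = { .use = 1 };
	struct netns a = { per_netns ? &ua : &shared, 0 };
	struct netns b = { per_netns ? &ub : &shared, 0 };

	netns_hold(&a, 3); /* constructed: 3 packets in A still carry the untracked ct */
	netns_hold(&b, 2); /* constructed: 2 packets in B did too */
	netns_put_all(&b); /* B's packets are done; B now wants to stop */

	return b.untracked->use;
}

/* true when B's teardown wait would return, independent of what A is doing. */
bool netns_b_can_stop(bool per_netns)
{
	return refs_seen_by_b_cleanup(per_netns) == 1;
}

int main(void)
{
	printf("singleton untracked ct: B sees use == %d, can stop: %s\n",
	       refs_seen_by_b_cleanup(false),
	       netns_b_can_stop(false) ? "yes" : "no");
	printf("per-netns untracked ct: B sees use == %d, can stop: %s\n",
	       refs_seen_by_b_cleanup(true),
	       netns_b_can_stop(true) ? "yes" : "no");
	return 0;
}
```

With one shared object, B's loop still sees the three references A's traffic holds and would spin until A happens to release them; giving each namespace its own untracked ct makes B's count depend only on B's own packets.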