Re: [PATCH 20/38] netns ct: NOTRACK in netns

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Sep 04, 2008 at 06:54:16PM +0200, Patrick McHardy wrote:
> adobriyan@xxxxxxxxx wrote:
>> Make untracked conntrack per-netns. Compare conntracks with relevant
>> untracked one.
>>
>> The following code you'll start laughing at this code:
>>
>> 	if (ct == ct->ct_net->ct.untracked)
>> 		...
>>
>> let me remind you that ->ct_net is set in only one place, and never
>> overwritten later.
>>
>> All of this requires some surgery with headers, otherwise horrible circular
>> dependencies. And we lost nf_ct_is_untracked() as function, it became macro.
>
> I think you could avoid this mess by using a struct nf_conntrack
> for the untracked conntrack instead of struct nf_conn. It shouldn't
> make any difference since its ignored anyways.

Ewww, can I?

Regardless of netns, switching to

	struct nf_conntrack nf_conntrack_untracked;

means we must be absolutely sure that every place which uses, say,
ct->status won't get untracked conntrack.

For example, does setting IPS_NAT_DONE_MASK and IPS_CONFIRMED_BIT on
untracked conntracked really necessary?

In conntrack_mt_v0() "ct->status" can be used even for untracked connection,
is this right?

>>  struct netns_ct {
>>  	atomic_t		count;
>> @@ -12,5 +13,7 @@ struct netns_ct {
>>  	struct hlist_head	*expect_hash;
>>  	int			expect_vmalloc;
>>  	struct hlist_head	unconfirmed;
>> +	/* Fake conntrack entry for untracked connections */
>> +	struct nf_conn		untracked;
>>  };

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux