On Thu, Sep 04, 2008 at 06:54:16PM +0200, Patrick McHardy wrote:
> adobriyan@xxxxxxxxx wrote:
>> Make untracked conntrack per-netns. Compare conntracks with relevant
>> untracked one.
>>
>> You'll start laughing at the following code:
>>
>> if (ct == ct->ct_net->ct.untracked)
>> ...
>>
>> let me remind you that ->ct_net is set in only one place, and never
>> overwritten later.
>>
>> All of this requires some surgery with headers, otherwise horrible circular
>> dependencies. And we lost nf_ct_is_untracked() as function, it became macro.
>
> I think you could avoid this mess by using a struct nf_conntrack
> for the untracked conntrack instead of struct nf_conn. It shouldn't
> make any difference since it's ignored anyways.

Ewww, can I?

Regardless of netns, switching to

	struct nf_conntrack nf_conntrack_untracked;

means we must be absolutely sure that every place which uses, say,
ct->status won't get untracked conntrack.

For example, is setting IPS_NAT_DONE_MASK and IPS_CONFIRMED_BIT on
untracked conntrack really necessary?

In conntrack_mt_v0() "ct->status" can be used even for untracked
connection, is this right?

>> struct netns_ct {
>> 	atomic_t count;
>> @@ -12,5 +13,7 @@ struct netns_ct {
>> 	struct hlist_head *expect_hash;
>> 	int expect_vmalloc;
>> 	struct hlist_head unconfirmed;
>> +	/* Fake conntrack entry for untracked connections */
>> +	struct nf_conn untracked;
>> };
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
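Review bot: `untracked` is embedded by value in `struct netns_ct`, so the comparison quoted in the description, `ct == ct->ct_net->ct.untracked`, compares a pointer against a struct and will not compile as written; it needs the address, `ct == &ct->ct_net->ct.untracked`, and every caller of the new nf_ct_is_untracked() macro must use that form. The hunk also adds the entry without showing where it is set up; the thread notes that IPS_CONFIRMED_BIT and IPS_NAT_DONE_MASK are set on the untracked entry, so that initialisation now has to run per namespace in the netns init path, and the comment on the field should say that the entry is identified by address only and which of its members are actually read (ct->status in conntrack_mt_v0() is the case raised above), since that is exactly the assumption the struct nf_conntrack alternative depends on.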