Le vendredi 20 août 2010 à 22:53 +0800, Changli Gao a écrit : > Since we don't change the tuple in the original direction, we can save it > in ct->tuplehash[IP_CT_DIR_REPLY].hnode.pprev for __nf_conntrack_confirm() > use. > > __hash_conntrack() is split into two steps: ____hash_conntrack() is used > to get the raw hash, and __hash_bucket() is used to get the bucket id. > > In SYN-flood case, early_drop() doesn't need to recompute the hash again. > > Signed-off-by: Changli Gao <xiaosuo@xxxxxxxxx> > --- Hmm... so to accept a few more SYN packets per second in SYNFLOOD attack, we slow a bit normal operations ? (adding one test on each packet going through conntrack) If yes (I dont think we should, hackers are stronger than you anyway, just face it) v4: __read_mostly on nf_conntrack_rnd What would happen if we let the initialization of nf_conntrack_rnd only in the insertion case (like currently done) ? Only the first packet received on the machine/conntrack might be hashed on a wrong slot. Is it a big deal ? If yes, maybe find a way to recompute the hash in this case, instead of reusing 'wrong' one ? -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
