On 20.09.2010 17:04, Changli Gao wrote: > On Thu, Sep 16, 2010 at 2:18 PM, Patrick McHardy <kaber@xxxxxxxxx> wrote: >> On 21.08.2010 00:49, Changli Gao wrote: >>> Since we don't change the tuple in the original direction, we can save it >>> in ct->tuplehash[IP_CT_DIR_REPLY].hnode.pprev for __nf_conntrack_confirm() >>> use. >> >> I like this idea. We could actually do the same for the reply tuple >> and invalidate the saved hash in case the reply tuple is changed >> (nf_conntrack_alter_reply()), which only happens when NAT is used. >> > > We can't do that, as the unconfirmed ct owned maybe dropped, and > pre-computing will wast CPU cycles in this case. Sure we can, dropping unconfirmed conntracks is a rare exception, not a common case. Even under DoS we usually drop *unassured* conntracks, which have already enterered the hash. If we're unable to do that, we won't even allocate a new conntrack. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
