On Tue, Sep 21, 2010 at 1:08 AM, Patrick McHardy <kaber@xxxxxxxxx> wrote: > > Sure we can, dropping unconfirmed conntracks is a rare exception, > not a common case. Even under DoS we usually drop *unassured* > conntracks, which have already enterered the hash. If we're unable > to do that, we won't even allocate a new conntrack. > Even so, saving the hash of the reply tuple isn't a good idea. If NAT is turned on, the current code is: mangle the reply tuple -> compute the hash of the reply tuple -> insert into the conntrack hash table. the new code is compute the hash of the reply tuple -> mangle the reply tuple -> recompute the hash of the reply tuple -> insert into the conntrack hash table. As you see, the hash computing is done twice, and we use more CPU cycles than before. -- Regards, Changli Gao(xiaosuo@xxxxxxxxx) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
