Am 21.09.2010 02:02, schrieb Changli Gao: > On Tue, Sep 21, 2010 at 1:08 AM, Patrick McHardy <kaber@xxxxxxxxx> wrote: >> >> Sure we can, dropping unconfirmed conntracks is a rare exception, >> not a common case. Even under DoS we usually drop *unassured* >> conntracks, which have already enterered the hash. If we're unable >> to do that, we won't even allocate a new conntrack. >> > > Even so, saving the hash of the reply tuple isn't a good idea. > > If NAT is turned on, the current code is: > > mangle the reply tuple -> compute the hash of the reply tuple -> > insert into the conntrack hash table. > > the new code is > > compute the hash of the reply tuple -> mangle the reply tuple -> > recompute the hash of the reply tuple -> insert into the conntrack > hash table. > > As you see, the hash computing is done twice, and we use more CPU > cycles than before. You're right of course, we actually don't compute the reply hash before inserting the conntrack into the hash table (except in a few NAT cases, but we can look at those later). -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
