Hi Jozsef, On Tue, Feb 21, 2012 at 04:06:59PM +0100, Jozsef Kadlecsik wrote: > Or do I miss something else here? I just noticed one problem. With your approach, we may lose race if one packet inserts same conntrack entry while we're adding one conntrack. Thus resulting in two conntracks with the same tuples in the table. One possible solution would be to check if it already exists before adding it to the list, but this will add too many extra cycles for each conntrack that is added via ctnetlink. I'm also considering disabling early_drop from ctnetlink and to return -ENOMEM instead. Not sure if it makes sense the early drop mechanism via ctnetlink. If we hit ENOMEM from user-space while adding one new conntrack, we can iterate over the table and delete conntrack based on some criteria, then retry. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
