> >From: pablo@xxxxxxxxxxxxx >Date: Wed, 9 May 2012 13:33:03 +0200 > >> This is a second batch of netfilter updates for net-next, they contain: >> >> * The new HMARK target from Hans Schillstrom. It took lots of spins >> to get this into shape. This target provides a hash-based packet / flow >> pre-classifier for iptables that can be used to distribute packets >> / flows between uplinks and backend servers. It provides to modes, one >> that relies on conntrack, and one that is stateless per-packet. >> >> * Byte-based cost calculation for the hashlimit match, to detect when >> a host consumes more bandwidth than expected. This patch from Florian >> Westphal. >> >> You can pull these changes from: >> >> git://1984.lsi.us.es/net-next > >Pulled. > >Two suggested improvements: > >1) The HMARK hash is quite expensive, because it uses a modulus. > > Consider adjusting it to use the usual trick: > > ((u64)(HASH_VAL * HASH_SIZE)) >> 32 > > so that this can be a multiply instead of a modulus. That's true >2) XT_HASHLIMIT_MAX is cumbersome. > > The canonical way to validate if the set bits are in a > valid range is to have a "_ALL" macro, and test: > > if (val & ~XT_HASHLIMIT_ALL) > goto err; > > or similar. > Thanks David I'll fix it Regards Hans Schillstrom -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
