Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > On Thu, Nov 15, 2012 at 04:55:12PM +0100, Florian Westphal wrote: > > Changes since RFCv2: > > - make it a variable-size extension and remove dynamic > > reallocation of the label array > > - add ctnetlink support for receiving/setting labels > > - limit to 128 instead of 1k labels due to limited extension > > space (128 is more than enough for now, so this is no problem). > > At a quick glance I like this round, you got this simplified :-). > > My only concern is that (if I'm not missing anything) it > inconditionally add the extension even if we don't need it. Its conditional: words = ACCESS_ONCE(net->ct.label_words); if (words == 0 || WARN_ON_ONCE(words > 8)) return NULL; cl_ext = nf_ct_ext_add_length(ct, NF_CT_EXT_LABELS, words * sizeof(long),.. xt_connlabel increases "label_words" to a non-zero value based on the highest bit it saw so far. So e.g. when bit 32 is requested, a 32-bit machine kernel will set words to 2, and a 64 bit kernel to 1, thus turning the extension on for new connections. The only drawback is that when you add a connlabel rule for bits 127, then for bit 1, then delete the first rule again words will be larger than one. But i think this ok (I don't want to add per-bit refcountr :-) ) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
