On Fri, Feb 03, 2017 at 01:35:50PM +0100, Florian Westphal wrote: > zones allow tracking multiple connections sharing identical tuples, > this is needed e.g. when tracking distinct vlans with overlapping ip > addresses (conntrack is l2 agnostic). > > Thus the zone has to be set before the packet is picked up by the > connection tracker. This is done by means of 'conntrack templates' which > are conntrack structures used solely to pass this info from one netfilter > hook to the next. > > The iptables CT target instantiates these connection tracking templates > once per rule, i.e. the template is fixed/tied to particular zone, can > be read-only and therefore be re-used by as many skbs simultaneously as > needed. > > We can't follow this model because we want to take the zone id from > an sreg at rule eval time so we could e.g. fill in the zone id from > the packets vlan id or a e.g. nftables key : value maps. > > To avoid cost of per packet alloc/free of the template, use a percpu > template 'scratch' object and use the refcount to detect the (unlikely) > case where the template is still attached to another skb (i.e., previous > skb was nfqueued ...). Applied, thanks! -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
