On Wed, 2017-03-08 at 13:49 +0100, Florian Westphal wrote:
> These patches remove the percpu untracked objects; they get replaced
> with a new (kernel internal) ctinfo state.
>
> This avoids reference counter operations for untracked packets and
> removes the need to check a conntrack for the UNTRACKED status bit
> before setting connmark, labels, etc.
>
> I checked with the following rule set and things appear to work as
> expected (i.e., ssh connections don't show up in conntrack -L):
>
> *raw
> :PREROUTING ACCEPT [455:34825]
> :OUTPUT ACCEPT [251:29555]
> [775:63699] -A PREROUTING -p tcp -m tcp --dport 22 -j NOTRACK
> [251:29555] -A OUTPUT -p tcp -m tcp --sport 22 -j NOTRACK
> COMMIT
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
> [337:26377] -A INPUT -p tcp -m conntrack --ctstate UNTRACKED -m tcp --dport 22 -j ACCEPT
> [0:0] -A INPUT -m conntrack --ctstate UNTRACKED
> [102:13883] -A OUTPUT -p tcp -m conntrack --ctstate UNTRACKED -m tcp --sport 22 -j ACCEPT
> [0:0] -A OUTPUT -m conntrack --ctstate UNTRACKED
> COMMIT

Very nice series Florian, thanks!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
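The quoted rule set shows the pairing a NOTRACK deployment needs: once a flow is exempted from tracking in the raw table it never gets a conntrack entry, so filter rules keyed on ESTABLISHED or RELATED will not match it and the only thing that lets it through is an explicit `--ctstate UNTRACKED ... -j ACCEPT`. The audit below is an added example, not part of Florian's series or of the mail above: a POSIX shell script that parses an iptables-save dump and reports every NOTRACK rule in the raw table that has no matching UNTRACKED ACCEPT in the filter table. The dump is constructed here (it mirrors the quoted rules and adds a udp/53 NOTRACK rule with no filter counterpart); the function names `extract_rules` and `audit_notrack` are mine.

```shell
#!/bin/sh
# Constructed iptables-save dump: the quoted tcp/22 rules plus one extra
# NOTRACK rule for udp/53 that is deliberately not mirrored in *filter.
# The "-m conntrack --ctstate UNTRACKED" lines with no -j target are
# counter-only rules, exactly as in the quoted rule set.
DUMP='*raw
:PREROUTING ACCEPT [455:34825]
:OUTPUT ACCEPT [251:29555]
[775:63699] -A PREROUTING -p tcp -m tcp --dport 22 -j NOTRACK
[251:29555] -A OUTPUT -p tcp -m tcp --sport 22 -j NOTRACK
[12:960] -A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
[337:26377] -A INPUT -p tcp -m conntrack --ctstate UNTRACKED -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate UNTRACKED
[102:13883] -A OUTPUT -p tcp -m conntrack --ctstate UNTRACKED -m tcp --sport 22 -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate UNTRACKED
COMMIT'

# extract_rules DUMP TABLE PATTERN
# Print "proto dir port" for each rule line in TABLE whose text matches the
# awk regex PATTERN. Rules without -p / --dport / --sport print "any - -".
extract_rules() {
    printf '%s\n' "$1" | awk -v want="$2" -v pat="$3" '
        /^\*/ { table = substr($0, 2); next }   # "*raw", "*filter", ...
        table == want && $0 ~ pat {
            proto = "any"; dir = "-"; port = "-"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") { dir = "dport"; port = $(i + 1) }
                else if ($i == "--sport") { dir = "sport"; port = $(i + 1) }
            }
            print proto, dir, port
        }'
}

# audit_notrack DUMP
# For every NOTRACK rule in *raw, print "proto dir port" unless *filter has an
# ACCEPT for the same proto/dir/port that matches --ctstate UNTRACKED.
# Counter-only UNTRACKED rules (no -j ACCEPT) are deliberately not counted as
# cover, because they let nothing through.
audit_notrack() {
    accepts=$(extract_rules "$1" filter '--ctstate UNTRACKED.*-j ACCEPT')
    extract_rules "$1" raw '-j NOTRACK$' | while read -r proto dir port; do
        printf '%s\n' "$accepts" | grep -qx "$proto $dir $port" ||
            printf '%s\n' "$proto $dir $port"
    done
}

# Stand-alone run: lists NOTRACK rules with no UNTRACKED accept.
audit_notrack "$DUMP"
```

Run against a live box with `audit_notrack "$(iptables-save)"`; an empty result means every untracked flow has a filter rule that can pass it. The matcher keys only on protocol, direction and port, so a blanket `--ctstate UNTRACKED -j ACCEPT` with no port would show up as "any - -" and would need to be treated as covering everything, and INPUT/OUTPUT chain placement is not checked; both are easy extensions, but the point of the example is the pairing itself.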