On Fri, Jul 28, 2017 at 11:22:04AM +0200, Florian Westphal wrote:
> Discussion during NFWS 2017 in Faro has shown that the current
> conntrack behaviour is unreasonable.
>
> Even if the conntrack module is loaded on behalf of a single net namespace,
> it's turned on for all namespaces, which is expensive. Commit
> 481fa373476 ("netfilter: conntrack: add nf_conntrack_default_on sysctl")
> attempted to provide an alternative to the 'default on' behaviour by
> adding a sysctl to change it.
>
> However, as Eric points out, the sysctl only becomes available
> once the module is loaded, and then it's too late.
>
> So we either have to move the sysctl to the core, or, alternatively,
> change conntrack to become active only once the rule set requires this.
>
> This does the latter: conntrack is only enabled when a rule needs it.

Applied, thanks.