Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Tue, Nov 28, 2017 at 01:12:06PM +0100, Florian Westphal wrote:
> > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > static int ctnetlink_flush_conntrack(struct net *net,
> > > @@ -1174,6 +1177,13 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
> > > nf_ct_put(ct);
> > > return -ENOENT;
> > > }
> > > + } else if (cda[CTA_ID64]) {
> > > + u64 id = ntohl(nla_get_be64(cda[CTA_ID64]));
> >
> > be64_to_cpu()?
> >
> > But at this point we already uniquely identified the conntrack entry
> > so the ID check appears to be unneeded?
> >
> > I never understood existing test either, so this remark isn't specific
> > to your patch.
>
> When the ID was incremental, not a memory address, you could use it to
> specifically refer to a conntrack through tuple + id.
>
> If a conntrack with tuple X is gone, then created again, you refer to
> the right object.

Yes, but why was that needed?!
I understand what it does, I don't understand the use case :)
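Review bot: The added CTA_ID64 branch in the quoted ctnetlink_del_conntrack hunk converts a 64-bit attribute with a 32-bit helper: "u64 id = ntohl(nla_get_be64(cda[CTA_ID64]));". ntohl() operates on a 32-bit value, so the __be64 returned by nla_get_be64() is truncated before the byte swap and the upper half of the ID never reaches "id". Any comparison that follows would then match on 32 bits only. Use be64_to_cpu(nla_get_be64(cda[CTA_ID64])), as the reply suggests. A short comment on this branch saying why the ID is still checked after the tuple lookup has already selected the entry would also answer the question raised in the thread.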