On Wed, Jan 09, 2019 at 05:19:34PM +0100, Florian Westphal wrote:
> place them into the confirm one.
>
> Old:
> hook (300): ipv4/6_help() first call helper, then seqadj.
> hook (INT_MAX): confirm
>
> Now:
> hook (INT_MAX): confirm, first call helper, then seqadj, then confirm
>
> Not having the extra call is noticeable in benchmarks.
>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
> Pablo,
>
> I was unable to find out why you made this split in the first place.
> What use case breaks when there is no helper/seqadj at prio 300?

IIRC NF_QUEUE from userspace helper would skip conntrack confirmation,
but there's using such verdict in the conntrack-tool.

I would be fine if we just turn it into NF_DROP for this case and we get
this patch merged upstream.