On Wed, Jan 09, 2019 at 11:12:47PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Jan 09, 2019 at 05:19:34PM +0100, Florian Westphal wrote:
> > place them into the confirm one.
> >
> > Old:
> > hook (300): ipv4/6_help() first call helper, then seqadj.
> > hook (INT_MAX): confirm
> >
> > Now:
> > hook (INT_MAX): confirm, first call helper, then seqadj, then confirm
> >
> > Not having the extra call is noticeable in benchmarks.
> >
> > Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> > ---
> > Pablo,
> >
> > I was unable to find out why you made this split in the first place.
> > What use case breaks when there is no helper/seqadj at prio 300?
>
> IIRC NF_QUEUE from userspace helper would skip conntrack confirmation,
> but there's using such verdict in the conntrack-tool.
              ^ no one
> I would be fine if we just turn it into NF_DROP for this case and we
> get this patch merged upstream.