On Wed, Sep 08, 2021 at 02:28:33PM +0200, Florian Westphal wrote:
> This patch set makes the zone id part of the conntrack hash again.
>
> First patch is a followup to
> d7e7747ac5c2496c9,
> "netfilter: refuse insertion if chain has grown too large".
>
> Instead of a fixed-size limit, allow for some slack in the drop
> limit. This makes it harder to extract information about hash
> table collisions/bucket overflows.
>
> Second patch makes the zone id part of the tuple hash again.
> This was removed six years ago to allow split-zone support.
>
> Last two patches add test cases for zone support with colliding
> tuples. First test case emulates split zones, where NAT is responsible
> to expose the overlapping networks and provide unique source ports via
> nat port translation.
>
> Second test case exercises overlapping tuples in distinct zones.
>
> Expectation is that all connections succeed (first self test) and
> that all insertions work (second self test).

Series applied, thanks.