Re: [PATCH nf 0/5] netfilter: conntrack: make zone id part of conntrack hash

On Wed, Sep 08, 2021 at 02:28:33PM +0200, Florian Westphal wrote:
> This patch set makes the zone id part of the conntrack hash again.
> 
> First patch is a followup to
> d7e7747ac5c2496c9,
> "netfilter: refuse insertion if chain has grown too large".
> 
> Instead of a fixed-size limit, allow for some slack in the drop
> limit.  This makes it harder to extract information about hash
> table collisions/bucket overflows.
> 
> Second patch makes the zone id part of the tuple hash again.
> This was removed six years ago to allow split-zone support.
> 
> Last two patches add test cases for zone support with colliding
> tuples. First test case emulates split zones, where NAT is responsible
> for exposing the overlapping networks and providing unique source ports via
> nat port translation.
> 
> Second test case exercises overlapping tuples in distinct zones.
> 
> Expectation is that all connections succeed (first self test) and
> that all insertions work (second self test).

Series applied, thanks.
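To illustrate the two behaviours the cover letter describes, here is a small constructed model (added example, not code from this series or from the kernel): a tuple hash that optionally mixes in the zone id, so identical tuples in distinct zones no longer share a hash, and a chain-length drop check whose threshold carries random slack instead of a fixed cutoff. The struct, the FNV-style mixing and the threshold arithmetic are assumptions for this model; the kernel uses its own tuple layout, hash function and seed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy 5-tuple; layout is an assumption, not the kernel's struct. */
struct tuple {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t  proto;
};

/* FNV-1a style byte mixing (assumption; stands in for the kernel's seeded hash).
 * Each step xors then multiplies by an odd constant, so distinct inputs stay distinct. */
static uint32_t mix(uint32_t h, uint32_t v)
{
    for (int i = 0; i < 4; i++) {
        h ^= (v >> (8 * i)) & 0xff;
        h *= 16777619u;
    }
    return h;
}

/* Hash a tuple; when with_zone is set the zone id becomes part of the hash input,
 * so overlapping tuples in different zones land in different hash values. */
uint32_t tuple_hash(const struct tuple *t, uint16_t zone, uint32_t seed, int with_zone)
{
    uint32_t h = 2166136261u ^ seed;
    h = mix(h, t->saddr);
    h = mix(h, t->daddr);
    h = mix(h, ((uint32_t)t->sport << 16) | t->dport);
    h = mix(h, t->proto);
    if (with_zone)
        h = mix(h, zone);
    return h;
}

/* Drop decision with slack: the effective limit is base_limit plus a random
 * offset in [0, slack], so an observer cannot pin down the exact chain length
 * at which insertions start failing. rnd models a per-call random value. */
int should_drop(unsigned chain_len, unsigned base_limit, unsigned slack, uint32_t rnd)
{
    return chain_len > base_limit + (rnd % (slack + 1));
}

int main(void)
{
    struct tuple t = { 0x0a000001u, 0x0a000002u, 40000, 80, 6 }; /* constructed */
    printf("zone 0: %08x  zone 1: %08x\n",
           tuple_hash(&t, 0, 0x1234, 1), tuple_hash(&t, 1, 0x1234, 1));
    printf("len 10, limit 8, slack 4, rnd 4 -> drop=%d\n", should_drop(10, 8, 4, 4));
    return 0;
}
```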


