On Tue 23 Apr 2024 at 15:05, Florian Westphal <fw@xxxxxxxxx> wrote: > Vlad Buslov <vladbu@xxxxxxxxxx> wrote: >> > --- >> > Vlad, do you remember why you added this test? >> >> I added it when I introduced UDP NEW connection offload. As far as I >> remember the concern was that since at the time early drop algorithm >> completely ignored all offloaded connections malicious user could fill >> the whole table by just sending a single packet per range of distinct 5 >> tuples and none of the resulting connections would be early dropped >> until they expire. > > Ok, so it was indeed this: > >> > and maybe was just a 'move-it-around' from the check in >> > early_drop_list, which would mean this was there from the >> > beginning. Doesn't change "i don't understand why this test >> > exists" though :-) > > In this case I think this change is fine, ie. remove offload > special treatment, its not needed. The change will also enable early dropping offloaded non-ASSURED connections for all other protocols though. > > Thanks for checking!