Alexey Dobriyan wrote:
> On Thu, Sep 04, 2008 at 06:54:16PM +0200, Patrick McHardy wrote:
>> [EMAIL PROTECTED] wrote:
>>> Make untracked conntrack per-netns. Compare conntracks with the relevant
>>> untracked one.
>>>
>>> You'll start laughing at the following code:
>>>
>>>     if (ct == ct->ct_net->ct.untracked)
>>>         ...
>>>
>>> let me remind you that ->ct_net is set in only one place, and never
>>> overwritten later.
>>>
>>> All of this requires some surgery with headers, otherwise horrible circular
>>> dependencies. And we lost nf_ct_is_untracked() as a function; it became a macro.
>> I think you could avoid this mess by using a struct nf_conntrack
>> for the untracked conntrack instead of struct nf_conn. It shouldn't
>> make any difference since it's ignored anyway.
>
> Ewww, can I?

I hope so :) A different possibility suggested by Pablo some time ago would be to mark untracked packets in skb->nfctinfo and not attach a conntrack at all.

> Regardless of netns, switching to
>
>     struct nf_conntrack nf_conntrack_untracked;
>
> means we must be absolutely sure that every place which uses, say,
> ct->status won't get the untracked conntrack.
>
> For example, is setting IPS_NAT_DONE_MASK and IPS_CONFIRMED_BIT on the
> untracked conntrack really necessary?

I don't think so; untracked conntracks are skipped early in the NAT table.

> In conntrack_mt_v0() "ct->status" can be used even for an untracked connection,
> is this right?

It looks that way, but it's not right. I think it should return false for every match except on (untracked) state.