On Tue, Aug 22, 2023 at 06:30:31AM +0200, Alexandr Nedvedicky wrote:
> Currently we have something like this:
>
>     { mbuf, pcb } <-> state key <-> { state, state ... }
>
> with this diff we get to:
>
>     { mbuf, pcb } <-> state <-> state key
>
> Basically when we do process packet we are interested in state
> not state key itself.
The PCB holds the 4 tuple IP/Port/SRC/DST, and the state key uses that also. So we have a 1:1 relation. That is why the linking is that way. The mbuf linking is just to transport the information up and down the stack to get the link with the first packet. There are corner cases that need this. Especially port reuse and connection abort are tricky.

I always forget why state key to states is a 1:n relation. But I expect trouble with connectionless divert rules when we change the PCB with state linking to 1:n. The idea is to keep one PCB and one state key in sync. For the same reason we have sk_reverse. It links both state keys 1:1. Like sk_inp links PCB and state keys 1:1.

I expect subtle breakage in our firewall product if we change that.

bluhm