On Tue, Aug 22, 2023 at 06:30:31AM +0200, Alexandr Nedvedicky wrote:
>     Currently we have something like this:
>       { mbuf, pcb } <-> state key <-> { state, state ... }
>     with this diff we get to:
>       { mbuf, pcb } <-> state <-> state key
>     Basically when we do process packet we are interested in state
>     not state key itself.

The PCB holds the 4 tupel IP/Port/SRC/DST, and the state key uses
that also.  So we have a 1:1 relation.  That why the linking is
that way.

The mbuf linking is just to transport the information up and down
the stack to get the link with the first packet.  There are corner
cases that need this.  Especially port reuse and connection abort
is tricky.

I always forget why state key to states is a 1:n relation.  But I
expect touble with connectionless divert rules when we change the
PCB with state linking to 1:n.  Idea is to keep one PCB and one
state key in sync.

For the same reason we have sk_reverse.  It links both state keys
1:1.  Like sk_inp links PCB and state keys 1:1.  I expect sublte
breakage in our firewall product if we change that.


Reply via email to