[PATCH nf-next 0/2] netfilter: untracked object removal

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Subject: [PATCH nf-next 0/2] netfilter: untracked object removal
Date: Wed,  8 Mar 2017 13:49:48 +0100	[thread overview]
Message-ID: <20170308124950.9369-1-fw@strlen.de> (raw)

These patches remove the percpu untracked objects, they get replaced
with a new (kernel internal) ctinfo state.

This avoids reference counter operations for untracked packets and
removes the need to check a conntrack for the UNTRACKED status bit
before setting connmark, labels, etc.

I checked with following rule set and things appear to work as
expected (i.e., ssh connections don't show up in conntrack -L):

*raw
:PREROUTING ACCEPT [455:34825]
:OUTPUT ACCEPT [251:29555]
[775:63699] -A PREROUTING -p tcp -m tcp --dport 22 -j NOTRACK
[251:29555] -A OUTPUT -p tcp -m tcp --sport 22 -j NOTRACK
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
[337:26377] -A INPUT -p tcp -m conntrack --ctstate UNTRACKED -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate UNTRACKED
[102:13883] -A OUTPUT -p tcp -m conntrack --ctstate UNTRACKED -m tcp --sport 22 -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate UNTRACKED
COMMIT

next             reply	other threads:[~2017-03-08 13:49 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-08 12:49 Florian Westphal [this message]
2017-03-08 12:49 ` [PATCH nf-next 1/2] netfilter: kill the fake untracked conntrack objects Florian Westphal
2017-03-08 12:49 ` [PATCH nf-next 2/2] netfilter: remove nf_ct_is_untracked Florian Westphal
2017-03-08 16:29 ` [PATCH nf-next 0/2] netfilter: untracked object removal Eric Dumazet

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170308124950.9369-1-fw@strlen.de \
    --to=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.