From: Florian Westphal <fw@strlen.de>
To: David Miller <davem@davemloft.net>
Cc: fw@strlen.de, nbd@nbd.name, pablo@netfilter.org,
netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH 00/30] Netfilter/IPVS updates for net-next
Date: Tue, 13 Mar 2018 16:39:24 +0100 [thread overview]
Message-ID: <20180313153924.GE31828@breakpoint.cc> (raw)
In-Reply-To: <20180313.113434.1173466843045633114.davem@davemloft.net>
David Miller <davem@davemloft.net> wrote:
[ flow tables ]
> Ok, that seems to constrain the exposure.
>
> We should talk at some point about how exposed conntrack itself is.
Sure, we can do that.
If you have specific scenarios (synflood, peer that opens
100k (legitimate) connections, perpetual-fin, etc) in mind let me know,
i do think that we could still do better in some cases.
next prev parent reply other threads:[~2018-03-13 15:39 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-12 17:58 [PATCH 00/30] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 01/30] netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 02/30] netfilter: nfnetlink_acct: remove useless parameter Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 03/30] netfilter: xt_cluster: get rid of xt_cluster_ipv6_is_multicast Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 04/30] netfilter: nf_conntrack_broadcast: remove useless parameter Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 05/30] netfilter: ipt_ah: return boolean instead of integer Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 06/30] netfilter: unlock xt_table earlier in __do_replace Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 07/30] netfilter: x_tables: check standard verdicts in core Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 08/30] netfilter: x_tables: check error target size too Pablo Neira Ayuso
2018-03-12 17:58 ` [PATCH 09/30] netfilter: x_tables: move hook entry checks into core Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 10/30] netfilter: x_tables: enforce unique and ascending entry points Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 11/30] netfilter: x_tables: cap allocations at 512 mbyte Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 12/30] netfilter: x_tables: limit allocation requests for blob rule heads Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 13/30] netfilter: x_tables: add counters allocation wrapper Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 14/30] netfilter: compat: prepare xt_compat_init_offsets to return errors Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 15/30] netfilter: compat: reject huge allocation requests Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 16/30] netfilter: x_tables: make sure compat af mutex is held Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 17/30] netfilter: x_tables: ensure last rule in base chain matches underflow/policy Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 18/30] netfilter: make xt_rateest hash table per net Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 19/30] netfilter: xt_limit: Spelling s/maxmum/maximum/ Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 20/30] netfilter: nf_flow_table: use IP_CT_DIR_* values for FLOW_OFFLOAD_DIR_* Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 21/30] netfilter: nf_flow_table: clean up flow_offload_alloc Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 22/30] ipv6: make ip6_dst_mtu_forward inline Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 23/30] netfilter: nf_flow_table: cache mtu in struct flow_offload_tuple Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 24/30] netfilter: nf_flow_table: rename nf_flow_table.c to nf_flow_table_core.c Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 25/30] netfilter: x_tables: fix build with CONFIG_COMPAT=n Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 26/30] ipvs: use true and false for boolean values Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 27/30] netfilter: nf_tables: handle rt0 and rt2 properly Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 28/30] netfilter: Refactor nf_conncount Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 29/30] netfilter: conncount: Support count only use case Pablo Neira Ayuso
2018-03-12 17:59 ` [PATCH 30/30] netfilter: nft_ct: add NFT_CT_{SRC,DST}_{IP,IP6} Pablo Neira Ayuso
2018-03-12 18:58 ` [PATCH 00/30] Netfilter/IPVS updates for net-next David Miller
2018-03-12 19:30 ` Felix Fietkau
2018-03-12 20:01 ` David Miller
2018-03-12 20:22 ` Felix Fietkau
2018-03-13 13:41 ` Florian Westphal
2018-03-13 15:34 ` David Miller
2018-03-13 15:39 ` Florian Westphal [this message]
2018-03-14 18:38 ` Pablo Neira Ayuso
2018-03-16 16:23 ` David Miller
2018-03-16 16:39 ` Guy Shattah
2018-03-16 16:41 ` David Miller
-- strict thread matches above, loose matches on Subject: below --
2015-09-22 9:13 Pablo Neira Ayuso
2015-09-22 20:12 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180313153924.GE31828@breakpoint.cc \
--to=fw@strlen.de \
--cc=davem@davemloft.net \
--cc=nbd@nbd.name \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.