From: Patrick McHardy <kaber@trash.net>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Philip Craig <philipc@snapgear.com>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
netfilter-devel@lists.netfilter.org
Subject: Re: [RFC] Die to NOTRACK/TRACE, long live MARK!
Date: Sat, 22 May 2004 16:57:36 +0200 [thread overview]
Message-ID: <40AF6A60.70406@trash.net> (raw)
In-Reply-To: <Pine.LNX.4.33.0405211416341.8045-100000@blackhole.kfki.hu>
Jozsef Kadlecsik wrote:
> Hm. Actually, as we already use a bit in nfcache for TRACE, we could
> reserve bits generally:
>
> #define NFC_HOOKS_MASK 0x0000FFFF
> #define NFC_FLAGS_MASK 0xFFFF0000
>
> /* Special netfilter flags */
>
> #define NFC_PKT_FLAGS_MASK 0x00FF0000
> #define NFC_CT_FLAGS_MASK 0xFF000000
>
> #define NFC_FLAG_TRACE 0x00010000
> #define NFC_FLAG_NOTRACK 0x00020000
> #define NFC_FLAG_CT_TCP_SYNRST 0x01000000
>
> The lower half could be manipulated by MARK while the upper half by
> CONNMARK. But the latter would require a new element in ip_conntrack
> itself and I wouldn' really like to make it bigger.
I like the idea for MARK, but why should we manipulate nfcache from
CONNMARK, and not let the users of the bits get them directly from
struct ip_conntrack (f.i. CT_TCP_SYNRST).
> Do we really need an unsigned long to store the status? :-)
I always thought we would, because set_bit and test_bit take unsigned
long *, but I'm not sure anymore if that really means we can't use
something smaller.
But good news, I'm currently busy shrinking struct ip_conntrack (I bet
myself I could shrink it 30% within 24 hours). I'm already at 28% ;)
-8bytes replacing struct ip_nat_hash by struct list_head because of two
saved conntrack pointers
-20bytes replacing struct nf_ct_info array by new value in struct
sk_buff indicating relation between skb and conntrack .. maybe we could
also put this in nfcache.
-56bytes dynamically allocating helper data, but crashes with NAT atm
I see 4 more bytes by using u_int16_t for initialized and num_manips in
struct ip_nat_info, and maybe I can also squeeze masq_index in there.
>
>
>>PS: Joszef, I changed your address to @netfilter.org, your mailserver
>>doesn't like me.
>
>
> I whitelisted you, sorry for the inconvenience.
Thanks.
Regards
Patrick
next prev parent reply other threads:[~2004-05-22 14:57 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-05-19 21:30 [RFC] Die to NOTRACK/TRACE, long live MARK! Jozsef Kadlecsik
2004-05-20 10:48 ` Pablo Neira
2004-05-21 0:20 ` Philip Craig
2004-05-21 2:12 ` Patrick McHardy
2004-05-22 12:38 ` Jozsef Kadlecsik
2004-05-22 14:57 ` Patrick McHardy [this message]
2004-05-23 8:55 ` Martin Josefsson
2004-05-23 17:00 ` Patrick McHardy
2004-05-25 12:38 ` Pablo Neira
2004-05-25 17:45 ` Patrick McHardy
2004-05-27 10:33 ` Henrik Nordstrom
2004-05-28 11:41 ` Pablo Neira
2004-05-21 12:35 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40AF6A60.70406@trash.net \
--to=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=kadlec@netfilter.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=philipc@snapgear.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.