From: Patrick McHardy <kaber@trash.net>
To: Harald Welte <laforge@netfilter.org>
Cc: Rusty Russell <rusty@rustcorp.com.au>,
Netfilter Development Mailinglist
<netfilter-devel@lists.netfilter.org>,
Pablo Neira <pablo@eurodev.net>,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Subject: Re: nf_conntrack [was Re: [PATCH 1/4] RFC: fast string matching infrastrure for netfilter]
Date: Fri, 14 Jan 2005 19:00:53 +0100 [thread overview]
Message-ID: <41E808D5.7070707@trash.net> (raw)
In-Reply-To: <20050114083154.GG9070@sunbeam.de.gnumonks.org>
Harald Welte wrote:
>Nobody should ever load iptable_nat if it isn't actually used. That's
>what module autoloading is about. If a distribution does this, it is
>straight forward broken.
>
I was talking about autoloading or loading by other means. If the NAT
module is _present_ but not loaded, the get_features stuff needs to
assume it could be loaded any time and thus reserve memory in the
conntrack tuple. Or reallocate on module load.
>
>Also, I haven't seen this in practise so far, so it's not a valid
>optimization target from my point of view.
>
>
>>Sure, but helpers are slow anyway. The additional allocation is a one-time
>>effort, the two disjunct pieces of memory shouldn't hurt too much since
>>nf_conntrack is very large and covers multiple cache-lines already. Rusty
>>mentioned he got struct ip_conntrack down to ~150b, this makes it possible
>>to have a lot more active connections without exceeding the cache.
>>
>
>Ok, agreed for the helper case. But my argument for NAT still holds, at
>least as far as I see. Also, stuff like the accounting counters are a
>similar case.
>
>So maybe in the end we need 'features' for those, and ct_extend for
>helper related data?
>
I think helper data should go in ct_extend anyway. But since get_features
needs to allocate the memory for ip_nat_info anyways, I think we should go
with Rusty's propsal of two hardcoded slabcaches (IPv4/IPv6).
>>One more thing I was thinking about. If we put ip_conntrack in maintenance
>>mode and probably deprecate it at some time, I see little reason to remove
>>ipchains compat just now. Why not just let it fade out together with
>>ip_conntrack once nf_conntrack is in ? I haven't checked if it was because
>>of incompatibilities or required changes with Rusty's latest work, if so
>>that would be a good reason.
>>
>
>I don't have a particular favour for or against any of the proposed
>solutions.
>
Well, it's gone now anyway, lets just leave it this way :)
Regards
Patrick
next prev parent reply other threads:[~2005-01-14 18:00 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-09 22:23 [PATCH 1/4] RFC: fast string matching infrastrure for netfilter Pablo Neira
2005-01-09 23:10 ` Patrick McHardy
2005-01-09 23:19 ` Pablo Neira
2005-01-10 19:54 ` nf_conntrack [was Re: [PATCH 1/4] RFC: fast string matching infrastrure for netfilter] Jozsef Kadlecsik
2005-01-10 20:31 ` Patrick McHardy
2005-01-10 21:28 ` Harald Welte
2005-01-14 2:45 ` Patrick McHardy
2005-01-14 4:31 ` nf_conntrack Yasuyuki KOZAKAI
2005-01-14 7:01 ` nf_conntrack [was Re: [PATCH 1/4] RFC: fast string matching infrastrure for netfilter] Rusty Russell
2005-01-14 8:20 ` Patrick Schaaf
2005-01-15 18:18 ` KOVACS Krisztian
2005-01-16 16:09 ` Jozsef Kadlecsik
2005-01-14 8:37 ` Harald Welte
2005-01-14 10:22 ` Rusty Russell
2005-01-14 18:02 ` Patrick McHardy
2005-01-14 17:52 ` Patrick McHardy
2005-01-14 8:31 ` Harald Welte
2005-01-14 18:00 ` Patrick McHardy [this message]
2005-01-14 3:16 ` Patrick McHardy
2005-01-10 21:20 ` Harald Welte
2005-01-10 8:49 ` [PATCH 1/4] RFC: fast string matching infrastrure for netfilter Sven Schuster
2005-01-10 23:18 ` Pablo Neira
2005-01-10 10:06 ` Harald Welte
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41E808D5.7070707@trash.net \
--to=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=laforge@netfilter.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=pablo@eurodev.net \
--cc=rusty@rustcorp.com.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.