From mboxrd@z Thu Jan 1 00:00:00 1970
From: Pablo Neira Ayuso
Subject: Re: xt_connlimit kernel 20070620
Date: Thu, 21 Jun 2007 17:39:19 +0200
Message-ID: <467A9BA7.1090707@netfilter.org>
References: <4678F7A2.6090203@netfilter.org> <46790A58.9050106@netfilter.org> <46791704.4090609@netfilter.org> <467921FD.8000909@trash.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
Cc: Jan Engelhardt, Netfilter Developer Mailing List
To: Patrick McHardy
In-Reply-To: <467921FD.8000909@trash.net>
Sender: netfilter-devel-bounces@lists.netfilter.org
Errors-To: netfilter-devel-bounces@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>> But the event API has the DESTROY transition. There are three kinds of
>> events: NEW, UPDATE and DESTROY. Just wait for DESTROY events to release
>> the entry from the hashtable.
>
> That's not a bad idea, but I always considered the notifier chains
> overkill just for ctnetlink and thought about replacing them by
> simple hooks. Adding another user for them would need some good
> justification, also since it quite heavily adds to the overhead
> for packet processing.

The call_chain would be called only to catch DESTROY events (at timer
expiration). No need to register notifications for the event NEW since
it can be got from the packet itself from ctinfo.

--
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
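A small userspace model of the scheme proposed in this message, added here as an illustration and not code from the netfilter tree or the xt_connlimit patch: a per-source table grows when the matched packet's ctinfo says the connection is NEW, and shrinks only when the (modelled) event chain delivers a DESTROY for that conntrack, so the match subscribes to nothing but DESTROY. All names below are hypothetical stand-ins for the kernel's structures.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: NOT the kernel's nf_conn, ctinfo or notifier API. */
enum ct_info  { CT_NEW, CT_ESTABLISHED };
enum ct_event { EV_NEW = 1, EV_UPDATE = 2, EV_DESTROY = 4 };

#define MAX_CONNS 64
struct conn { const void *ct; uint32_t src; bool used; };
static struct conn table[MAX_CONNS];
static unsigned subscribed;            /* event mask the match registered for */

/* Clear the table and choose the events the notifier will react to. */
void connlimit_reset(unsigned mask)
{
    for (int i = 0; i < MAX_CONNS; i++) table[i].used = false;
    subscribed = mask;
}

/* Number of tracked connections currently charged to src. */
unsigned connlimit_count(uint32_t src)
{
    unsigned n = 0;
    for (int i = 0; i < MAX_CONNS; i++)
        if (table[i].used && table[i].src == src) n++;
    return n;
}

/* Match: NEW is taken from ctinfo of the packet itself, no NEW event needed.
 * Returns true if the packet is allowed under `limit` connections per source. */
bool connlimit_match(const void *ct, uint32_t src, enum ct_info ctinfo, unsigned limit)
{
    if (ctinfo != CT_NEW) return true;   /* established traffic is never counted again */
    if (connlimit_count(src) >= limit) return false;
    for (int i = 0; i < MAX_CONNS; i++)
        if (!table[i].used) { table[i] = (struct conn){ ct, src, true }; return true; }
    return false;                        /* table full: fail closed */
}

/* Notifier callback: only a DESTROY (timer expiry) releases the entry. */
void ct_notifier(unsigned events, const void *ct)
{
    if (!(events & subscribed & EV_DESTROY)) return;
    for (int i = 0; i < MAX_CONNS; i++)
        if (table[i].used && table[i].ct == ct) { table[i].used = false; return; }
}

int main(void)
{
    int a, b;                            /* stand-ins for two conntrack objects */
    connlimit_reset(EV_DESTROY);
    connlimit_match(&a, 0x0a000001, CT_NEW, 1);
    printf("second NEW allowed? %d\n", connlimit_match(&b, 0x0a000001, CT_NEW, 1));
    ct_notifier(EV_DESTROY, &a);
    printf("after DESTROY allowed? %d\n", connlimit_match(&b, 0x0a000001, CT_NEW, 1));
    return 0;
}
```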