From: Pablo Neira Ayuso
Subject: Re: xt_connlimit kernel 20070620
Date: Thu, 21 Jun 2007 17:50:18 +0200
Message-ID: <467A9E3A.3060905@netfilter.org>
In-Reply-To: <467A9CC9.3020605@trash.net>
References: <4678F7A2.6090203@netfilter.org> <46790A58.9050106@netfilter.org> <46791704.4090609@netfilter.org> <467921FD.8000909@trash.net> <467A9BA7.1090707@netfilter.org> <467A9CC9.3020605@trash.net>
To: Patrick McHardy
Cc: Jan Engelhardt, Netfilter Developer Mailing List

Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>> Patrick McHardy wrote:
>>
>>> Pablo Neira Ayuso wrote:
>>>
>>>> But the event API has the DESTROY transition. There are three kinds of
>>>> events: NEW, UPDATE and DESTROY. Just wait for DESTROY events to release
>>>> the entry from the hashtable.
>>> That's not a bad idea, but I always considered the notifier chains
>>> overkill just for ctnetlink and thought about replacing them by
>>> simple hooks. Adding another user for them would need some good
>>> justification, also since it quite heavily adds to the overhead
>>> for packet processing.
>>
>> The call_chain would be called only to catch DESTROY events (at timer
>> expiration). No need to register notifications for the NEW event,
>> since it can be obtained from the packet itself via ctinfo.
>
> We only have a single notifier chain.

Worth splitting them into three chains?

--
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
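The DESTROY-only listener and the per-event chain split discussed in the thread above, as an added user-space C model (not netfilter code; the chain, listener, ctinfo flag and table names are invented for illustration, and the small open-addressed per-source table stands in for xt_connlimit's hashtable):

```c
/* Added example, not netfilter code: a user-space model of a conntrack event
 * notifier with one chain per event (NEW, UPDATE, DESTROY) and a connlimit-style
 * consumer that registers only for DESTROY. All names are invented. */
#include <stdint.h>
#include <string.h>

enum ct_event { CT_NEW, CT_UPDATE, CT_DESTROY, CT_NEVENTS };
struct ct_entry { uint32_t src; uint16_t dport; };
typedef void (*ct_notify_fn)(const struct ct_entry *ct, void *priv);
struct ct_listener { ct_notify_fn fn; void *priv; };

/* One chain per event type: a DESTROY-only listener is never run on the
 * NEW/UPDATE path, which is where the per-packet overhead would be paid. */
#define MAX_LISTENERS 4
static struct ct_listener chains[CT_NEVENTS][MAX_LISTENERS];
static int nlisteners[CT_NEVENTS];
static unsigned long listener_calls;              /* every listener invocation */

static int ct_register(enum ct_event ev, ct_notify_fn fn, void *priv)
{
    if (nlisteners[ev] >= MAX_LISTENERS)
        return -1;
    chains[ev][nlisteners[ev]++] = (struct ct_listener){ fn, priv };
    return 0;
}

static void ct_notify(enum ct_event ev, const struct ct_entry *ct)
{
    for (int i = 0; i < nlisteners[ev]; i++, listener_calls++)
        chains[ev][i].fn(ct, chains[ev][i].priv);
}

/* connlimit-style consumer: open-addressed table of per-source counts (count 0 = free) */
#define HASH_SIZE 16
struct limit_slot { uint32_t src; unsigned count; };
struct connlimit { struct limit_slot slot[HASH_SIZE]; };

static struct limit_slot *connlimit_slot(struct connlimit *cl, uint32_t src)
{
    struct limit_slot *s, *spare = NULL;
    for (unsigned i = 0, h = (src * 2654435761u) >> 28; i < HASH_SIZE; i++) {
        s = &cl->slot[(h + i) % HASH_SIZE];
        if (s->count && s->src == src)
            return s;                             /* existing entry */
        if (!s->count && !spare)
            spare = s;                            /* first free slot on the probe path */
    }
    return spare;                                 /* NULL when the table is full */
}

/* Packet path: ctinfo already says whether this packet opens a NEW connection,
 * so no NEW notification is needed. 1 = pass, 0 = source at its limit (not counted). */
static int connlimit_match(struct connlimit *cl, const struct ct_entry *ct,
                           int ctinfo_is_new, unsigned limit)
{
    if (!ctinfo_is_new)
        return 1;                                 /* established: nothing to count */
    struct limit_slot *s = connlimit_slot(cl, ct->src);
    if (!s || s->count >= limit)
        return 0;                                 /* at the limit, or table full: fail closed */
    s->src = ct->src;
    s->count++;
    return 1;
}

/* DESTROY listener: conntrack timer expired; a count that drops to 0 frees the slot */
static void connlimit_on_destroy(const struct ct_entry *ct, void *priv)
{
    struct limit_slot *s = connlimit_slot(priv, ct->src);
    if (s && s->count)
        s->count--;
}

/* Constructed scenario: one source opens three connections against the limit,
 * the first times out (DESTROY), then a fourth is attempted. Bit i of the result
 * is set if connection i passed; listener_calls shows how often any listener ran. */
static int simulate(unsigned limit)
{
    struct connlimit cl = {{{0}}};
    struct ct_entry c[4] = { {0x0a000001u, 1000}, {0x0a000001u, 1001},
                             {0x0a000001u, 1002}, {0x0a000001u, 1003} };
    int mask = 0;

    memset(nlisteners, 0, sizeof nlisteners);     /* fresh chains for each run */
    listener_calls = 0;
    ct_register(CT_DESTROY, connlimit_on_destroy, &cl);
    for (int i = 0; i < 3; i++)
        if (connlimit_match(&cl, &c[i], 1, limit)) {
            mask |= 1 << i;
            ct_notify(CT_NEW, &c[i]);             /* confirmed; nobody listens on NEW */
        }
    ct_notify(CT_UPDATE, &c[1]);                  /* reply seen; nobody listens on UPDATE */
    connlimit_match(&cl, &c[1], 0, limit);        /* established packet: not counted */
    ct_notify(CT_DESTROY, &c[0]);                 /* timer expiry: the one listener call */
    if (connlimit_match(&cl, &c[3], 1, limit))
        mask |= 1 << 3;
    return mask;
}
```

Calling `simulate(2)` from a main() returns 0xb (connections 0, 1 and 3 pass, 2 is refused while the source is at its limit) and leaves `listener_calls` at 1: the NEW and UPDATE notifications never reach the connlimit listener because it sits on the DESTROY chain only, so with split chains its cost is paid at timer expiry rather than per packet. With a single chain, as in the thread, every NEW and UPDATE would have invoked it just to be ignored.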