From: Patrick McHardy <kaber@trash.net>
To: Changli Gao <xiaosuo@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <eric.dumazet@gmail.com>,
Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>,
akpm@linux-foundation.org, netfilter-devel@vger.kernel.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 2/2] netfilter: save the hash of the tuple in the original direction for latter use
Date: Tue, 21 Sep 2010 17:32:18 +0200 [thread overview]
Message-ID: <4C98D002.3000309@trash.net> (raw)
In-Reply-To: <AANLkTi=NXj9PjYA06+UFYms8q5K3Z4DsPMcpVHpj7Gmq@mail.gmail.com>
Am 21.09.2010 02:02, schrieb Changli Gao:
> On Tue, Sep 21, 2010 at 1:08 AM, Patrick McHardy <kaber@trash.net> wrote:
>>
>> Sure we can, dropping unconfirmed conntracks is a rare exception,
>> not a common case. Even under DoS we usually drop *unassured*
>> conntracks, which have already enterered the hash. If we're unable
>> to do that, we won't even allocate a new conntrack.
>>
>
> Even so, saving the hash of the reply tuple isn't a good idea.
>
> If NAT is turned on, the current code is:
>
> mangle the reply tuple -> compute the hash of the reply tuple ->
> insert into the conntrack hash table.
>
> the new code is
>
> compute the hash of the reply tuple -> mangle the reply tuple ->
> recompute the hash of the reply tuple -> insert into the conntrack
> hash table.
>
> As you see, the hash computing is done twice, and we use more CPU
> cycles than before.
You're right of course, we actually don't compute the reply hash
before inserting the conntrack into the hash table (except in a
few NAT cases, but we can look at those later).
prev parent reply other threads:[~2010-09-21 15:32 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-20 22:49 [PATCH v5 2/2] netfilter: save the hash of the tuple in the original direction for latter use Changli Gao
2010-09-16 6:18 ` Patrick McHardy
2010-09-20 15:04 ` Changli Gao
2010-09-20 17:08 ` Patrick McHardy
2010-09-21 0:02 ` Changli Gao
2010-09-21 15:32 ` Patrick McHardy [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C98D002.3000309@trash.net \
--to=kaber@trash.net \
--cc=akpm@linux-foundation.org \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mathieu.desnoyers@polymtl.ca \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=xiaosuo@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.