From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jan Engelhardt <jengelh@medozas.de>,
Netfilter Development Mailinglist
<netfilter-devel@vger.kernel.org>,
netdev <netdev@vger.kernel.org>,
Patrick McHardy <kaber@trash.net>
Subject: Re: [PATCH v4] netfilter: ipt_CLUSTERIP: remove "no conntrack!"
Date: Thu, 13 Jan 2011 17:30:49 +0100
Message-ID: <4D2F28B9.50407@netfilter.org>
In-Reply-To: <1294929579.3570.163.camel@edumazet-laptop>

On 13/01/11 15:39, Eric Dumazet wrote:
> On Thursday 13 January 2011 at 15:02 +0100, Jan Engelhardt wrote:
>> On Thursday 2011-01-13 14:38, Eric Dumazet wrote:
>>
>>> On Thursday 13 January 2011 at 12:54 +0100, Pablo Neira Ayuso wrote:
>>>
>>>> But printing this does not provide any useful information. The first
>>>> packet that does not belong to the cluster node that has received the
>>>> packet, or the first invalid packet, will trigger this.
>>>>
>>>> Moreover, this confuses users since they can do nothing if they receive
>>>> this message.
>>>>
>>>> Moreover, this target should be superseded by the cluster match, which
>>>> has been there for quite some time (it's also more flexible).
>>>
>>> Now you mentioned it, cluster match is not as flexible right now,
>>> its hashing is on source_ip only.
>>
>> I think in that case, xt_cluster should be improved rather
>> than an old module.
>
> Amen
>
> We should not improve IPv4 support then, I see.
>
> My customers use this old module, and upgrading to xt_cluster is not an
> option.
>
> Should we discuss this forever or fix it?

Hey hey, I'm fine with fixing things. Patch v4 is OK.

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

> In the end, people are forced to add a useless iptables rule to DROP
> INVALID packets before entering ipt_CLUSTERIP, after googling or
> eventually asking experts.
>
> Last time this was discussed, this went nowhere:
>
> http://www.spinics.net/lists/netfilter/msg48676.html
>
> Come on guys, we can do it, don't be afraid.
>
> A non rate limited printk() in kernel is forbidden, especially in
> network stack.
>
> Then, cluster match can be improved, I am sure you already have a patch
> for it.

What scenario could benefit from the destination-based hashing?