From: Daniel Borkmann <daniel@iogearbox.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: tgraf@suug.ch, challa@noironetworks.com, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next v5 2/2] netfilter: nf_conntrack: add efficient mark to zone mapping
Date: Wed, 19 Aug 2015 17:10:57 +0200
Message-ID: <55D49C81.5080906@iogearbox.net>
In-Reply-To: <20150818230556.GB17497@salvia>
On 08/19/2015 01:05 AM, Pablo Neira Ayuso wrote:
...
> This change to nf_ct_zone_tmpl() is OK by now. I can see you're doing
> this because we cannot use the template object to perform tmpl->mark =
> skb->mark since the template is shared between all packets.
>
> However, this is showing the limitations that we have in iptables
> since we can't do mappings there, with nft we could do things in the
> near future that look like:
>
> meta mark { 0x123 : ct template zone 1, ... }
>
> I think this can be refined by having a scratchpad template object
> per-cpu that we can modify from the CT target. This will also resolve
> the existing limitations that we have: Only the first rule that uses
> the CT target to attach a template actually applies, follow-up rules
> trying to attach a template are simply ignored.
>
> This per-cpu template object should have a zone and timeout extension
> area preallocated, so we skip that memory allocation overhead from the
> packet path. Another alternative can be to add a struct nf_conn_tmpl
> object whose layout until the status flag is the same, so we can place
> the configuration there without the need of the extension areas, a
> trick similar to what we have with reqsock and twsock objects.
>
> Would you have a look into this so we can get this in better shape and
> resolve the existing limitations by the next merge window? Thanks!
Yes, I'll look into this and will get back to you. Btw, the remaining
two user space patches (conntrack, libnetfilter_conntrack) I'll post
next week when I'm back from Plumbers.
Thanks Pablo!
Best,
Daniel
Thread overview (6+ messages):
2015-08-14 14:03 [PATCH nf-next v5 0/2] Netfilter zone directions Daniel Borkmann
2015-08-14 14:03 ` [PATCH nf-next v5 1/2] netfilter: nf_conntrack: add direction support for zones Daniel Borkmann
2015-08-18 22:29 ` Pablo Neira Ayuso
2015-08-14 14:03 ` [PATCH nf-next v5 2/2] netfilter: nf_conntrack: add efficient mark to zone mapping Daniel Borkmann
2015-08-18 23:05 ` Pablo Neira Ayuso
2015-08-19 15:10 ` Daniel Borkmann [this message]