From: Vlad Buslov <vladbu@nvidia.com>
To: Florian Westphal <fw@strlen.de>
Cc: <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH nf-next] netfilter: conntrack: remove flowtable early-drop test
Date: Tue, 23 Apr 2024 17:40:47 +0300	[thread overview]
Message-ID: <87o7a02l61.fsf@nvidia.com> (raw)
In-Reply-To: <20240423130553.GB18954@breakpoint.cc>


On Tue 23 Apr 2024 at 15:05, Florian Westphal <fw@strlen.de> wrote:
> Vlad Buslov <vladbu@nvidia.com> wrote:
>> > ---
>> >  Vlad, do you remember why you added this test?
>> 
>> I added it when I introduced UDP NEW connection offload. As far as I
>> remember, the concern was that since at the time the early-drop algorithm
>> completely ignored all offloaded connections, a malicious user could fill
>> the whole table by just sending a single packet per range of distinct
>> 5-tuples, and none of the resulting connections would be early dropped
>> until they expired.
>
> Ok, so it was indeed this:
>
>> >  and maybe was just a 'move-it-around' from the check in
>> >  early_drop_list, which would mean this was there from the
>> >  beginning.  Doesn't change "I don't understand why this test
>> >  exists" though :-)
>
> In this case I think this change is fine, i.e. remove offload
> special treatment, it's not needed.

The change will also enable early dropping offloaded non-ASSURED
connections for all other protocols though.

>
> Thanks for checking!


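The table-filling concern Vlad describes, and the behavioural change he notes in his last paragraph, as an added model that is not code from this thread or from the kernel: a constructed Python sketch of the early-drop decision, where `ConntrackTable`, `Conn` and the `ASSURED`/`OFFLOAD` bits are assumed names standing in for nf_conntrack's early_drop_list() scan and status flags.

```python
from dataclasses import dataclass, field

# Constructed status bits modelling IPS_ASSURED / IPS_OFFLOAD (names assumed).
ASSURED = 1 << 0
OFFLOAD = 1 << 1


@dataclass
class Conn:
    tuple5: tuple      # (saddr, sport, daddr, dport, proto)
    status: int = 0


@dataclass
class ConntrackTable:
    max_entries: int
    skip_offloaded: bool          # True models the early-drop test before the patch
    entries: list = field(default_factory=list)

    def early_drop(self):
        """Evict one non-ASSURED entry; return it, or None if nothing is droppable."""
        for c in self.entries:
            if c.status & ASSURED:
                continue                       # established flows are never early-dropped
            if self.skip_offloaded and c.status & OFFLOAD:
                continue                       # pre-patch: offloaded flows were exempt too
            self.entries.remove(c)
            return c
        return None

    def insert(self, conn):
        """Insert conn, dropping a victim first if the table is full; False if it cannot."""
        if len(self.entries) >= self.max_entries and self.early_drop() is None:
            return False
        self.entries.append(conn)
        return True


def fill_with_offloaded(table, n):
    """Constructed input: n distinct 5-tuples, each offloaded after one packet, never ASSURED."""
    for i in range(n):
        table.insert(Conn(("10.0.0.1", 40000 + i, "10.0.0.2", 53, "udp"), OFFLOAD))


def new_flow_fits(skip_offloaded, size=4):
    """Does a fresh, unrelated flow get a slot once the table is full of offloaded entries?"""
    t = ConntrackTable(max_entries=size, skip_offloaded=skip_offloaded)
    fill_with_offloaded(t, size)
    return t.insert(Conn(("192.0.2.1", 1234, "192.0.2.2", 443, "tcp")))
```

With the offload exemption the full table cannot reclaim a slot until the offloaded entries expire; without it, a non-ASSURED offloaded entry is a normal early-drop candidate, for UDP and every other protocol alike.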