From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next 3/9] netfilter: nft_ct: add zone id set support
Date: Wed, 8 Feb 2017 10:29:29 +0100 [thread overview]
Message-ID: <20170208092929.GC28205@salvia> (raw)
In-Reply-To: <20170203123556.17357-4-fw@strlen.de>
On Fri, Feb 03, 2017 at 01:35:50PM +0100, Florian Westphal wrote:
> zones allow tracking multiple connections sharing identical tuples,
> this is needed e.g. when tracking distinct vlans with overlapping ip
> addresses (conntrack is l2 agnostic).
>
> Thus the zone has to be set before the packet is picked up by the
> connection tracker. This is done by means of 'conntrack templates' which
> are conntrack structures used solely to pass this info from one netfilter
> hook to the next.
>
> The iptables CT target instantiates these connection tracking templates
> once per rule, i.e. the template is fixed/tied to particular zone, can
> be read-only and therefore be re-used by as many skbs simultaneously as
> needed.
>
> We can't follow this model because we want to take the zone id from
> an sreg at rule eval time so we could e.g. fill in the zone id from
> the packets vlan id or a e.g. nftables key : value maps.
>
> To avoid cost of per packet alloc/free of the template, use a percpu
> template 'scratch' object and use the refcount to detect the (unlikely)
> case where the template is still attached to another skb (i.e., previous
> skb was nfqueued ...).
Applied, thanks!
next prev parent reply other threads:[~2017-02-08 9:29 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-03 12:35 [PATCH -next 0/9] nftables: add zone support to ct statement Florian Westphal
2017-02-03 12:35 ` [PATCH nf-next 1/9] netfilter: nft_ct: add zone id get support Florian Westphal
2017-02-08 9:28 ` Pablo Neira Ayuso
2017-02-03 12:35 ` [PATCH nf-next 2/9] netfilter: nft_ct: prepare for key-dependent error unwind Florian Westphal
2017-02-08 9:29 ` Pablo Neira Ayuso
2017-02-03 12:35 ` [PATCH nf-next 3/9] netfilter: nft_ct: add zone id set support Florian Westphal
2017-02-08 9:29 ` Pablo Neira Ayuso [this message]
2017-02-03 12:35 ` [PATCH libnftnl 4/9] src: ct: add zone support Florian Westphal
2017-02-19 19:22 ` Pablo Neira Ayuso
2017-02-03 12:35 ` [PATCH nftables 5/9] src: add host byte order integer type Florian Westphal
2017-02-06 17:31 ` Pablo Neira Ayuso
2017-02-06 18:17 ` Pablo Neira Ayuso
2017-02-06 22:33 ` Florian Westphal
2017-02-07 11:58 ` Pablo Neira Ayuso
2017-02-07 12:29 ` Pablo Neira Ayuso
2017-02-03 12:35 ` [PATCH nftables 6/9] src: add conntrack zone support Florian Westphal
2017-02-03 12:35 ` [PATCH nftables 7/9] ct: refactor print function so it can be re-used for ct statement Florian Westphal
2017-02-03 12:35 ` [PATCH nftables 8/9] src: support zone set statement with optional direction Florian Westphal
2017-02-03 12:35 ` [PATCH nftables 9/9] tests: add test entries for conntrack zones Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170208092929.GC28205@salvia \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).