Alexey Dobriyan wrote:
quoted text
> On Thu, Sep 04, 2008 at 06:54:16PM +0200, Patrick McHardy wrote:
>> adobriyan@gmail.com wrote:
>>> Make untracked conntrack per-netns. Compare conntracks with relevant
>>> untracked one.
>>>
>>> The following code you'll start laughing at this code:
>>>
>>> 	if (ct == ct->ct_net->ct.untracked)
>>> 		...
>>>
>>> let me remind you that ->ct_net is set in only one place, and never
>>> overwritten later.
>>>
>>> All of this requires some surgery with headers, otherwise horrible circular
>>> dependencies. And we lost nf_ct_is_untracked() as function, it became macro.
>> I think you could avoid this mess by using a struct nf_conntrack
>> for the untracked conntrack instead of struct nf_conn. It shouldn't
>> make any difference since its ignored anyways.
> 
> Ewww, can I?

I hope so :) A different possiblity suggest by Pablo some time ago
would be to mark untracked packets in skb->nfctinfo and not
attach a conntrack at all.

quoted text
> Regardless of netns, switching to
> 
> 	struct nf_conntrack nf_conntrack_untracked;
> 
> means we must be absolutely sure that every place which uses, say,
> ct->status won't get untracked conntrack.
> 
> For example, does setting IPS_NAT_DONE_MASK and IPS_CONFIRMED_BIT on
> untracked conntracked really necessary?

I don't think so, untracked conntracks are skipped early in the NAT
table.

quoted text
> In conntrack_mt_v0() "ct->status" can be used even for untracked connection,
> is this right?

It looks that way, but its not right. I think it should return false
for every match except on (untracked) state.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html