[PATCH] aggressive early_drop and reserved conntrack entries

Henrik Nordstrom hno at marasystems.com
Sun Dec 12 12:40:17 CET 2004


On Sat, 11 Dec 2004, Jozsef Kadlecsik wrote:

> It's already a little bit messy. I strongly believe we must revise
> reference counting in order to make locking more straightforward (and to
> be able to introduce, say, per-bucket locking at all). The
> conntrack_arefcount patch tries to step ahead in that direction.

The patch adds yet another entity needing locking: The list of unassured 
connections. This list requires two write updates per new connection 
(append, delete).

With it being a linked list, fine-grained locking becomes a bit hard, and
to have FIFO semantics there are not many other choices. But fortunately
the operations needing this list locked are very short in time, so it should
be fine with a global lock on the unassured list, in addition to the
(fine-grained) conntrack locking, provided the unassured lock is acquired
last (atomic list insert, delete operations).

Note: RCU does not help us here.

Regards
Henrik
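
An added sketch of the lock ordering described in the message above (not code from the patch or from netfilter): per-bucket locks are taken first, and one global lock guarding the unassured FIFO is always taken last and held only for the list splice. The names `struct ct`, `ct_new`, `ct_assure` and `ct_early_drop`, the four-bucket table and the use of pthread mutexes are assumptions for illustration; the hash table itself and reference counting are left out.

```c
#include <pthread.h>
#include <stddef.h>
#define NBUCKETS 4

struct ct {                          /* hypothetical conntrack entry */
    struct ct *prev, *next;          /* links on the unassured FIFO */
    unsigned hash; int unassured;    /* bucket hash; 1 while on the list */
};

static pthread_mutex_t bucket_lock[NBUCKETS] = { PTHREAD_MUTEX_INITIALIZER,
    PTHREAD_MUTEX_INITIALIZER, PTHREAD_MUTEX_INITIALIZER, PTHREAD_MUTEX_INITIALIZER };
static pthread_mutex_t unassured_lock = PTHREAD_MUTEX_INITIALIZER;
static struct ct fifo = { &fifo, &fifo, 0, 0 };    /* sentinel list head */

static void unlink_locked(struct ct *c) {   /* caller holds unassured_lock */
    c->prev->next = c->next;
    c->next->prev = c->prev;
    c->unassured = 0;
}

void ct_new(struct ct *c) {                 /* write 1: append at the tail */
    pthread_mutex_lock(&bucket_lock[c->hash % NBUCKETS]);
    pthread_mutex_lock(&unassured_lock);    /* always the innermost lock */
    c->prev = fifo.prev; c->next = &fifo; c->unassured = 1;
    fifo.prev->next = c; fifo.prev = c;
    pthread_mutex_unlock(&unassured_lock);
    pthread_mutex_unlock(&bucket_lock[c->hash % NBUCKETS]);
}

void ct_assure(struct ct *c) {              /* write 2: delete from the list */
    pthread_mutex_lock(&bucket_lock[c->hash % NBUCKETS]);
    pthread_mutex_lock(&unassured_lock);
    if (c->unassured) unlink_locked(c);     /* skip if already dropped */
    pthread_mutex_unlock(&unassured_lock);
    pthread_mutex_unlock(&bucket_lock[c->hash % NBUCKETS]);
}

struct ct *ct_early_drop(void) {            /* detach the oldest unassured entry */
    struct ct *c = NULL;
    pthread_mutex_lock(&unassured_lock);    /* taken with no other lock held */
    if (fifo.next != &fifo) { c = fifo.next; unlink_locked(c); }
    pthread_mutex_unlock(&unassured_lock);
    return c;   /* caller then unhashes it under that entry's bucket lock */
}

int main(void) {                            /* constructed usage */
    struct ct a = { 0, 0, 1, 0 }, b = { 0, 0, 6, 0 };
    ct_new(&a); ct_new(&b); ct_assure(&a);
    return ct_early_drop() == &b ? 0 : 1;
}
```

Because nothing is ever locked while `unassured_lock` is held, the global lock cannot take part in a lock-order cycle with the bucket locks.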


