[RFC][PATCH] ctnetlink port to nf_conntrack take #3
Yasuyuki KOZAKAI
yasuyuki.kozakai at toshiba.co.jp
Sun Dec 18 12:33:33 CET 2005
From: Pablo Neira Ayuso <pablo at eurodev.net>
Date: Thu, 15 Dec 2005 20:16:55 +0100
> Patrick McHardy wrote:
> > Yasuyuki KOZAKAI wrote:
> >
> >> Well, I've found an issue. The current dumping code returns the
> >> information about IPv6 connections regardless of the address family
> >> in the nfnetlink header (nfgenmsg). As a result, the conntrack
> >> program prints "0.0.0.0 ....."
> >>
> >> Something like filtering by address family might be necessary while
> >> dumping. Yes, that would be inefficient. One long-term solution would be
> >> a conntrack hash per layer 3 protocol.
> >
> >
> > The filtering sounds fine for now. Dumping already has a large overhead
> > because of the repeated iterations over the entire hash to find out where
> > to continue after an skb was full, so this is not going to make it much
> > worse. I'm going to fix it up when adding the patch.
>
> What about the patch attached? It applies on top of my previous global
> ctnetlink port to nf_conntrack take#4 patch.
Looks fine to me. And it's a good idea to dump information about all connections
if AF_UNSPEC is set in nfgenmsg. But I don't know whether such a way of handling
AF_UNSPEC can be a generic policy of nfnetlink.
-- Yasuyuki Kozakai
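The two behaviours discussed in this thread, filtering dumped entries by the address family carried in nfgenmsg (with AF_UNSPEC meaning "every family") and resuming the walk over the hash after an skb fills up, can be shown in a small user-space model. The following is an added example written for this page; it is not the patch under discussion nor kernel code. The table contents are constructed, and the names `ct_entry`, `dump_state`, `family_matches`, `ct_dump` and `ct_dump_all` are hypothetical stand-ins for the kernel's own structures and callbacks.

```c
/* Added example (not from the patch under discussion): a user-space model of a
 * ctnetlink dump that filters entries by the nfgenmsg address family and
 * resumes after a "full" buffer. All names and table contents are constructed. */
#include <stdio.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6, AF_UNSPEC */

#define HASH_BUCKETS 4
#define ENTRIES_PER_BUCKET 3
#define MAX_BATCH 16      /* upper bound on entries per dump round */

/* One tracked connection: its layer 3 protocol and a printable label. */
struct ct_entry {
    int l3proto;          /* address family of the tracked connection */
    const char *label;
    int valid;            /* 0 marks an unused slot in the chain */
};

/* Constructed conntrack table: a tiny hash with chained entries. */
static const struct ct_entry table[HASH_BUCKETS][ENTRIES_PER_BUCKET] = {
    { {AF_INET,  "10.0.0.1:1234 -> 10.0.0.2:80", 1},
      {AF_INET6, "2001:db8::1 -> 2001:db8::2", 1},
      {0, NULL, 0} },
    { {AF_INET6, "2001:db8::3 -> 2001:db8::4", 1},
      {0, NULL, 0},
      {0, NULL, 0} },
    { {0, NULL, 0}, {0, NULL, 0}, {0, NULL, 0} },   /* empty bucket */
    { {AF_INET,  "192.0.2.1:4000 -> 192.0.2.2:22", 1},
      {AF_INET,  "192.0.2.3:4001 -> 192.0.2.4:53", 1},
      {AF_INET6, "2001:db8::5 -> 2001:db8::6", 1} },
};

/* Where to resume after the buffer filled up (the kernel keeps this in the
 * netlink callback's args). */
struct dump_state {
    unsigned int bucket;
    unsigned int index;
};

/* An entry is reported when the requested family matches its l3proto, or when
 * the request carries AF_UNSPEC, which the thread proposes to mean "all". */
static int family_matches(int requested, int l3proto)
{
    return requested == AF_UNSPEC || requested == l3proto;
}

/* One dump round: copies up to 'capacity' matching labels into out[] and
 * leaves st pointing at the first entry not yet emitted, so the next round
 * continues exactly where this one stopped. Returns the number emitted. */
static int ct_dump(int family, struct dump_state *st,
                   const char **out, int capacity)
{
    int n = 0;

    for (; st->bucket < HASH_BUCKETS; st->bucket++, st->index = 0) {
        for (; st->index < ENTRIES_PER_BUCKET; st->index++) {
            const struct ct_entry *e = &table[st->bucket][st->index];

            if (!e->valid || !family_matches(family, e->l3proto))
                continue;
            if (n == capacity)
                return n;          /* "skb full": resume at this entry */
            out[n++] = e->label;
        }
    }
    return n;                      /* walk finished */
}

/* Drives repeated rounds with a buffer of 'capacity' slots until the walk is
 * done, printing each entry; returns the total reported. A correct resume
 * neither skips nor repeats an entry, whatever the buffer size. */
static int ct_dump_all(int family, int capacity)
{
    struct dump_state st = {0, 0};
    const char *buf[MAX_BATCH];
    int total = 0, n, i;

    if (capacity > MAX_BATCH)
        capacity = MAX_BATCH;
    while ((n = ct_dump(family, &st, buf, capacity)) > 0) {
        for (i = 0; i < n; i++)
            printf("%s\n", buf[i]);
        total += n;
    }
    return total;
}

int main(void)
{
    printf("AF_INET entries: %d\n", ct_dump_all(AF_INET, 2));
    printf("AF_INET6 entries: %d\n", ct_dump_all(AF_INET6, 1));
    printf("AF_UNSPEC entries: %d\n", ct_dump_all(AF_UNSPEC, 4));
    return 0;
}
```

Running the walk with a buffer smaller than the number of matching entries forces several rounds, which is the case the thread's "continue after an skb was full" remark refers to; the counts come out the same as with a single large round because the resume position is the first entry not yet emitted rather than the last one written.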