[PATCH 1/*] nfnetlink updates
Amin Azez
azez at ufomechanic.net
Wed Jul 13 10:04:14 CEST 2005
Pablo Neira wrote:
> Hi,
>
> This patch introduces the following changes to nfnetlink:
>
> a) nfnetlink groups: Up to 32 maximum.
>
> +#define NF_NETLINK_CONNTRACK_NEW 0x1
> +#define NF_NETLINK_CONNTRACK_UPDATE 0x2
> +#define NF_NETLINK_CONNTRACK_DESTROY 0x4
> +#define NF_NETLINK_CONNTRACK_EXPECT 0x8
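Review bot: the four group masks NF_NETLINK_CONNTRACK_NEW through NF_NETLINK_CONNTRACK_EXPECT are added without a comment recording that each is one bit of the nfnetlink group mask that the cover text limits to 32 groups; a one-line comment above the block, e.g. `/* nfnetlink multicast groups: one bit per group, 32 groups max */`, would document that constraint where the values live and make clear that the unused bits are available for further groups.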
>
> I think that those four groups are enough to group events.
Currently there are about 3 netlink packets sent when a connection comes
up and three when it goes down.

I wonder if it is worth being able to filter on the ctstate as well;
under heavy load it is quite a benefit to reduce the netlink throughput
by 3 times. An application might be interested in ESTABLISHED and CLOSE
or TIMEOUT states. These are subsets of CONNTRACK_UPDATE.

I don't feel _very_ strongly about this, but I do think it is worth
mentioning.
Amin