[PATCH] Unconditionally push mark to conntrack structure

Patrick McHardy kaber at trash.net
Thu Jun 8 09:25:22 CEST 2006


Pablo Neira Ayuso wrote:
> Patrick McHardy wrote:
> 
>> Pablo Neira Ayuso wrote:
>>
>>> To be frank, I can't see how the timer can be useful from userspace. I
>>> think that we should remove it.
>>
>>
>>
>> Don't you need it for synchronization? One example where it could be
>> useful is to implement different timeout strategies (for example
>> something like pf's adaptive timeouts) in userspace.
> 
> 
> But these adaptive timeouts could be implemented in kernelspace.

That's not a good argument .. by that logic we wouldn't need ctnetlink
at all :)

> Unfortunately, ctnetlink is not doing any sequence tracking of the
> events at the moment :( and we have to. Here my old PIII 866MHz with a
> 100Mbits network card starts dropping events when it reaches ~300
> simultaneous short TCP connections (2 seconds) with netperf. I'm going to
> cook a patch for this.

That seems to be pretty poor performance - by sequence tracking you
mean TCP state updates? Is that poor performance with or without
them?
