From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [RFC nf-next 0/4] netfilter: conntrack: allow insertion of clashing entries
Date: Thu, 16 Jan 2020 12:37:53 +0100 [thread overview]
Message-ID: <20200116113753.GR795@breakpoint.cc> (raw)
In-Reply-To: <20200116111915.d7ddcc2lavocvzrq@salvia>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Tue, Jan 14, 2020 at 12:53:09AM +0100, Florian Westphal wrote:
> > Florian Westphal <fw@strlen.de> wrote:
> > > This entire series isn't nice but so far I did not find a better
> > > solution.
> >
> > I did consider getting rid of the unconfirmed list, but this is also
> > problematic.
>
> Another proposal:
>
> I think the percpu unconfirmed list should become a hashtable.
>
> From resolve_normal_ct(), if __nf_conntrack_find_get() returns NULL,
> this can fall back to make a rcu lookless lookup on the unconfirmed
> hashtable.
Unconfirmed entries can't be processed in parallel.
I.e., we can detect the race (there is an unconfirmed entry in the
unconfirmed table matching original tuple), but we can't do anything about
it until that result has been confirmed.
We could allow processing unconfirmed entries in parallel but it will
require taking ct->lock in all places that add/change extensions.
And we would need to do so unconditionally.
At this point I'm considering to send patches to iptables and kernel
that document that -m statistics can't be used for udp NAT and
another patch to add a l4 hash mode to -m cluster, I don't like this
series either and all alternatives are even worse.
prev parent reply other threads:[~2020-01-16 11:37 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-08 13:44 [RFC nf-next 0/4] netfilter: conntrack: allow insertion of clashing entries Florian Westphal
2020-01-08 13:44 ` [RFC nf-next 1/4] netfilter: conntrack: remove two args from resolve_clash Florian Westphal
2020-01-08 13:44 ` [RFC nf-next 2/4] netfilter: conntrack: place confirm-bit setting in a helper Florian Westphal
2020-01-08 13:44 ` [RFC nf-next 3/4] netfilter: conntrack: split resolve_clash function Florian Westphal
2020-01-08 13:45 ` [RFC nf-next 4/4] netfilter: conntrack: allow insertion of duplicate/clashing entries Florian Westphal
2020-01-13 14:04 ` [RFC nf-next 0/4] netfilter: conntrack: allow insertion of clashing entries Florian Westphal
2020-01-13 23:53 ` Florian Westphal
2020-01-14 21:14 ` Kadlecsik József
2020-01-14 22:21 ` Florian Westphal
2020-01-15 7:58 ` Kadlecsik József
2020-01-16 11:19 ` Pablo Neira Ayuso
2020-01-16 11:37 ` Florian Westphal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200116113753.GR795@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).