From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH RFC v2] netfilter: add connlabel conntrack extension
Date: Thu, 15 Nov 2012 14:09:27 +0100 [thread overview]
Message-ID: <20121115130927.GB4929@1984> (raw)
In-Reply-To: <20121115125002.GI20678@breakpoint.cc>
On Thu, Nov 15, 2012 at 01:50:02PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Mon, Nov 12, 2012 at 01:47:05PM +0100, Florian Westphal wrote:
> > > Alternative would be to keep track of highest bit requested in a "-m connlabel"
> > > rule to figure out the needed size.
> > >
> > > In any case, it would require adding "u16 len" to the extension area; else
> > > we can't figure out how many bytes are valid, i.e.:
> > >
> > > struct nf_conn_labels {
> > > + u16 size; /* length of label storage */
> > > + unsigned long bits[]; /* variable-sized label storage */
> > > +};
> > >
> > > it would increase minimum length needed but it would avoid
> > > the rcu dances done by the current scheme.
> > >
> > > It this is ok for you I'll make this change to see how many LOC are
> > > saved by this.
> >
> > If we simplify the current connlabel code it would be great. And so
> > far, the only way I can think to obtain that is to explictly specify
> > via the CT target the length of the label.
>
> I've turned it into a var-length extension, so all the rcu dances
> and runtime reallocs are gone.
>
> I'll be sending the first non-rfc version of the patchset soon.
>
> Minor drawback: I had to reduce it to 128 labels max, else the
> extension offset array (u8 offset[]) will overflow if too many
> extensions are enabled.
Good point. That reminds me that we should add some bugtrap to
net/netfilter/nf_conntrack_extend.c to check for such possible
overflows.
> At the moment the 128 labels max constraint is no problem at all,
> and we can increase it later if we reduce total possible extension
> size (or use u16 for length/offset tracking).
Sure.
next prev parent reply other threads:[~2012-11-15 13:09 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-02 12:43 [PATCH RFC v2] netfilter: add connlabel conntrack extension Florian Westphal
2012-11-07 20:04 ` Florian Westphal
2012-11-12 6:44 ` Pablo Neira Ayuso
2012-11-12 12:30 ` Florian Westphal
2012-11-12 16:24 ` Pablo Neira Ayuso
2012-11-12 16:32 ` Florian Westphal
2012-11-12 19:02 ` Pablo Neira Ayuso
2012-11-12 6:50 ` Pablo Neira Ayuso
2012-11-12 12:47 ` Florian Westphal
2012-11-15 12:13 ` Pablo Neira Ayuso
2012-11-15 12:50 ` Florian Westphal
2012-11-15 13:09 ` Pablo Neira Ayuso [this message]
2012-11-15 12:52 ` Stephen Clark
2012-11-15 13:06 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121115130927.GB4929@1984 \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.