[Devel] [PATCH rh7 v2 0/3] Create conntrack structures only if they are really needed
Kirill Tkhai
ktkhai at virtuozzo.com
Mon Sep 12 04:37:38 PDT 2016
Allocate conntracks only after there was a rule that uses them.
v2: Allow after there is a rule and never prohibit.
---
Kirill Tkhai (3):
      net: Primitives to allow conntrack allocation
      net: Mark conntrack users in xtables
      net: Mark conntrack users in nftables

 include/net/net_namespace.h          | 10 ++++++++++
 include/net/netns/conntrack.h        |  1 +
 net/ipv4/netfilter/ipt_CLUSTERIP.c   |  2 ++
 net/ipv4/netfilter/ipt_MASQUERADE.c  |  1 +
 net/ipv4/netfilter/ipt_SYNPROXY.c    |  6 +++++-
 net/ipv6/netfilter/ip6t_MASQUERADE.c |  1 +
 net/ipv6/netfilter/ip6t_SYNPROXY.c   |  6 +++++-
 net/netfilter/nf_conntrack_core.c    |  9 ++++++++-
 net/netfilter/nf_conntrack_netlink.c |  1 +
 net/netfilter/nf_synproxy_core.c     |  1 +
 net/netfilter/nft_ct.c               |  2 ++
 net/netfilter/nft_nat.c              |  2 ++
 net/netfilter/xt_CONNSECMARK.c       |  2 ++
 net/netfilter/xt_HMARK.c             |  1 +
 net/netfilter/xt_NETMAP.c            |  2 ++
 net/netfilter/xt_REDIRECT.c          |  2 ++
 net/netfilter/xt_cluster.c           |  1 +
 net/netfilter/xt_connbytes.c         |  2 ++
 net/netfilter/xt_connlabel.c         |  3 ++-
 net/netfilter/xt_connlimit.c         |  2 ++
 net/netfilter/xt_connmark.c          |  3 +++
 net/netfilter/xt_conntrack.c         |  2 ++
 net/netfilter/xt_helper.c            |  1 +
 net/netfilter/xt_ipvs.c              |  1 +
 net/netfilter/xt_nat.c               |  9 +++++++++
 net/netfilter/xt_socket.c            |  9 +++++++++
 net/netfilter/xt_state.c             |  2 ++
 27 files changed, 80 insertions(+), 4 deletions(-)
--
Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>