leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
4d3a57f23d
linux/include/net/netfilter
History
Florian Westphal 4d3a57f23d netfilter: conntrack: do not enable connection tracking unless needed 
Discussion during NFWS 2017 in Faro has shown that the current
conntrack behaviour is unreasonable.

Even if conntrack module is loaded on behalf of a single net namespace,
its turned on for all namespaces, which is expensive.  Commit
481fa37347 ("netfilter: conntrack: add nf_conntrack_default_on sysctl")
attempted to provide an alternative to the 'default on' behaviour by
adding a sysctl to change it.

However, as Eric points out, the sysctl only becomes available
once the module is loaded, and then its too late.

So we either have to move the sysctl to the core, or, alternatively,
change conntrack to become active only once the rule set requires this.

This does the latter, conntrack is only enabled when a rule needs it.

Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-07-31 20:42:00 +02:00
..
ipv4 netfilter: udplite: Remove duplicated udplite4/6 declaration 2017-04-09 00:08:22 +02:00
ipv6 netfilter: udplite: Remove duplicated udplite4/6 declaration 2017-04-09 00:08:22 +02:00
br_netfilter.h net: convert nf_bridge_info.use from atomic_t to refcount_t 2017-07-01 07:39:07 -07:00
nf_conntrack_acct.h netfilter: introduce nf_conn_acct structure 2013-11-03 21:48:49 +01:00
nf_conntrack_core.h netfilter: remove nf_ct_is_untracked 2017-04-15 11:51:33 +02:00
nf_conntrack_ecache.h nefilter: eache: reduce struct size from 32 to 24 byte 2017-04-19 17:55:17 +02:00
nf_conntrack_expect.h netfilter: expect: add and use nf_ct_expect_iterate helpers 2017-07-31 19:09:38 +02:00
nf_conntrack_extend.h netfilter: nf_ct_ext: invoke destroy even when ext is not attached 2017-05-01 11:48:49 +02:00
nf_conntrack_helper.h netfilter: nfnl_cthelper: reject del request if helper obj is in use 2017-05-15 12:42:29 +02:00
nf_conntrack_l3proto.h netfilter: conntrack: do not enable connection tracking unless needed 2017-07-31 20:42:00 +02:00
nf_conntrack_l4proto.h netfilter: allow early drop of assured conntracks 2017-04-19 17:55:17 +02:00
nf_conntrack_labels.h netfilter: conntrack: avoid excess memory allocation 2016-10-27 18:29:02 +02:00
nf_conntrack_seqadj.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_synproxy.h netfilter: synproxy: only register hooks when needed 2017-04-26 09:30:21 +02:00
nf_conntrack_timeout.h netfilter: refcounter conversions 2017-03-17 12:49:43 +01:00
nf_conntrack_timestamp.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_tuple.h
nf_conntrack_zones.h netfilter: move zone info into struct nf_conn 2016-06-23 13:33:12 +02:00
nf_conntrack.h netfilter: add and use nf_ct_unconfirmed_destroy 2017-07-31 19:09:39 +02:00
nf_dup_netdev.h netfilter: add and use nf_fwd_netdev_egress 2016-12-06 21:48:22 +01:00
nf_log.h netfilter: allow logging from non-init namespaces 2017-02-02 14:31:58 +01:00
nf_nat_core.h netfilter: Pass net into nf_xfrm_me_harder 2015-09-18 22:00:22 +02:00
nf_nat_helper.h netfilter: nat: nf_nat_mangle_{udp,tcp}_packet returns boolean 2017-04-06 22:01:38 +02:00
nf_nat_l3proto.h netfilter: Pass priv instead of nf_hook_ops to netfilter hooks 2015-09-18 22:00:16 +02:00
nf_nat_l4proto.h netfilter: built-in NAT support for UDPlite 2016-12-04 20:45:32 +01:00
nf_nat_redirect.h netfilter: combine IPv4 and IPv6 nf_nat_redirect code in one module 2014-11-27 13:08:42 +01:00
nf_nat.h netfilter: don't attach a nat extension by default 2017-04-26 09:30:22 +02:00
nf_queue.h netfilter: nf_queue: only call synchronize_net twice if nf_queue is active 2017-05-01 11:19:12 +02:00
nf_socket.h netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c 2016-11-01 20:50:31 +01:00
nf_tables_core.h netfilter: nf_tables: keep chain counters away from hot path 2017-07-24 12:23:16 +02:00
nf_tables_ipv4.h netfilter: merge fixup for "nf_tables_netdev: remove redundant ip_hdr assignment" 2016-10-05 20:25:48 -04:00
nf_tables_ipv6.h netfilter: nf_tables: set pktinfo->thoff at AH header if found 2017-03-08 18:35:27 +01:00
nf_tables.h netfilter: nf_tables: Allow object names of up to 255 chars 2017-07-31 20:41:59 +02:00
nfnetlink_log.h
nft_dup.h netfilter: nf_tables: add nft_dup expression 2015-08-07 11:49:49 +02:00
nft_fib.h netfilter: nft_fib: Support existence check 2017-03-13 13:45:36 +01:00
nft_masq.h netfilter: nft_masq: support port range 2016-03-02 20:05:27 +01:00
nft_meta.h netfilter: nft_meta: improve the validity check of pkttype set expr 2016-08-25 13:12:03 +02:00
nft_redir.h netfilter: nf_tables: add new expression nft_redir 2014-10-27 22:49:39 +01:00
nft_reject.h netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT 2016-08-25 12:55:34 +02:00
xt_rateest.h net_sched: gen_estimator: complete rewrite of rate estimators 2016-12-05 15:21:59 -05:00