leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
4d3a57f23d
linux/net/ipv4
History
Florian Westphal 4d3a57f23d netfilter: conntrack: do not enable connection tracking unless needed 
Discussion during NFWS 2017 in Faro has shown that the current
conntrack behaviour is unreasonable.

Even if conntrack module is loaded on behalf of a single net namespace,
its turned on for all namespaces, which is expensive.  Commit
481fa37347 ("netfilter: conntrack: add nf_conntrack_default_on sysctl")
attempted to provide an alternative to the 'default on' behaviour by
adding a sysctl to change it.

However, as Eric points out, the sysctl only becomes available
once the module is loaded, and then its too late.

So we either have to move the sysctl to the core, or, alternatively,
change conntrack to become active only once the rule set requires this.

This does the latter, conntrack is only enabled when a rule needs it.

Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-07-31 20:42:00 +02:00
..
netfilter netfilter: conntrack: do not enable connection tracking unless needed 2017-07-31 20:42:00 +02:00
af_inet.c net: Remove all references to SKB_GSO_UDP. 2017-07-17 09:52:58 -07:00
ah4.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2017-06-23 14:17:31 -04:00
arp.c networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
cipso_ipv4.c net, ipv4: convert cipso_v4_doi.refcount from atomic_t to refcount_t 2017-07-04 01:29:04 -07:00
datagram.c
devinet.c net: convert in_device.refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
esp4_offload.c esp4/6: Fix GSO path for non-GSO SW-crypto packets 2017-04-19 07:48:57 +02:00
esp4.c net: convert sock.sk_wmem_alloc from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
fib_frontend.c ipv4: initialize fib_trie prior to register_netdev_notifier call. 2017-07-20 15:24:45 -07:00
fib_lookup.h net: add extack arg to lwtunnel build state 2017-05-30 11:55:32 -04:00
fib_notifier.c ipv4: fib: Remove redundant argument 2017-03-10 09:45:09 -08:00
fib_rules.c ipv4: fib_rules: Dump FIB rules when registering FIB notifier 2017-03-16 10:18:34 -07:00
fib_semantics.c net, ipv4: convert fib_info.fib_clntref from atomic_t to refcount_t 2017-07-04 01:29:04 -07:00
fib_trie.c net, ipv4: convert fib_info.fib_clntref from atomic_t to refcount_t 2017-07-04 01:29:04 -07:00
fou.c fou: make local function static 2017-05-21 13:42:36 -04:00
gre_demux.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-06-30 05:03:36 -04:00
gre_offload.c net: Remove all references to SKB_GSO_UDP. 2017-07-17 09:52:58 -07:00
icmp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-15 11:59:32 -04:00
igmp.c net: convert ip_mc_list.refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
inet_connection_sock.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
inet_diag.c tcp: remove early retransmit 2017-01-13 22:37:16 -05:00
inet_fragment.c net: convert inet_frag_queue.refcnt from atomic_t to refcount_t 2017-07-01 07:39:09 -07:00
inet_hashtables.c net: make sk_ehashfn() static 2017-07-03 03:29:14 -07:00
inet_timewait_sock.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
inetpeer.c inetpeer: remove AVL implementation in favor of RB tree 2017-07-17 08:59:01 -07:00
ip_forward.c ipv4: allow local fragmentation in ip_finish_output_gso() 2016-11-03 16:10:26 -04:00
ip_fragment.c net: convert inet_frag_queue.refcnt from atomic_t to refcount_t 2017-07-01 07:39:09 -07:00
ip_gre.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
ip_input.c net: Add sysctl to toggle early demux for tcp and udp 2017-03-24 13:17:07 -07:00
ip_options.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
ip_output.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-07-21 03:38:43 +01:00
ip_sockglue.c do_ip_setsockopt(): don't open-code memdup_user() 2017-06-30 02:04:09 -04:00
ip_tunnel_core.c net: store port/representator id in metadata_dst 2017-06-25 11:42:01 -04:00
ip_tunnel.c ip_tunnel: fix potential issue in ip_tunnel_rcv 2017-06-16 12:01:29 -04:00
ip_vti.c vti: revert flush x-netns xfrm cache when vti interface is removed 2017-07-18 11:13:41 -07:00
ipcomp.c
ipconfig.c networking: convert many more places to skb_put_zero() 2017-06-16 11:48:35 -04:00
ipip.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
ipmr.c net: ipmr: ipmr_get_table() returns NULL 2017-07-12 08:18:46 -07:00
Kconfig Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2017-02-16 21:25:49 -05:00
Makefile tcp: ULP infrastructure 2017-06-15 12:12:40 -04:00
netfilter.c netfilter: use skb_to_full_sk in ip_route_me_harder 2017-02-28 12:49:36 +01:00
ping.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
proc.c tcp: add TCPMemoryPressuresChrono counter 2017-06-08 11:26:19 -04:00
protocol.c net: Add sysctl to toggle early demux for tcp and udp 2017-03-24 13:17:07 -07:00
raw_diag.c net: ip, raw_diag -- Use jump for exiting from nested loop 2016-11-03 15:25:26 -04:00
raw.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
route.c Add wait_for_random_bytes() and get_random_*_wait() functions so that 2017-07-15 12:44:02 -07:00
syncookies.c ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check() 2017-07-18 11:22:51 -07:00
sysctl_net_ipv4.c tcp: ULP infrastructure 2017-06-15 12:12:40 -04:00
tcp_bbr.c tcp_bbr: init pacing rate on first RTT sample 2017-07-15 14:43:29 -07:00
tcp_bic.c tcp: bic, cubic: use tcp_jiffies32 instead of tcp_time_stamp 2017-05-17 16:06:01 -04:00
tcp_cdg.c sched/headers: Prepare for new header dependencies before moving code to <linux/sched/clock.h> 2017-03-02 08:42:27 +01:00
tcp_cong.c bpf: Add support for changing congestion control 2017-07-01 16:15:14 -07:00
tcp_cubic.c tcp: bic, cubic: use tcp_jiffies32 instead of tcp_time_stamp 2017-05-17 16:06:01 -04:00
tcp_dctcp.c Revert "dctcp: update cwnd on congestion event" 2016-12-06 11:34:24 -05:00
tcp_diag.c net: diag: Fix refcnt leak in error path destroying socket 2016-08-23 23:11:36 -07:00
tcp_fastopen.c bpf: Add TCP connection BPF callbacks 2017-07-01 16:15:14 -07:00
tcp_highspeed.c tcp: add cwnd_undo functions to various tcp cc algorithms 2016-11-21 13:20:17 -05:00
tcp_htcp.c tcp: replace misc tcp_time_stamp to tcp_jiffies32 2017-05-17 16:06:01 -04:00
tcp_hybla.c tcp: make undo_cwnd mandatory for congestion modules 2016-11-21 13:20:17 -05:00
tcp_illinois.c tcp: add cwnd_undo functions to various tcp cc algorithms 2016-11-21 13:20:17 -05:00
tcp_input.c bpf: Add support for changing congestion control 2017-07-01 16:15:14 -07:00
tcp_ipv4.c tcp: md5: tcp_md5_do_lookup_exact() can be static 2017-07-06 10:54:15 +01:00
tcp_lp.c tcp: switch TCP TS option (RFC 7323) to 1ms clock 2017-05-17 16:06:01 -04:00
tcp_metrics.c tcp: use tcp_jiffies32 to feed tp->snd_cwnd_stamp 2017-05-17 16:06:01 -04:00
tcp_minisocks.c bpf: Support for setting initial receive window 2017-07-01 16:15:13 -07:00
tcp_nv.c tcpnv: do not export local function 2017-05-21 13:42:36 -04:00
tcp_offload.c net: convert sock.sk_wmem_alloc from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
tcp_output.c tcp: adjust tail loss probe timeout 2017-07-19 16:14:10 -07:00
tcp_probe.c tcp: Revert "tcp: tcp_probe: use spin_lock_bh()" 2017-02-21 13:26:03 -05:00
tcp_rate.c tcp: export do_tcp_sendpages and tcp_rate_check_app_limited functions 2017-06-15 12:12:40 -04:00
tcp_recovery.c tcp: adjust tail loss probe timeout 2017-07-19 16:14:10 -07:00
tcp_scalable.c tcp: add cwnd_undo functions to various tcp cc algorithms 2016-11-21 13:20:17 -05:00
tcp_timer.c tcp: fix TCP_SYNCNT flakes 2017-05-24 16:29:57 -04:00
tcp_ulp.c tcp: fix out-of-bounds access in ULP sysctl 2017-06-23 14:10:05 -04:00
tcp_vegas.c tcp: make undo_cwnd mandatory for congestion modules 2016-11-21 13:20:17 -05:00
tcp_vegas.h
tcp_veno.c tcp: add cwnd_undo functions to various tcp cc algorithms 2016-11-21 13:20:17 -05:00
tcp_westwood.c tcp_westwood: use tcp_jiffies32 instead of tcp_time_stamp 2017-05-17 16:06:01 -04:00
tcp_yeah.c tcp: add cwnd_undo functions to various tcp cc algorithms 2016-11-21 13:20:17 -05:00
tcp.c bpf: Add support for changing congestion control 2017-07-01 16:15:14 -07:00
tunnel4.c tunnels: correct conditional build of MPLS and IPv6 2016-07-11 13:27:06 -07:00
udp_diag.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
udp_impl.h udp: make *udp*_queue_rcv_skb() functions static 2017-05-18 10:23:33 -04:00
udp_offload.c inet: Remove software UFO fragmenting code. 2017-07-17 09:52:58 -07:00
udp_tunnel.c net: Remove deprecated tunnel specific UDP offload functions 2016-06-17 20:23:32 -07:00
udp.c udp: preserve skb->dst if required for IP options processing 2017-07-18 12:00:13 -07:00
udplite.c udplite: call proper backlog handlers 2016-11-24 15:32:14 -05:00
xfrm4_input.c esp: Add a software GRO codepath 2017-02-15 11:04:11 +01:00
xfrm4_mode_beet.c networking: make skb_pull & friends return void pointers 2017-06-16 11:48:39 -04:00
xfrm4_mode_transport.c xfrm: Add encapsulation header offsets while SKB is not encrypted 2017-04-14 10:07:39 +02:00
xfrm4_mode_tunnel.c xfrm: Add encapsulation header offsets while SKB is not encrypted 2017-04-14 10:07:39 +02:00
xfrm4_output.c xfrm: Add an IPsec hardware offloading API 2017-04-14 10:06:10 +02:00
xfrm4_policy.c xfrm: remove flow cache 2017-07-18 11:13:41 -07:00
xfrm4_protocol.c xfrm: input: constify xfrm_input_afinfo 2017-02-09 10:22:17 +01:00
xfrm4_state.c xfrm: remove unused function 2017-01-10 10:57:12 +01:00
xfrm4_tunnel.c