git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Fri, 28 Jul 2017 09:22:04 +0000 (11:22 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 31 Jul 2017 18:42:00 +0000 (20:42 +0200)
commit	28c04e80b006e82ce2c0c77c3c906fe612e9d674
tree	fa5d6caaf42b7bd0fb2915ac2e725098666b4b0b	tree \| snapshot
parent	3cf32b978f5e2231b720042c7d968164838a7fba	commit \| diff

netfilter: conntrack: do not enable connection tracking unless needed

Discussion during NFWS 2017 in Faro has shown that the current
conntrack behaviour is unreasonable.

Even if conntrack module is loaded on behalf of a single net namespace,
its turned on for all namespaces, which is expensive. Commit
0ce63d497ec ("netfilter: conntrack: add nf_conntrack_default_on sysctl")
attempted to provide an alternative to the 'default on' behaviour by
adding a sysctl to change it.

However, as Eric points out, the sysctl only becomes available
once the module is loaded, and then its too late.

So we either have to move the sysctl to the core, or, alternatively,
change conntrack to become active only once the rule set requires this.

This does the latter, conntrack is only enabled when a rule needs it.

Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Documentation/networking/nf_conntrack-sysctl.txt		diff \| blob \| history
include/net/netfilter/nf_conntrack_l3proto.h		diff \| blob \| history
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c		diff \| blob \| history
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c		diff \| blob \| history
net/netfilter/nf_conntrack_proto.c		diff \| blob \| history
net/netfilter/nf_conntrack_standalone.c		diff \| blob \| history