* Eric Leblond wrote, On 21/02/07 13:13:
> Hi,
>
> Le mercredi 21 février 2007 à 13:51 +0100, Pablo Neira
Ayuso a écrit :
>> Hi Eric,
>>
>> I don't see why you may need the mark in the
destroy message. You can
>> keep a cache in userspace with the connections that
belong to a certain
>> subset and their marks, then if the mark changes,
move such connection
>> the a different subset. It doesn't make sense to me
the idea of
>> including the mark in the destroy message since
such mark didn't change
>> with regards to the previous event delivered.
>
> I do not agree with the idea of having a cache in
userspace. It has been
> coded in kernel and for this kind of stuff, once is
enough. I really
> want to avoid all synchronisation problems we could
have to do this in
> userspace.
>
> Furthermore, mark exists to be able to create subset
for other tools
> like tc or ip.
I'm with Eric. I'm already using a patch like his.
Why keep a cache in user-space when there is already a cache
in
kernel-space?
There are two clear choices; the old ulogd that keeps a full
cache in
user space and receives every packet over netlink; or
conntrack that
keeps a whole cache in kernel-space, updates counters in
kernel space
and only sends significant updates over netlink.
To replicate the whole conntrack hash in user-space to avoid
sending a
couple of bytes over netlink on connection-destroy is to
seek after some
kind of optimization that I don't rightly understand.
Sam
|
