Date: Fri, 22 Dec 2023 13:01:10 +0100
From: Pablo Neira Ayuso
To: Felix Huettner
Cc: linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org,
 coreteam@netfilter.org, netdev@vger.kernel.org,
 linux-kselftest@vger.kernel.org, kadlec@netfilter.org, fw@strlen.de,
 davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
 shuah@kernel.org, luca.czesla@mail.schwarz, max.lamprecht@mail.schwarz
Subject: Re: [PATCH net-next v2] net: ctnetlink: support filtering by zone

On Mon, Nov 27, 2023 at 11:49:16AM +0000, Felix Huettner wrote:
> conntrack zones are heavily used by tools like openvswitch to run
> multiple virtual "routers" on a single machine. In this context each
> conntrack zone matches to a single router, thereby preventing
> overlapping IPs from becoming issues.
> In these systems it is common to operate on all conntrack entries of a
> given zone, e.g. to delete them when a router is deleted. Previously this
> required these tools to dump the full conntrack table and filter out the
> relevant entries in userspace potentially causing performance issues.
>
> To do this we reuse the existing CTA_ZONE attribute. This was previously
> parsed but not used during dump and flush requests. Now if CTA_ZONE is
> set we filter these operations based on the provided zone.
> However this means that users that previously passed CTA_ZONE will
> experience a difference in functionality.
>
> Alternatively CTA_FILTER could have been used for the same
> functionality. However it is not yet supported during flush requests and
> is only available when using AF_INET or AF_INET6.

For the record, this is applied to nf-next.
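
The request layout the quoted commit message relies on, as an added example that is not code from the patch or from either author: a userspace builder for a ctnetlink dump or flush message carrying CTA_ZONE. The function `ct_zone_request` and the structs `nl_hdr`, `nfgen` and `nl_attr` are hypothetical local mirrors of `nlmsghdr`, `nfgenmsg` and `nlattr`; the numeric constants are copied from the Linux uapi headers so the block compiles without them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Numeric values as in linux/netlink.h and linux/netfilter/nfnetlink*.h */
#define NLM_F_REQUEST         0x001
#define NLM_F_ACK             0x004
#define NLM_F_DUMP            0x300
#define NFNL_SUBSYS_CTNETLINK 1
#define IPCTNL_MSG_CT_GET     1
#define IPCTNL_MSG_CT_DELETE  2
#define CTA_ZONE              18

/* Hypothetical local mirrors of nlmsghdr, nfgenmsg and nlattr */
struct nl_hdr  { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };
struct nfgen   { uint8_t family, version; uint16_t res_id; };
struct nl_attr { uint16_t len, type; };

/* Build a dump (flush == 0) or flush (flush != 0) request scoped to `zone`.
 * A flush is a DELETE that carries no tuple attribute.
 * Returns the message length, or 0 if `cap` is too small. */
size_t ct_zone_request(uint8_t *buf, size_t cap, uint8_t family,
                       uint16_t zone, int flush, uint32_t seq)
{
    struct nl_hdr h = {0};
    struct nfgen g = { family, 0 /* NFNETLINK_V0 */, 0 };
    struct nl_attr a = { sizeof a + 2, CTA_ZONE };  /* nla_len excludes pad */
    /* The zone id travels as big-endian u16, padded to 4 bytes */
    uint8_t zone_be[4] = { (uint8_t)(zone >> 8), (uint8_t)zone, 0, 0 };
    size_t total = sizeof h + sizeof g + sizeof a + sizeof zone_be;

    if (cap < total) return 0;
    h.len = (uint32_t)total;
    h.type = (NFNL_SUBSYS_CTNETLINK << 8) |
             (flush ? IPCTNL_MSG_CT_DELETE : IPCTNL_MSG_CT_GET);
    h.flags = NLM_F_REQUEST | (flush ? NLM_F_ACK : NLM_F_DUMP);
    h.seq = seq;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, &g, sizeof g);
    memcpy(buf + sizeof h + sizeof g, &a, sizeof a);
    memcpy(buf + sizeof h + sizeof g + sizeof a, zone_be, sizeof zone_be);
    return total;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = ct_zone_request(buf, sizeof buf, 0, 42, 0, 1);
    for (size_t i = 0; i < n; i++) printf("%02x", buf[i]);
    putchar('\n');
    return n == 28 ? 0 : 1;
}
```

Per the commit message, a kernel without this change parses CTA_ZONE but does not act on it, so the same flush request there is not limited to the given zone.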