On Tue, Sep 09, 2008 at 07:49:34AM +0200, Patrick McHardy wrote:

Alexey Dobriyan wrote:

quoted

Make per-netns a) expectation hash and b) expectations count.

Expectations always belongs to netns to which it's master conntrack belong.
This is natural and doesn't bloat expectation.

Proc files and leaf users are stubbed to init_net, this is temporary.

Looks fine, applied.

quoted

@@ -406,7 +404,7 @@ int nf_ct_expect_related(struct nf_conntrack_expect *expect)
 		}
 	}
 -	if (nf_ct_expect_count >= nf_ct_expect_max) {
+	if (net->ct.expect_count >= nf_ct_expect_max) {
 		if (net_ratelimit())
 			printk(KERN_WARNING
 			       "nf_conntrack: expectation table full\n");

I assume these message are globally visible even with namespaces?
Can we make this (and the corresponding ct hash message) refer to
the namespace? Otherwise it might be a bit confusing.

This is somewhat peculiar situation.

netns doesn't have unique ID like, say, ifindex.

The only number related to netns is "struct net *". They can be
distinguised by pointer value, but userspace when does clone(CLONE_NEWNET)
do not, obviously, control it and after creation doesn't have a way to find
it out.

And if we print with "%p, net" kernelspace pointer get exposed which is
not nice.