tunable udp timeout (again)

[netfilter@interlinx.bc.ca]

[-- Attachment #1: Type: text/plain, Size: 1673 bytes --]

Just over a year ago I asked a question
(http://lists.netfilter.org/pipermail/netfilter-devel/2001-May/001217.html)
about whether the UDP (non-streaming -- i.e. session setup) timeout
could be configured on a rule-by-rule basis for protocols that require
more than the (default) 30 seconds to reply to a UDP request.

Daniel Stone replied
(http://lists.netfilter.org/pipermail/netfilter-devel/2001-May/001218.html):

  There was a long discussion about this (see: "[POLICY FLAW] UDP
  connection timeout" or somesuch), and it was decided that it
  wouldn't go in, and we'd all sit around waiting for a better
  solution to arrive :\

And Rusty also replied
(http://lists.netfilter.org/pipermail/netfilter-devel/2001-June/001350.html):

  It looks like the next approach to tweaking UDP should be a table
  inside the UDP module which defines behavior and timeouts for
  individual ports.  Of course, with a module param to modify/add to
  the table.

Has anything (more than
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout) been done about
this problem?  ip_conntrack_udp_timeout is good for the general case
of UDP timeouts, but when 99% of the traffic falls within that timeout
and only 1% needs a longer timeout, it would be better to be able to
configure that 1% as an exception.

I agree that "auto-determination" of the timeout using a table and
port numbers is ideal, but if I were to patch iptables and netfilter
to allow the specification of a timeout on the iptables command line
would it be rejected as not the right solution or would be accepted as
an interim solution to the lookup table?

b.

-- 
Brian J. Murrell

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]