ip_conntrack-timeouts conflicts with tcp-window-tracking

[netfilter@interlinx.bc.ca]

[-- Attachment #1: Type: text/plain, Size: 3079 bytes --]

Which should I prefer, or should I merge them by taking the bulk of
the tcp-window-tracking patch and replace the references to timeout
constants with the sysctl controlled timeout values that
ip_conntrack-timeouts provides?

So for an example, tcp-window-tracking has this patch:

--- linux-2.4.19-base/net/ipv4/netfilter/ip_conntrack_proto_udp.c       Fri Oct 18 11:38:10 2002
+++ linux-2.4.19-tcp-window/net/ipv4/netfilter/ip_conntrack_proto_udp.c Fri Oct 18 11:56:35 2002
@@ -6,6 +6,9 @@
 #include <linux/udp.h>
 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
 #include <linux/netfilter_ipv4/ip_conntrack_udp.h>
+
+unsigned long ip_ct_udp_timeout = 30*HZ;
+unsigned long ip_ct_udp_timeout_stream = 180*HZ;
 
 static int udp_pkt_to_tuple(const void *datah, size_t datalen,
                struct ip_conntrack_tuple *tuple)
@@ -52,11 +52,11 @@
    /* If we've seen traffic both ways, this is some kind of UDP
       stream.  Extend timeout. */
    if (conntrack->status & IPS_SEEN_REPLY) {
-               ip_ct_refresh(conntrack, UDP_STREAM_TIMEOUT);
+               ip_ct_refresh(conntrack, ip_ct_udp_timeout_stream);
        /* Also, more likely to be important, and not a probe */
        set_bit(IPS_ASSURED_BIT, &conntrack->status);
    } else
-               ip_ct_refresh(conntrack, UDP_TIMEOUT);
+               ip_ct_refresh(conntrack, ip_ct_udp_timeout);
 
    return NF_ACCEPT;
 }

But, ip_conntrack-timeouts has this conflicting patch:

--- linux-2.4.20-pre7.orig/net/ipv4/netfilter/ip_conntrack_proto_udp.c  2002-09-14 20:08:16.000000000 +0200
+++ linux-2.4.20-pre7/net/ipv4/netfilter/ip_conntrack_proto_udp.c       2002-09-19 21:57:47.000000000 +0200
@@ -5,9 +5,7 @@
 #include <linux/in.h>
 #include <linux/udp.h>
 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
-
-#define UDP_TIMEOUT (30*HZ)
-#define UDP_STREAM_TIMEOUT (180*HZ)
+#include <linux/netfilter_ipv4/ip_conntrack_udp.h>
 
 static int udp_pkt_to_tuple(const void *datah, size_t datalen,
                struct ip_conntrack_tuple *tuple)
@@ -52,11 +50,13 @@
    /* If we've seen traffic both ways, this is some kind of UDP
       stream.  Extend timeout. */
    if (conntrack->status & IPS_SEEN_REPLY) {
-               ip_ct_refresh(conntrack, UDP_STREAM_TIMEOUT);
+               ip_ct_refresh(conntrack, 
+                       sysctl_ip_conntrack_udp_timeouts[UDP_STREAM_TIMEOUT]);
        /* Also, more likely to be important, and not a probe */
        set_bit(IPS_ASSURED_BIT, &conntrack->status);
    } else
-               ip_ct_refresh(conntrack, UDP_TIMEOUT);
+               ip_ct_refresh(conntrack, 
+                       sysctl_ip_conntrack_udp_timeouts[UDP_TIMEOUT]);
 
    return NF_ACCEPT;
 }


I sure like the idea of the tcp window tracking patch and would like it,
but I also like being able to control timeouts via sysctl rather than
having to use defined constants.

Would there be any danger in merging these two features manually into my
kernel source?

b.

-- 
Brian J. Murrell

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]