* ip_conntrack-timeouts conflicts with tcp-window-tracking
From: netfilter @ 2002-10-25 20:34 UTC (permalink / raw)
To: Netfilter-devel
Which should I prefer, or should I merge them by taking the bulk of
the tcp-window-tracking patch and replace the references to timeout
constants with the sysctl controlled timeout values that
ip_conntrack-timeouts provides?

So for an example, tcp-window-tracking has this patch:
--- linux-2.4.19-base/net/ipv4/netfilter/ip_conntrack_proto_udp.c Fri Oct 18 11:38:10 2002
+++ linux-2.4.19-tcp-window/net/ipv4/netfilter/ip_conntrack_proto_udp.c Fri Oct 18 11:56:35 2002
@@ -6,6 +6,9 @@
#include <linux/udp.h>
#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
#include <linux/netfilter_ipv4/ip_conntrack_udp.h>
+
+unsigned long ip_ct_udp_timeout = 30*HZ;
+unsigned long ip_ct_udp_timeout_stream = 180*HZ;
static int udp_pkt_to_tuple(const void *datah, size_t datalen,
struct ip_conntrack_tuple *tuple)
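Review bot: ip_ct_udp_timeout and ip_ct_udp_timeout_stream are added at file scope as non-static globals, with no comment and no declaration visible in this hunk. If they are meant to be written from outside this file, declare them extern in ip_conntrack_udp.h (already included in the context lines above) and add a comment stating that the unit is jiffies, since both initializers are multiples of HZ; if they are not, make them static.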
@@ -52,11 +52,11 @@
/* If we've seen traffic both ways, this is some kind of UDP
stream. Extend timeout. */
if (conntrack->status & IPS_SEEN_REPLY) {
- ip_ct_refresh(conntrack, UDP_STREAM_TIMEOUT);
+ ip_ct_refresh(conntrack, ip_ct_udp_timeout_stream);
/* Also, more likely to be important, and not a probe */
set_bit(IPS_ASSURED_BIT, &conntrack->status);
} else
- ip_ct_refresh(conntrack, UDP_TIMEOUT);
+ ip_ct_refresh(conntrack, ip_ct_udp_timeout);
return NF_ACCEPT;
}
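Review bot: the header "@@ -52,11 +52,11 @@" gives the same start line on both sides, although the previous hunk ("-6,6 +6,9") adds three lines, so the new-side start would be expected at 55. patch(1) will normally cope with this by applying an offset, but the mismatch suggests the diff was hand-edited or assembled from separate diffs; regenerate it so the offsets agree. Separately, both ip_ct_refresh() calls now pass a runtime variable straight through, and nothing in the visible lines enforces a lower bound, so a value of 0 would reach ip_ct_refresh() unchanged; a minimum should be enforced where the variable is set.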
But, ip_conntrack-timeouts has this conflicting patch:
--- linux-2.4.20-pre7.orig/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2002-09-14 20:08:16.000000000 +0200
+++ linux-2.4.20-pre7/net/ipv4/netfilter/ip_conntrack_proto_udp.c 2002-09-19 21:57:47.000000000 +0200
@@ -5,9 +5,7 @@
#include <linux/in.h>
#include <linux/udp.h>
#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
-
-#define UDP_TIMEOUT (30*HZ)
-#define UDP_STREAM_TIMEOUT (180*HZ)
+#include <linux/netfilter_ipv4/ip_conntrack_udp.h>
static int udp_pkt_to_tuple(const void *datah, size_t datalen,
struct ip_conntrack_tuple *tuple)
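Review bot: removing the UDP_TIMEOUT and UDP_STREAM_TIMEOUT defines here while the next hunk reuses the same names as indices into sysctl_ip_conntrack_udp_timeouts[] changes their meaning from a duration (30*HZ, 180*HZ) to an array index. Any remaining code that passes UDP_TIMEOUT directly as a timeout would still compile and silently use the index value instead. Distinct names for the indices would avoid that; their new definitions are not visible in this diff and are presumably in the newly included ip_conntrack_udp.h.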
@@ -52,11 +50,13 @@
/* If we've seen traffic both ways, this is some kind of UDP
stream. Extend timeout. */
if (conntrack->status & IPS_SEEN_REPLY) {
- ip_ct_refresh(conntrack, UDP_STREAM_TIMEOUT);
+ ip_ct_refresh(conntrack,
+ sysctl_ip_conntrack_udp_timeouts[UDP_STREAM_TIMEOUT]);
/* Also, more likely to be important, and not a probe */
set_bit(IPS_ASSURED_BIT, &conntrack->status);
} else
- ip_ct_refresh(conntrack, UDP_TIMEOUT);
+ ip_ct_refresh(conntrack,
+ sysctl_ip_conntrack_udp_timeouts[UDP_TIMEOUT]);
return NF_ACCEPT;
}
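Review bot: both ip_ct_refresh() calls now pass sysctl_ip_conntrack_udp_timeouts[...] through unchanged, and the hunk shows neither the unit of the stored values nor any range check. The constants removed in the previous hunk were in jiffies (30*HZ, 180*HZ), so a value written in seconds would shorten the timeouts by a factor of HZ. Document the unit next to the array declaration and convert or clamp the value where it is written, rather than at each call site.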
I sure like the idea of the tcp window tracking patch and would like it,
but I also like being able to control timeouts via sysctl rather than
having to use defined constants.

Would there be any danger in merging these two features manually into my
kernel source?

b.
--
Brian J. Murrell
* Re: ip_conntrack-timeouts conflicts with tcp-window-tracking
From: Jozsef Kadlecsik @ 2002-10-28 11:29 UTC (permalink / raw)
To: netfilter; +Cc: Netfilter-devel
On Fri, 25 Oct 2002 netfilter@interlinx.bc.ca wrote:

> Which should I prefer, or should I merge them by taking the bulk of
> the tcp-window-tracking patch and replace the references to timeout
> constants with the sysctl controlled timeout values that
> ip_conntrack-timeouts provides?
[...]
> I sure like the idea of the tcp window tracking patch and would like it,
> but I also like being able to control timeouts via sysctl rather than
> having to use defined constants.

The tcp-window-tracking patch does provide sysctl control of all the timeout
parameters. Please read the help file.

Regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: ip_conntrack-timeouts conflicts with tcp-window-tracking
From: netfilter @ 2002-10-28 12:14 UTC (permalink / raw)
To: Netfilter-devel
On Mon, Oct 28, 2002 at 12:29:52PM +0100, Jozsef Kadlecsik wrote:
>
> The tcp-window-tracking patch does provide sysctl control of all the timeout
> parameters.

Indeed! After deeper examination of the tcp-window-tracking patch I
did discover that it provides a whole host of sysctlable values.

> Please read the help file.

Didn't need to. Read the source. :-)

Now I'm off to build and debug a kernel that does not give me an
"Invalid argument" when trying to add nat table rules.

Thanx,
b.
--
Brian J. Murrell