From: netfilter@interlinx.bc.ca
To: netfilter-devel@lists.netfilter.org
Subject: Re: How to create a "persistent" expectation with newnat?
Date: Wed, 26 Feb 2003 17:18:17 -0500
Message-ID: <20030226221816.GA4557@pc.ilinx>
In-Reply-To: <200302262211.h1QMBUm21885@singularity.tronunltd.com>
On Thu, Feb 27, 2003 at 08:11:29AM +1100, Ian Latter wrote:
>
> Howdy netfilter-dude,
Howdy pardner. :-)
> Wouldn't most of your problems go away if you set the expectation
> on the outbound connection?
I do that. And it works while there are outbound connections. But as
I described in my last message, there might be some time (quite a bit
of time in fact) between outgoing connections. Indeed, once you have
been on the network long enough and your address gets known to enough
other peers on the network, you will start to see enough incoming
connections that you no longer make outgoing connections to keep the
"minimum connections" count up.
Since there potentially can be no outgoing connections after the first
few, it is these incoming connections that need to keep the "flywheel"
(of inbound expectations) going.
> I.e. if I were to alter my rsh module to
> do gnutella, on what you've said below, I would look for the one
> outbound connection (client to server --- or client to universe in p2p),
> set up an expectation on the inbound connections (universe to client)
> for either an unlimited or numbered count of each type, then handle
> these connections.
But the expectation will go away when either of a) it times out, or b)
the master connection goes away. It is for both of these reasons that
the expectation needs to continually be renewed (even when your only
connections are inbound). It needs to be attached to an ESTABLISHED
connection and not be timed out.
> In this way you will also avoid hassles later with NAT ....
For inbound connections, I don't know that there are NAT issues yet.
I don't think anything in the payload needs to be altered. I have not
looked that deeply yet.
> So, generally, my feeling from netfilter is that you track the
> outbound and expect the inbound ...
Generally, I agree with you -- for protocols where this is in fact the
case.
b.
--
Brian J. Murrell
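An added toy model (my own Python, not netfilter or the poster's code) of the lifetime rules discussed in this message: an expectation dies when it times out or when its master connection goes away, so after the outbound connection idles out only an expectation re-armed by each accepted inbound connection keeps the "flywheel" turning. The timeouts and the `Tracker` class are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    cid: str
    last_seen: float


@dataclass
class Expect:
    master: Conn      # expectation is owned by a tracked connection
    expires: float    # and has its own timeout


class Tracker:
    """Hypothetical conntrack model: connections idle out, expectations
    die on their own timeout or when their master connection is gone."""

    def __init__(self, conn_timeout=100.0, expect_timeout=30.0, renew_on_inbound=False):
        self.conn_timeout, self.expect_timeout = conn_timeout, expect_timeout
        self.renew_on_inbound = renew_on_inbound
        self.conns, self.expects = {}, []

    def _gc(self, now):
        self.conns = {c: v for c, v in self.conns.items()
                      if now - v.last_seen < self.conn_timeout}
        self.expects = [e for e in self.expects
                        if e.expires > now and e.master.cid in self.conns]

    def _expect(self, master, now):
        self.expects.append(Expect(master, now + self.expect_timeout))

    def outbound(self, cid, now):
        self._gc(now)
        conn = self.conns[cid] = Conn(cid, now)
        self._expect(conn, now)           # helper on the outbound side sets the expectation

    def inbound(self, cid, now):
        self._gc(now)
        if not self.expects:
            return False                  # no live expectation: inbound is unrelated NEW
        conn = self.conns[cid] = Conn(cid, now)
        if self.renew_on_inbound:
            self._expect(conn, now)       # the flywheel: each accepted inbound re-arms
        return True


def run_scenario(renew_on_inbound):
    """Constructed timeline: one outbound at t=0, then inbound attempts at widening gaps."""
    t = Tracker(renew_on_inbound=renew_on_inbound)
    t.outbound("out1", 0.0)
    return [t.inbound(f"in{i}", now) for i, now in enumerate([10.0, 35.0, 60.0, 200.0])]
```

Without renewal only the first inbound (before the 30s expectation timeout) is accepted; with renewal each inbound re-arms the next, until the 140s gap outlives both the expectation and its master.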