From: Josh Samuelson <josamue1@wsc.edu>
To: Pablo Neira <pablo@eurodev.net>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH] new match extension `flow'
Date: Sun, 7 Nov 2004 20:52:41 -0600
Message-ID: <20041108025241.GA4850@wsc.edu>
In-Reply-To: <418CEB7A.9080505@eurodev.net>

Hi Pablo,

On Sat, Nov 06, 2004 at 04:19:22PM +0100, Pablo Neira wrote:
> Hi Josh,
> please, don't forget that we are still discussing the event API. As this 
> new match goes on top of it, we can hold this patch until the event API 
> is pushed forward. Then we'll go back to this point.

Indeed.

> 
> Some comments:
> 
> >diff -Pru linux-2.6.9/include/linux/netfilter_ipv4/ip_cte_flow.h 
> >linux-2.6.9-flow/include/linux/netfilter_ipv4/ip_cte_flow.h
> >--- linux-2.6.9/include/linux/netfilter_ipv4/ip_cte_flow.h	1969-12-31 
> >18:00:00.000000000 -0600
> >+++ linux-2.6.9-flow/include/linux/netfilter_ipv4/ip_cte_flow.h 2004-11-03 
> >19:10:13.000000000 -0600
> > 
> >
> 
> I see two possibilities here:
> 
> a) move ip_cte_flow.[h|c] to ipt_flow.[h|c], matches always fit in a file.
> b) rename ip_cte_flow to ip_conntrack_flow_stats, this could be a module 
> which generates stats about current connections going through the firewall.
> 
> I need to give more spins to this issue.
> 
> Any comments?
> 
> Pablo

In regards to ip_cte_flow.[h|c], I wasn't sure how to handle this module
with respect to the filesystem namespace.  Those files don't provide
any of the match functionality; they just track the flows from the CTE
API, export a few functions and the linked list of flows, and provide the
"/proc/net/ip_cte_flow" file.  All of which I'm sure you know from the
source, but just to provide some context for those who perhaps haven't
glanced at it.  The main reason I called it ip_cte_flow was because it's
built on/requires 'CTE' functionality.  I figure there is the
potential for a lot of modules needing the CTE API, and perhaps the need
to separate those files that require it into a different filesystem
namespace, since they can't really be classified as a match/target, etc.
If you prefer ip_conntrack_flow_stats, I'm really not partial to
anything.

The ipt_flow.[h|c] file builds on top of the prior module to provide the
match functionality and to track network/mask based flows.  I separated the
two because I can see the need to track the flows via /proc outside of the
iptables match.  I.e. to just have a quick glance at who may be responsible
for a sudden burst of flows.  Or to allow for other match modules
to build on top of it in ways that my simple match module lacks, etc.

Those are my thoughts on why I did things the way I did.  :)

Cheers,
Josh

Thread overview: 10+ messages
2004-10-28  2:05 [PATCH] new match extension `flow' Josh Samuelson
2004-10-28 20:15 ` Josh Samuelson
2004-10-29 19:32 ` Pablo Neira
2004-10-31  6:38   ` Josh Samuelson
2004-10-31 14:41     ` Pablo Neira
2004-11-04  2:20       ` Josh Samuelson
2004-11-06 15:19         ` Pablo Neira
2004-11-08  2:52           ` Josh Samuelson [this message]
2004-11-10 18:12             ` Pablo Neira
2004-11-13 22:12         ` Pablo Neira
