Illegal option `-i' with conntrack -I

Illegal option `-i' with conntrack -I

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 480 bytes --]

Hello,

It seems it is not possible to specify conntrack id while adding new 
conntrack. Is it intentionally?

# conntrack -I --orig-src 1.2.3.4 --orig-dst 1.2.3.5 --reply-src 2.3.4.5 --reply-dst 2.3.4.5 -p tcp --orig-port-src 1 --orig-port-dst 2 --reply-port-src 3 --reply-port-dst 5 -t 32323 -u ASSURED -i 99
conntrack v0.95: Illegal option `-i' with this command
Try `conntrack -h' or 'conntrack --help' for more information.

Best regards,


 				Krzysztof Olędzki

Re: Illegal option `-i' with conntrack -I

[KOVACS Krisztian]

  Hi,

On Thursday 03 November 2005 14.36, Krzysztof Oledzki wrote:
> It seems it is not possible to specify conntrack id while adding new
> conntrack. Is it intentionally?
>
> # conntrack -I --orig-src 1.2.3.4 --orig-dst 1.2.3.5 --reply-src
> 2.3.4.5 --reply-dst 2.3.4.5 -p tcp --orig-port-src 1 --orig-port-dst
> 2 --reply-port-src 3 --reply-port-dst 5 -t 32323 -u ASSURED -i 99
> conntrack v0.95: Illegal option `-i' with this command
> Try `conntrack -h' or 'conntrack --help' for more information.

  I guess it's intentional. For the netlink dump to work you need the 
IDs of conntrack entries to be unique and monotonously increasing, and 
that's what setting the ID from userspace could ruin.

-- 
 Regards,
  Krisztian Kovacs

Re: Illegal option `-i' with conntrack -I

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 912 bytes --]



On Thu, 3 Nov 2005, KOVACS Krisztian wrote:

>
>  Hi,
>
> On Thursday 03 November 2005 14.36, Krzysztof Oledzki wrote:
>> It seems it is not possible to specify conntrack id while adding new
>> conntrack. Is it intentionally?
>>
>> # conntrack -I --orig-src 1.2.3.4 --orig-dst 1.2.3.5 --reply-src
>> 2.3.4.5 --reply-dst 2.3.4.5 -p tcp --orig-port-src 1 --orig-port-dst
>> 2 --reply-port-src 3 --reply-port-dst 5 -t 32323 -u ASSURED -i 99
>> conntrack v0.95: Illegal option `-i' with this command
>> Try `conntrack -h' or 'conntrack --help' for more information.
>
>  I guess it's intentional. For the netlink dump to work you need the
> IDs of conntrack entries to be unique and monotonously increasing, and
> that's what setting the ID from userspace could ruin.

So netlink will never allow to save & restore exact status of 
the ip_conntrack?

Best regards,

 				Krzysztof Olędzki

Re: Illegal option `-i' with conntrack -I

[KOVACS Krisztian]

  Hi,

On Thursday 03 November 2005 15.12, Krzysztof Oledzki wrote:
> > On Thursday 03 November 2005 14.36, Krzysztof Oledzki wrote:
> >> It seems it is not possible to specify conntrack id while adding
> >> new conntrack. Is it intentionally?
> >
> >  I guess it's intentional. For the netlink dump to work you need
> > the IDs of conntrack entries to be unique and monotonously
> > increasing, and that's what setting the ID from userspace could
> > ruin.
>
> So netlink will never allow to save & restore exact status of
> the ip_conntrack?

  Apart from the netlink interface nothing uses the ID, so obviously 
there's no way it could have any influence on connection tracking or 
packet classification. But then what's the point in restoring it?

-- 
 Regards,
  Krisztian Kovacs

Re: Illegal option `-i' with conntrack -I

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1229 bytes --]



On Thu, 3 Nov 2005, KOVACS Krisztian wrote:

>
>  Hi,
>
> On Thursday 03 November 2005 15.12, Krzysztof Oledzki wrote:
>>> On Thursday 03 November 2005 14.36, Krzysztof Oledzki wrote:
>>>> It seems it is not possible to specify conntrack id while adding
>>>> new conntrack. Is it intentionally?
>>>
>>>  I guess it's intentional. For the netlink dump to work you need
>>> the IDs of conntrack entries to be unique and monotonously
>>> increasing, and that's what setting the ID from userspace could
>>> ruin.
>>
>> So netlink will never allow to save & restore exact status of
>> the ip_conntrack?
>
>  Apart from the netlink interface nothing uses the ID, so obviously
> there's no way it could have any influence on connection tracking or
> packet classification. But then what's the point in restoring it?

For userspace I think... Of course if one day netlink will allow to 
preserve ip_conntrack between reboots or to synchronize two firewalls.

I think that netlink could easly check if selected ID is valid as it have 
to be bigger than last used one.

Anyway, there are more important problems like keeping tcp segment 
numbers, so no problem.


Best regards,

 				Krzysztof Olędzki