* Having expectations live past the master connection's lifetime
@ 2012-06-07 17:34 Kelvie Wong
2012-06-12 17:56 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Kelvie Wong @ 2012-06-07 17:34 UTC (permalink / raw)
To: netfilter-devel
Hello all,
I have noticed that expectations seem to get deleted as soon as their
master connection finishes their TIME_WAIT. Is there any way to have
expectations outlive their masters?
I need to have a dynamic port open (for DCERPC), and the initial
connection to the endpoint mapper is typically short-lived.
The way I was going to do this was to just add a rule with iptables
using a userspace helper; is there a better way to do this?
--
Kelvie Wong
* Re: Having expectations live past the master connection's lifetime
2012-06-07 17:34 Having expectations live past the master connection's lifetime Kelvie Wong
@ 2012-06-12 17:56 ` Pablo Neira Ayuso
2012-06-12 18:04 ` Kelvie Wong
0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2012-06-12 17:56 UTC (permalink / raw)
To: Kelvie Wong; +Cc: netfilter-devel
On Thu, Jun 07, 2012 at 10:34:13AM -0700, Kelvie Wong wrote:
> Hello all,
>
> I have noticed that expectations seem to get deleted as soon as their
> master connection finishes their TIME_WAIT. Is there any way to have
> expectations outlive their masters?
Not yet.
> I need to have a dynamic port open (for DCERPC), and the initial
> connection to the endpoint mapper is typically short-lived.
>
> The way I was going to do this was to just add a rule with iptables
> using a userspace helper; is there a better way to do this?
We can skip removing these expectations by setting some flag in the
expectation. Still, we'll have to insert those expectations in some
list so we make sure that they are removed on module removal.
Another problem is that I cannot take that kernel patch if there's no
publicly available Netfilter code using it.
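Added example, not part of the thread and not kernel code: a userspace C model of the lifetime rule sketched in the reply above, where a flagged expectation survives its master but is parked on a helper-wide list so that module removal can still free it. Every name in it (EXP_F_OUTLIVE_MASTER, struct helper, the functions) is hypothetical, and the port numbers are constructed.

```c
/* Userspace model only; all identifiers are hypothetical, not kernel API. */
#include <stdbool.h>
#include <stdlib.h>

#define EXP_F_OUTLIVE_MASTER 0x1u   /* hypothetical "keep after master" flag */

struct expect {
    int port;                /* expected dynamic port */
    unsigned flags;
    struct expect *next;     /* master's list, or helper's list once orphaned */
};
struct master { struct expect *exps; };
struct helper { struct expect *orphans; };  /* walked on module removal */

static struct expect *expect_add(struct master *m, int port, unsigned flags)
{
    struct expect *e = calloc(1, sizeof(*e));
    if (!e)
        return NULL;
    e->port = port;
    e->flags = flags;
    e->next = m->exps;
    m->exps = e;
    return e;
}

/* Master connection is destroyed: free its expectations, except flagged
 * ones, which move to the helper's list so they remain reachable. */
static int master_destroy(struct master *m, struct helper *h)
{
    int freed = 0;
    for (struct expect *e = m->exps, *n; e; e = n) {
        n = e->next;
        if (e->flags & EXP_F_OUTLIVE_MASTER) { e->next = h->orphans; h->orphans = e; }
        else { free(e); freed++; }
    }
    m->exps = NULL;
    return freed;
}

/* Helper module removal: no expectation may survive this point. */
static int helper_unregister(struct helper *h)
{
    int freed = 0;
    for (struct expect *e = h->orphans, *n; e; e = n) { n = e->next; free(e); freed++; }
    h->orphans = NULL;
    return freed;
}

static bool port_expected(const struct helper *h, int port)
{
    for (const struct expect *e = h->orphans; e; e = e->next)
        if (e->port == port) return true;
    return false;
}
```

Without the helper-wide list, a flagged expectation would have no owner left after its master is destroyed and nothing could free it when the helper module is unloaded.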
* Re: Having expectations live past the master connection's lifetime
2012-06-12 17:56 ` Pablo Neira Ayuso
@ 2012-06-12 18:04 ` Kelvie Wong
0 siblings, 0 replies; 3+ messages in thread
From: Kelvie Wong @ 2012-06-12 18:04 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Tue, Jun 12, 2012 at 10:56 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> We can skip removing these expectations by setting some flag in the
> expectation. Still, we'll have to insert those expectations in some
> list so we make sure that they are removed on module removal.
Ah, I see. I think it would be easier to just insert an iptables rule
for what I want.
> Another problem is that I cannot take that kernel patch if there's no
> publicly available Netfilter code using it.
That needn't be a problem, as I could probably add something, but I
think I'll just use iptables for this purpose.
Thanks for the reply, though.
--
Kelvie Wong