Re: ctnetlink questions

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira <pablo@eurodev.net>
To: Harald Welte <laforge@netfilter.org>,
	netfilter-devel@lists.netfilter.org
Subject: Re: ctnetlink questions
Date: Mon, 09 Feb 2004 11:33:21 +0100	[thread overview]
Message-ID: <402761F1.5070402@eurodev.net> (raw)
In-Reply-To: <20040206185242.GM2312@obroa-skai.de.gnumonks.org>

Hi!

I've been working on an API to add, update conntrack entries since fall 
2003, it's
my final proyect at the university. It's still experimental and it's far 
from Harald and Jozsef
work because of their experience in that matter. Anyway I promise to 
post that patch.

Harald Welte wrote:

>>Because it is not long-term unique. With the tuple approach the
>>administrator risks hitting another connection if the originally intended
>>connection has already been destroyed and replaced by a new connection
>>with the same address details.
>>    
>>

well, I can't see any problem, anyway we could perform some checkings to 
avoid something like this:

- when a create entry message arrives we could check if there's a 
connection with the same address details by using 
ip_conntrack_find_get(...) and if it's found, update the ip_conntrack 
structure with the new info.

but by the means of the id we could have two conntrack structures with 
the same address info. I think that this duplicated info, actually I 
think that it's better considering that last info received about a 
connection is up to date and forget the state of the old one.

>well, but if the tuple is again the same tuple, chances are high the
>administrator actually wants to remove that new connection as much as
>the previous one.  In fact, apart from a short difference in time, they
>_are_ pretty much the same connection.
>  
>
>So from my point of view, the tuple is still sufficient.  Tuple can be
>used by userspace to identify a connection, tuple is used for
>replication messages in ct_sync.
>
>We can also guarantee, that all entries that
>	- existed before the dump started
>	- and still exist when the dump ended
>are actually dumped.
>
>We don't make any guarantees about connections that either started
>within that timeframe, or have been terminated within that timeframe.
>
>I would really like to see the ordered list and id disappear.
>  
>
I agree with Harald, actually I think that adding a new id and that 
ordered stuff will complicate
the current structure, I would prefer redesigning the current structure 
of the conntrack table than adding those fields.

best regards,
Pablo

next prev parent reply	other threads:[~2004-02-09 10:33 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20031019171851.GR21521@sunbeam.de.gnumonks.org>
2003-10-19 19:36 ` ctnetlink questions Patrick McHardy
2003-10-19 20:28   ` Harald Welte
2003-10-19 22:55     ` Patrick McHardy
2003-10-20  1:05       ` Henrik Nordstrom
2003-10-20  3:01         ` Patrick McHardy
2003-10-20  3:09           ` Patrick McHardy
2003-10-20  6:34           ` Henrik Nordstrom
2003-10-20 17:53             ` Patrick McHardy
2003-10-20  7:15           ` Harald Welte
2003-10-20  9:37             ` Henrik Nordstrom
2003-10-20 18:43               ` Patrick McHardy
2003-10-20 18:37                 ` Harald Welte
2003-10-20 19:17                   ` Patrick McHardy
2003-10-20 19:41                   ` Balazs Scheidler
2003-10-20 20:20                     ` Patrick McHardy
2003-10-20 22:59                       ` Harald Welte
2003-10-20 18:17             ` Patrick McHardy
2003-10-20 18:39               ` Harald Welte
2003-10-20 19:21                 ` Patrick McHardy
2003-10-21 16:47                 ` Patrick McHardy
2003-10-21 19:54                   ` Henrik Nordstrom
2003-10-21 20:00                     ` Patrick McHardy
2003-10-20 18:52               ` Harald Welte
2003-10-20 19:52                 ` Patrick McHardy
2003-10-20 23:09                   ` Harald Welte
2003-10-20  7:04         ` Harald Welte
2003-10-20  7:17         ` Jozsef Kadlecsik
2003-10-20  9:29           ` Henrik Nordstrom
2004-02-06 18:52             ` Harald Welte
2004-02-09 10:33               ` Pablo Neira [this message]
2004-02-10 12:39               ` Patrick McHardy
2004-02-14 20:03                 ` Harald Welte
2004-02-15 10:01                   ` Patrick McHardy
2004-02-17 21:37                     ` Harald Welte
2003-10-20 14:48           ` Harald Welte
2003-10-20 18:53             ` Patrick McHardy
2003-10-20 22:57               ` Harald Welte
2003-10-20 11:11         ` Jozsef Kadlecsik
2003-10-20  6:58       ` Harald Welte
2003-10-19 14:54 Harald Welte

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=402761F1.5070402@eurodev.net \
    --to=pablo@eurodev.net \
    --cc=laforge@netfilter.org \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.