Harald Welte wrote:
> Hi!
>
> I recently found out about your tool 'iptstate'.
>
> First of all, I think it serves a good purpose, and it is definitely
> something that netfilter/iptables users need.

Thanks. I post new versions to the netfilter mailing list...

> 1) reading /proc/net/ip_conntrack is currently (still) racy on SMP
> boxes. This means it cannot be used as a reliable source.

I didn't know that. I'll put it in the docs of the next version. Thanks
for the heads up.

> 2) reading /proc/net/ip_conntrack has a huge impact on the performance
> of the conntrack system

Really? Also good to know.

> It would be fine if you could inform your users about those issues.
> Feel free to blame the netfilter/iptables developers, since it's our
> fault to offer such a broken interface in the first place.

Will do! =)

> I suggest to consider porting your application on top of ctnetlink (see
> libctnetlink in netfilter cvs and the nfnetlink-ctnetlink patch in
> patch-o-matic).

I might just do that. Do those libraries have hooks to do things like..
um, say remove a state from the state table? It's a commonly requested
feature of iptstate.

> 3) The name of the application is misleading. iptables itself does not
> track any state information. It is ip_conntrack that does. There is
> almost no relation between both of them.

Sorry, but there's no way I'm renaming my app. =) I don't think it's THAT
misleading. ip_conntrack is an iptables module. It's not some application
that sits on top of any firewall, it's very iptables specific. It makes
iptables have stateful capabilities.

> Thanks for your attention,

Thanks for your comments!

--
Phil Dibowitz                             phil@ipom.com
Freeware and Technical Pages              Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
 - Benjamin Franklin, 1759
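As an added illustration (not iptstate's own code and not part of the thread), here is a Python parser for the classic /proc/net/ip_conntrack line layout that reads the file once per refresh and parses the in-memory copy, which is the reading pattern the performance caveat above argues for. The sample lines are constructed, and the field layout (protocol name, protocol number, timeout, optional TCP state name, original tuple, optional [UNREPLIED], reply tuple, optional [ASSURED], then mark=/use= style flags) is assumed from the classic ip_conntrack proc output; field sets vary between kernel versions, so everything after the timeout is treated as free-form tokens.

```python
"""Snapshot-and-parse /proc/net/ip_conntrack the way a tool like iptstate would.

Added example, not iptstate's code. The line layout is an assumption
about the classic ip_conntrack proc format; per-direction packets=/bytes=
counters only appear on accounting-enabled kernels.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample lines in the classic ip_conntrack layout (not real traffic).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=43210 dport=80 packets=12 bytes=1340 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=43210 packets=9 bytes=5120 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=192.0.2.10 dst=198.51.100.7 sport=43211 dport=443 packets=1 bytes=60 [UNREPLIED] src=198.51.100.7 dst=192.0.2.10 sport=443 dport=43211 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=5353 dport=53 packets=1 bytes=62 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=5353 packets=1 bytes=150 mark=0 use=1
icmp     1 29 src=192.0.2.10 dst=198.51.100.1 type=8 code=0 id=1234 packets=1 bytes=84 [UNREPLIED] src=198.51.100.1 dst=192.0.2.10 type=0 code=0 id=1234 packets=0 bytes=0 mark=0 use=1
"""

KV = re.compile(r"^([A-Za-z_]+)=(\S+)$")
# Keys that belong to a direction tuple; anything else (mark=, use=, ...) is table-level.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id", "packets", "bytes"}


@dataclass
class Entry:
    proto: str
    proto_num: int
    timeout: int
    state: str                                 # TCP state name, "" for other protocols
    orig: dict = field(default_factory=dict)   # original-direction tuple
    reply: dict = field(default_factory=dict)  # reply-direction tuple
    flags: set = field(default_factory=set)    # e.g. {"ASSURED"} or {"UNREPLIED"}
    extra: dict = field(default_factory=dict)  # mark=, use=, ...


def parse_line(line: str) -> Entry:
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError(f"short conntrack line: {line!r}")
    proto, proto_num, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    state = ""
    # A bare word right after the timeout (no '=' and not bracketed) is the TCP state.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)
    entry = Entry(proto, proto_num, timeout, state)
    # Each 'src=' opens a new direction tuple: the first is original, the second is reply.
    direction = 0
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry.flags.add(tok[1:-1])
            continue
        m = KV.match(tok)
        if not m:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
        key, value = m.group(1), m.group(2)
        if key == "src":
            direction += 1
        if key in TUPLE_KEYS and direction == 1:
            entry.orig[key] = value
        elif key in TUPLE_KEYS and direction == 2:
            entry.reply[key] = value
        else:
            entry.extra[key] = value
    return entry


def parse_table(text: str) -> list[Entry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def read_conntrack_once(path: str = "/proc/net/ip_conntrack") -> list[Entry]:
    # One read of the whole file per refresh, then parse the copy in memory.
    # Every read makes the kernel walk the whole conntrack table, which is the
    # cost described in the thread, so do not re-read it per entry or per screen line.
    with open(path) as fh:
        return parse_table(fh.read())


def summarize(entries: list[Entry]) -> dict:
    """Count entries by TCP state, or by protocol for non-TCP entries."""
    return dict(Counter(e.state or e.proto for e in entries))


if __name__ == "__main__":
    try:
        table = read_conntrack_once()
    except OSError:
        table = parse_table(SAMPLE_CONNTRACK)  # fall back to the constructed sample
    for e in table:
        print(e.proto, e.state, e.orig.get("src"), "->", e.orig.get("dst"), sorted(e.flags))
    print(summarize(table))
```

Note that a single snapshot does nothing about the SMP race Harald describes: the kernel may rearrange the table while the proc file is being generated, so an entry can be missed or reported twice within one read. That, plus the per-read cost, is the case for moving to ctnetlink rather than polishing the proc parser.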