* Comments on iptstate
@ 2004-02-15 19:07 Harald Welte
From: Harald Welte @ 2004-02-15 19:07 UTC (permalink / raw)
To: phil; +Cc: Netfilter Development Mailinglist
Hi!
I recently found out about your tool 'iptstate'.
First of all, I think it serves a good purpose, and it is definitely
something that netfilter/iptables users need.
However, two comments:
1) reading /proc/net/ip_conntrack is currently (still) racy on SMP
boxes. This means it cannot be used as a reliable source.
2) reading /proc/net/ip_conntrack has a huge impact on the performance
of the conntrack system
It would be fine if you could inform your users about those issues.
Feel free to blame the netfilter/iptables developers, since it's our
fault to offer such a broken interface in the first place.
I suggest to consider porting your application on top of ctnetlink (see
libctnetlink in netfilter cvs and the nfnetlink-ctnetlink patch in
patch-o-matic).
3) The name of the application is misleading. iptables itself does not
track any state information. It is ip_conntrack that does. There is
almost no relation between both of them.
Thanks for your attention,
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
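A parser for the /proc/net/ip_conntrack text format that iptstate reads, added here as an illustration and not code from iptstate or the netfilter project; the sample entries are constructed and assume the 2.4/2.6-era line layout (protocol, protocol number, timeout, optional TCP state, original tuple, reply tuple, flags in brackets).

```python
"""Parse /proc/net/ip_conntrack lines into records (example, not iptstate code).

The thread notes that reading this file is racy on SMP and expensive for the
conntrack subsystem, so the result should be treated as a best-effort snapshot.
"""
import re

# Constructed sample: a tcp entry (assured), a udp entry and an unreplied icmp entry.
SAMPLE = """\
tcp      6 431995 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=33000 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=33000 [ASSURED] use=1
udp      17 29 src=10.0.0.2 dst=10.0.0.3 sport=5353 dport=53 src=10.0.0.3 dst=10.0.0.2 sport=53 dport=5353 use=1
icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=1234 [UNREPLIED] src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=1234 use=1
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Return a dict for one conntrack line, or None if the line does not parse."""
    fields = line.split()
    if len(fields) < 4 or not fields[1].isdigit() or not fields[2].isdigit():
        return None
    proto, proto_num, timeout = fields[0], int(fields[1]), int(fields[2])
    rest = fields[3:]
    state = None
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)                     # e.g. ESTABLISHED (tcp only)
    flags = {tok.strip("[]") for tok in rest if tok.startswith("[")}
    # The original tuple comes first; the reply tuple starts at the second "src=".
    kv = _KV.findall(" ".join(rest))
    src_idx = [i for i, (k, _) in enumerate(kv) if k == "src"]
    if len(src_idx) != 2:
        return None
    orig = dict(kv[src_idx[0]:src_idx[1]])
    reply = {k: v for k, v in kv[src_idx[1]:] if k not in ("use", "mark")}
    return {"proto": proto, "proto_num": proto_num, "timeout": timeout,
            "state": state, "orig": orig, "reply": reply,
            "assured": "ASSURED" in flags, "unreplied": "UNREPLIED" in flags,
            "use": int(dict(kv).get("use", 0))}


def parse_table(text):
    """Parse a whole snapshot, silently skipping lines that do not parse."""
    entries = [parse_entry(line) for line in text.splitlines() if line.strip()]
    return [e for e in entries if e is not None]


def count_by_state(entries):
    """Summary in the spirit of iptstate's display: entries per TCP state or protocol."""
    counts = {}
    for e in entries:
        key = e["state"] or e["proto"]
        counts[key] = counts.get(key, 0) + 1
    return counts
```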
* Re: Comments on iptstate
From: Phil Dibowitz @ 2004-02-16 7:41 UTC (permalink / raw)
To: Harald Welte; +Cc: Netfilter Development Mailinglist
Harald Welte wrote:
> Hi!
>
> I recently found out about your tool 'iptstate'.
>
> First of all, I think it serves a good purpose, and it is definitely
> something that netfilter/iptables users need.
Thanks. I post new versions to the netfilter mailing list...
> 1) reading /proc/net/ip_conntrack is currently (still) racy on SMP
> boxes. This means it cannot be used as a reliable source.
I didn't know that. I'll put it in the docs of the next version. Thanks
for the heads up.
> 2) reading /proc/net/ip_conntrack has a huge impact on the performance
> of the conntrack system
Really? Also good to know.
> It would be fine if you could inform your users about those issues.
> Feel free to blame the netfilter/iptables developers, since it's our
> fault to offer such a broken interface in the first place.
Will do! =)
> I suggest to consider porting your application on top of ctnetlink (see
> libctnetlink in netfilter cvs and the nfnetlink-ctnetlink patch in
> patch-o-matic).
I might just do that. Do those libraries have hooks to do things like..
um, say remove a state from the state table? It's a commonly requested
feature of iptstate.
> 3) The name of the application is misleading. iptables itself does not
> track any state information. It is ip_conntrack that does. There is
> almost no relation between both of them.
Sorry, but there's no way I'm renaming my app. =) I don't think it's THAT
misleading. ip_conntrack is an ip tables module. It's not some
application that sits on top of any firewall, it's very ip tables
specific. It makes ip tables have stateful capabilities.
> Thanks for your attention,
Thanks for your comments!
--
Phil Dibowitz phil@ipom.com
Freeware and Technical Pages Insanity Palace of Metallica
http://www.phildev.net/ http://www.ipom.com/
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759
* Re: Comments on iptstate
From: Harald Welte @ 2004-02-16 8:34 UTC (permalink / raw)
To: Phil Dibowitz; +Cc: Netfilter Development Mailinglist
On Sun, Feb 15, 2004 at 11:41:59PM -0800, Phil Dibowitz wrote:
> >I suggest to consider porting your application on top of ctnetlink (see
> >libctnetlink in netfilter cvs and the nfnetlink-ctnetlink patch in
> >patch-o-matic).
>
> I might just do that. Do those libraries have hooks to do things like..
> um, say remove a state from the state table? It's a commonly requested
> feature of iptstate.
Yes, exactly. That is possible using ctnetlink.
> > 3) The name of the application is misleading. iptables itself does not
> > track any state information. It is ip_conntrack that does. There is
> > almost no relation between both of them.
>
> Sorry, but there's no way I'm renaming my app. =) I don't think it's THAT
> misleading. ip_conntrack is an ip tables module. It's not some
> application that sits on top of any firewall, it's very ip tables
> specific. It makes ip tables have stateful capabilities.
>
I didn't ask you to rename it, I just wanted to point that out.
It is _NOT_ an iptables module, it is a netfilter module. Thus it is a
sibling descending from the same father (netfilter). But technically,
they have nothing in common at all (rather than using the netfilter API
to receive packets, but a lot of people do that now).
It makes the network stack have state tracking. That iptables is almost
its only user is just a coincidence.
> Phil Dibowitz phil@ipom.com
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
* Re: Comments on iptstate
From: Phil Dibowitz @ 2004-02-16 9:51 UTC (permalink / raw)
To: Harald Welte; +Cc: Netfilter Development Mailinglist
Harald Welte wrote:
> Yes, exactly. That is possible using ctnetlink.
OK. I'll look into a re-write. Perhaps it will give me a reason to
change the major version number. =)
> I didn't ask you to rename it, I just wanted to point that out.
OK. Just checking. =) Thanks for the info.
--
Phil Dibowitz phil@ipom.com
Freeware and Technical Pages Insanity Palace of Metallica
http://www.phildev.net/ http://www.ipom.com/
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759