Comments on iptstate

Comments on iptstate

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1391 bytes --]

Hi!

I recently found out about your tool 'iptstate'.

First of all, I think it serves a good purpose, and it is definitely
something that netfilter/iptables users need.

However, two comments:

1) reading /proc/net/ip_conntrack is currently (still) racy on SMP
   boxes.  This means it cannot be used as reliable source.

2) reading /proc/net/ip_conntrack has a huge impact on the performance
   of the conntrack system

It would be fine if you could inform your users about those issues.
Feel free to blame the netfilter/iptables developers, since it's our
fault to offer such a broken interface in the first place.

I suggest to consider porting your application on top of ctnetlink (see
libctnetlink in netfilter cvs and the nfnetlink-ctnetlink patch in
patch-o-matic).

3) The name of the application is misleading. iptables itself does not
   track any state information.  it is ip_conntrack who does.  There is
   almost no relation between both of them.

Thanks for your attention,

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Comments on iptstate

[Phil Dibowitz]

[-- Attachment #1: Type: text/plain, Size: 2015 bytes --]

Harald Welte wrote:
> Hi!
> 
> I recently found out about your tool 'iptstate'.
> 
> First of all, I think it serves a good purpose, and it is definitely
> something that netfilter/iptables users need.

Thanks. I post new version the the netfilter mailing list...

> 1) reading /proc/net/ip_conntrack is currently (still) racy on SMP
>    boxes.  This means it cannot be used as reliable source.

I didn't know that. I'll put it in the docs of the next version. Thanks 
for the heads up.

> 2) reading /proc/net/ip_conntrack has a huge impact on the performance
>    of the conntrack system

Really? Also good to know.

> It would be fine if you could inform your users about those issues.
> Feel free to blame the netfilter/iptables developers, since it's our
> fault to offer such a broken interface in the first place.

Will do! =)

> I suggest to consider porting your application on top of ctnetlink (see
> libctnetlink in netfilter cvs and the nfnetlink-ctnetlink patch in
> patch-o-matic).

I might just do that. Do those libraries have hooks to do things like.. 
um, say remove a state from the state table? Its a commonly requested 
feature of iptstate.

> 3) The name of the application is misleading. iptables itself does not
>    track any state information.  it is ip_conntrack who does.  There is
>    almost no relation between both of them.

Sorry, but there's no way I'm renaming my app. =) I don't think its THAT 
misleading. ip_conntrack is an ip tables module. It's not some 
application that sits on top of any firewall, its very ip tables 
specific. It makes ip tables have stateful capabilities.

> Thanks for your attention,

Thanks for your comments!

-- 
Phil Dibowitz                             phil@ipom.com
Freeware and Technical Pages              Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
  - Benjamin Franklin, 1759


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 256 bytes --]

Re: Comments on iptstate

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1834 bytes --]

On Sun, Feb 15, 2004 at 11:41:59PM -0800, Phil Dibowitz wrote:
> >I suggest to consider porting your application on top of ctnetlink (see
> >libctnetlink in netfilter cvs and the nfnetlink-ctnetlink patch in
> >patch-o-matic).
> 
> I might just do that. Do those libraries have hooks to do things like.. 
> um, say remove a state from the state table? Its a commonly requested 
> feature of iptstate.

yes, exactly.  that is possible using ctnetlink

> >3) The name of the application is misleading. iptables itself does not
> >   track any state information.  it is ip_conntrack who does.  There is
> >   almost no relation between both of them.
> 
> Sorry, but there's no way I'm renaming my app. =) I don't think its THAT 
> misleading. ip_conntrack is an ip tables module. It's not some 
> application that sits on top of any firewall, its very ip tables 
> specific. It makes ip tables have stateful capabilities.
> 

I didn't ask you to rename it, I just wanted to point that out.

Is is _NOT_ an iptables module, it is a netfilter module.  Thus it is a 
sibling descending from the same father (netfilter).  But technically,
they have nothing in common at all (rather than using the netfilter API
to receive packets, but a lot of people do that now).

It makes the network stack have state tracking.  That iptables is almost
it's only user is just a coincidence.

> Phil Dibowitz                             phil@ipom.com

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Comments on iptstate

[Phil Dibowitz]

[-- Attachment #1: Type: text/plain, Size: 625 bytes --]

Harald Welte wrote:
> yes, exactly.  that is possible using ctnetlink

OK. I'll look into a re-write. Perhaps it will give me a reason to 
change the major version number. =)

> I didn't ask you to rename it, I just wanted to point that out.

OK. Just checking. =) Thanks for the info.

-- 
Phil Dibowitz                             phil@ipom.com
Freeware and Technical Pages              Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
  - Benjamin Franklin, 1759


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 256 bytes --]