From: Pablo Neira <pablo@eurodev.net>
To: Richard <richard@o-matrix.org>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: Re: [NEW TARGET] target for modifying conntrack timeout value
Date: Wed, 15 Dec 2004 01:25:05 +0100 [thread overview]
Message-ID: <41BF8461.3030405@eurodev.net> (raw)
In-Reply-To: <EINSTEINyo3DjFbUcOV00000275@einstein.systemmetrics.com>
Richard wrote:
>
>
>>-----Original Message-----
>>From: Richard [mailto:richard@o-matrix.org]
>>Sent: Wednesday, December 08, 2004 3:48 PM
>>To: 'Pablo Neira'
>>Cc: 'netfilter-devel@lists.netfilter.org'
>>Subject: RE: [NEW TARGET] target for modifying conntrack timeout value
>>
>>
>>
>>>+ ct->timeout.expires = new_expires;
>>> ^^^
>>>
>>>Hm I thought that I told you to use ip_ct_refresh... you should. Your
>>>target will look smarter and you can forget about proper locking...
>>>which is now completely broken...
>>>
>>>
>>Hi Pablo,
>>
>>Thanks for the comments. I made the modification and attached the latest
>>copy. Now it uses ip_ct_refresh. The target first reads the existing
>>expire value, then modify it. If there is something in between, the expire
>>value might get changed. Even worse, the conntrack state might change.
>>That's why I locked it first, then read and write, finally unlock. If it
>>is broken, there is no difference anyway...
>>
>>
>>
>
>Just wonder if there is any update on this please...
>
>
Some comments:
a) I think that you should implement this thing as a match instead of a
target. Have a look at ipt_limit. It isn't actually matching anything
but, for example, you could use it together with nat targets. A match
gives you more flexibility.
b) About source code:
+ if (!is_confirmed(ct)) {
^^^
remove this `if' condition. ip_ct_refresh worries about about this for
you and makes the thing more simple.
c) In checkentry:
+ if (info->mode > IPT_CTEXPIRE_MAXMODE) {
+ printk(KERN_WARNING "CTEXPIRE: invalid or unknown Mode
%u\n",
+ info->mode);
+ return 0;
+ }
+ [...]
+
+ if (info->expires * HZ < info->expires) {
+ /* if user specified value is too big, *HZ can overflow
the counter
+ */
+ printk(KERN_WARNING "CTEXPIRE: expire value too big,
will overflow counter: %ld\n", info->expires);
+ return 0;
+ }
You should do those checkings in user space. Those error must be handle
in iptables, not in kernel.
A minor aesthetic comment, a line must fit 80 columns, split longer
lines in two.
--
Pablo
next prev parent reply other threads:[~2004-12-15 0:25 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-12-13 21:10 [NEW TARGET] target for modifying conntrack timeout value Richard
2004-12-13 21:14 ` Pablo Neira
2004-12-15 0:25 ` Pablo Neira [this message]
2004-12-15 1:16 ` Richard
2004-12-15 19:38 ` Pablo Neira
2004-12-17 18:10 ` Richard
2005-01-02 0:22 ` Pablo Neira
2005-01-02 9:11 ` Richard
2005-01-02 13:15 ` Pablo Neira
2005-01-02 19:12 ` Richard
2005-01-02 19:35 ` Tom Marshall
2005-01-02 19:42 ` Richard
2005-01-02 22:24 ` Richard
-- strict thread matches above, loose matches on Subject: below --
2004-12-08 19:47 Richard
2004-12-08 20:09 ` Pablo Neira
2004-12-09 1:47 ` Richard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41BF8461.3030405@eurodev.net \
--to=pablo@eurodev.net \
--cc=netfilter-devel@lists.netfilter.org \
--cc=richard@o-matrix.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.