Re: [NEW TARGET] target for modifying conntrack timeout value

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira <pablo@eurodev.net>
To: Richard <richard@o-matrix.org>
Cc: 'Netfilter Development Mailinglist'
	<netfilter-devel@lists.netfilter.org>
Subject: Re: [NEW TARGET] target for modifying conntrack timeout value
Date: Wed, 15 Dec 2004 20:38:33 +0100	[thread overview]
Message-ID: <41C092B9.9020501@eurodev.net> (raw)
In-Reply-To: <EINSTEIN2Mb1s7nlT2N00000521@einstein.systemmetrics.com>

Richard wrote:

>>Some comments:
>>
>>a) I think that you should implement this thing as a match instead of a
>>target. Have a look at ipt_limit. It isn't actually matching anything
>>but, for example, you could use it together with nat targets. A match
>>gives you more flexibility.
>>    
>>
>Not sure that I follow you. This target changes the conntrack expire timer.
>For example, the default timeout for udp stream is 180 seconds. If I want to
>make it 3600 for sip (udp 5060) traffic, I would do,
>iptables -t mangle -A INPUT -p UDP --dport 5060 -j CTEXPIRE --ctexpire-set
>3600
>iptables -t mangle -A OUTPUT -p UDP --sport 5060 -j CTEXPIRE --ctexpire-set
>3600
>  
>

An example of what I mean:

iptables -A OUTPUT -m ctexpire --ctexpire-set 3600 -j ACCEPT

BTW, why can you only use this target in mangle? I think that it's safe 
using it elsewhere, except by the `raw' table where you can not.

>>b) About source code:
>>
>>+       if (!is_confirmed(ct)) {
>>           ^^^
>>remove this `if' condition. ip_ct_refresh worries about about this for
>>you and makes the thing more simple.
>>    
>>
>In order to increase or decrease the expire value, we need to get the
>current expire value. If it is !is_confirmed, the ct->timeout value is the
>real expire value. Otherwise, it is jiffies + expire value. Is there a
>function to get this value without checking is_confirmed?
>  
>

you are right, you need that for increments and decrements, forget this 
comment.

>>c) In checkentry:
>>
>>+       if (info->mode > IPT_CTEXPIRE_MAXMODE) {
>>+               printk(KERN_WARNING "CTEXPIRE: invalid or unknown Mode
>>%u\n",
>>+                       info->mode);
>>+               return 0;
>>+       }
>>+ [...]
>>+
>>+       if (info->expires * HZ < info->expires) {
>>+               /* if user specified value is too big, *HZ can overflow
>>the counter
>>+               */
>>+               printk(KERN_WARNING "CTEXPIRE: expire value too big,
>>will overflow counter: %ld\n", info->expires);
>>+               return 0;
>>+       }
>>
>>You should do those checkings in user space. Those error must be handle
>>in iptables, not in kernel.
>>    
>>
>It is already done in user space. It is probably redundant doing the same
>thing here. I will drop it.
>  
>

yes, it's redudant. Please, drop that.

--
Pablo

next prev parent reply	other threads:[~2004-12-15 19:38 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-12-13 21:10 [NEW TARGET] target for modifying conntrack timeout value Richard
2004-12-13 21:14 ` Pablo Neira
2004-12-15  0:25 ` Pablo Neira
2004-12-15  1:16   ` Richard
2004-12-15 19:38     ` Pablo Neira [this message]
2004-12-17 18:10       ` Richard
2005-01-02  0:22         ` Pablo Neira
2005-01-02  9:11           ` Richard
2005-01-02 13:15             ` Pablo Neira
2005-01-02 19:12               ` Richard
2005-01-02 19:35                 ` Tom Marshall
2005-01-02 19:42                   ` Richard
2005-01-02 22:24                   ` Richard
  -- strict thread matches above, loose matches on Subject: below --
2004-12-08 19:47 Richard
2004-12-08 20:09 ` Pablo Neira
2004-12-09  1:47   ` Richard

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=41C092B9.9020501@eurodev.net \
    --to=pablo@eurodev.net \
    --cc=netfilter-devel@lists.netfilter.org \
    --cc=richard@o-matrix.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.