From: Amin Azez <azez@ufomechanic.net>
To: Pablo Neira <pablo@eurodev.net>
Cc: netfilter-devel@lists.netfilter.org
Subject: extending conntrack event data
Date: Thu, 21 Apr 2005 10:25:20 +0100 [thread overview]
Message-ID: <42677180.60003@ufomechanic.net> (raw)
In-Reply-To: <4266DB3A.8060106@eurodev.net>
I realise that I may be extending the scope of ctevent too far for some,
but I would like to make some more info available for conntrack events.
Specifically: mac addresses, and the time stamp associated with the skb
that triggered the conntrack event.
notifier_call_chain in include/linux/netfilter_ipv4/ip_conntrack.h
extacts the ip_conntrack from the skb and passes that to each event
callback.
As notifier_call_chain is not passed the addresses of any members of the
skb the callback can't use any container tricks to extract the skb address.
For my own convenience, and for compatability, I would like to modifer
notify_call_chain to pass the skb address as a 4th parameter so that
callback handlers may receive it. How do others feel about this?
Also, I realise that at the moment the mac member of an sk_buff presumes
that all mac info will be ethernet; however I would like to write clean
code that does not presume this will always be the case. What is the
best way to check from an sk_buff that the link layer is ethernet, or
rather that it is valid to presume that sk->mac.raw points to an ethhdr
(if not null)? The best I could think of was sk->inputdev but this
seems to have no members to indicate device type. Is it true that the
kernel only supports ethernet-type devices, or devices that masquerade
as ethernet type devices?
Finally, I know the issue of conntrack id's has been discussed before,
and that in kernel space the tuples are actually the best way to relate
skb's to conntracks. I realise that tuple contents could also be used to
maintain user-space references there is a race condition that exists; if
a user-space application requests some action on a conntrack or related
connection, because by the time this instruction is acted on in the
kernel it might be applied to a different actual connection with the
same tuple (previous connection has been closed). As netlink/netfilter
stuff introduces more user-space connection management capabilities, we
surely need to consider this problem?
Amin
next prev parent reply other threads:[~2005-04-21 9:25 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-19 13:37 nfnetlink/ctnetlink from pom-ng r3884 Wang Jian
2005-04-20 0:55 ` Pablo Neira
2005-04-21 8:21 ` Wang Jian
2005-04-21 11:05 ` Pablo Neira
2005-04-21 11:29 ` Wang Jian
2005-04-20 13:41 ` Amin Azez
2005-04-20 14:17 ` Samuel Liddicott
2005-04-20 22:44 ` Pablo Neira
2005-04-21 8:07 ` Amin Azez
2005-04-21 9:25 ` Amin Azez [this message]
2005-04-21 9:49 ` extending conntrack event data Amin Azez
2005-04-21 10:14 ` Wang Jian
2005-04-21 11:04 ` Pablo Neira
2005-04-25 13:51 ` Amin Azez
2005-04-25 16:35 ` IPCT_NEW comes from was " Amin Azez
2005-04-25 16:43 ` Amin Azez
2005-04-26 13:37 ` BUG/CONFLICT conntrack with preroute/postroute mangle table Samuel Liddicott
2005-04-26 13:38 ` Amin Azez
2005-05-05 11:08 ` Amin Azez
2005-05-05 13:36 ` RFC for fix? Was " Amin Azez
2005-05-05 16:05 ` Pablo Neira
2005-05-09 11:11 ` Amin Azez
2005-05-09 13:48 ` Amin Azez
2005-04-21 11:04 ` extending conntrack event data Amin Azez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42677180.60003@ufomechanic.net \
--to=azez@ufomechanic.net \
--cc=netfilter-devel@lists.netfilter.org \
--cc=pablo@eurodev.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.