From: Amin Azez <azez@ufomechanic.net>
To: Harald Welte <laforge@netfilter.org>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>,
    Pablo Neira <pablo@eurodev.net>,
    Patrick McHardy <kaber@trash.net>
Subject: [RFC] alternative to conntrack ID
Date: Wed, 04 May 2005 10:18:30 +0100
Message-ID: <42789366.20702@ufomechanic.net>
In-Reply-To: <20050429080242.GJ9735@sunbeam.de.gnumonks.org>
Harald Welte wrote:
> On Fri, Apr 29, 2005 at 09:14:16AM +0200, Jozsef Kadlecsik wrote:
>
>>I don't like id either. Conntrack can be uniquely identified by
>>
>>- src/dst tuples, globally, even in a cluster
>>- the pointer of the conntrack entry, locally
>
> Yes, but not over time, i.e. if your cycle of reading the table and
> issuing a 'delete' is long enough, then you could remove a connection
> that was using the same tuple but was established meanwhile (after the
> old died). However looking at current timeouts, that would be more than
> one or two minutes delay between read and delete.
>
> My point of view is that we don't need the ID. If there is too much
> delay, well then the user has a certain risk. If we would call it
> 'deleting a flow' then we'd be safe, since a flow has no start and
> beginning, and multiple successive connections can comprise one flow ;)
I hope I am bringing a new angle to this and not the same old stuff.
With Pablo's new conntrack(-tool) there is an increased risk of this
race condition. No longer will a userspace application read the table
and "issue a delete" but it receives events via the netlink socket.
Any userspace tool tracking connections based on conntrack events will
receive an event some time after a conntrack is destroyed, but possibly
after taking action on a new conntrack with the same tuples.
Here is an ASCII art timeline with one of the failure cases:

time                      +----+----+----+----+----+----+----+----+----+----+
                             destroyed created again????
conntrack                 *==*???????????????????????????????
netlink create event       *
user prog create event       *
netlink destroy event          *
user prog create action                  * action may happen on new conntrack
user prog destroy event                    *
user prog destroy action                     * now we know we may have raced and lost

It is entirely possible that a new conntrack with the same tuples is
created before the user program can be aware the old one has been destroyed.
Defining multiple successive connections as "one flow" is convenient,
but as user space clients are notified of "interruptions and
restorations" to this "one flow", it would be also convenient if they
could safely take advantage of such notifications.
If an ID is not desirable as part of the tuple (and I can see that it is
not) perhaps a "created time-stamp" per conntrack would suffice as an
extra "guard" which MAY be provided to conntrack manipulation routines,
and if so provided MUST also be satisfied for the operation to take place.
That is my suggestion. It does not introduce an alternative ID, but it does
avoid the problem of race conditions.
Comments?
Amin
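
The race in the timeline above, and the "created time-stamp" guard proposed in the message, as an added example that is not part of the original post and is not ctnetlink's or conntrack-tools' code. The tuple-keyed table and the event queue are a toy stand-in for the kernel table and the netlink socket; the tuple, the time-stamps and all function names are invented for the demonstration.

```c
/* Added example, not code from the thread or from ctnetlink: a toy model of
 * the race described above and of the "created time-stamp" guard proposed
 * as a fix. The table and the event queue stand in for the kernel and the
 * netlink socket; every name and value here is invented for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tuple { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };

struct conntrack {
    struct tuple t;
    uint64_t created;   /* time-stamp taken at creation: the proposed guard */
    int alive;
};

enum ev_type { EV_NEW, EV_DESTROY };
struct event { enum ev_type type; struct tuple t; uint64_t created; };

#define TABLE_SIZE 4
#define QUEUE_SIZE 8

struct kernel {
    struct conntrack table[TABLE_SIZE];
    struct event queue[QUEUE_SIZE];   /* events user space has not read yet */
    int nqueued;
};

static int tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

static void push_event(struct kernel *k, enum ev_type type, const struct conntrack *ct)
{
    if (k->nqueued < QUEUE_SIZE) {
        struct event *ev = &k->queue[k->nqueued++];
        ev->type = type;
        ev->t = ct->t;
        ev->created = ct->created;
    }
}

/* "Kernel" side: create an entry for a tuple and queue its NEW event. */
static int ct_create(struct kernel *k, const struct tuple *t, uint64_t now)
{
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!k->table[i].alive) {
            k->table[i].t = *t;
            k->table[i].created = now;
            k->table[i].alive = 1;
            push_event(k, EV_NEW, &k->table[i]);
            return i;
        }
    }
    return -1;
}

static void ct_kill(struct kernel *k, int slot)
{
    if (slot >= 0 && slot < TABLE_SIZE && k->table[slot].alive) {
        k->table[slot].alive = 0;
        push_event(k, EV_DESTROY, &k->table[slot]);
    }
}

/* Delete the live entry for a tuple. With use_guard set, the caller's
 * 'created' stamp must match the entry's or the request is refused.
 * Returns 0 on success, -1 if no live entry, -2 if the guard rejected it. */
static int ct_delete(struct kernel *k, const struct tuple *t, int use_guard, uint64_t created)
{
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (k->table[i].alive && tuple_eq(&k->table[i].t, t)) {
            if (use_guard && k->table[i].created != created)
                return -2;
            ct_kill(k, i);
            return 0;
        }
    }
    return -1;
}

/* The failure case from the timeline: connection A comes and goes, B reuses
 * its tuple, and only then does user space act on A's NEW event. Stores the
 * delete's return code in *rc and returns whether B is still alive. */
static int scenario(int use_guard, int *rc)
{
    struct kernel k;
    struct tuple t = { 0x0a000001, 0x0a000002, 40000, 22, 6 };   /* constructed tuple */
    memset(&k, 0, sizeof k);

    int a = ct_create(&k, &t, 100);     /* t=100: A created, NEW event queued */
    ct_kill(&k, a);                      /* t=105: A destroyed, DESTROY queued */
    int b = ct_create(&k, &t, 106);     /* t=106: B created with the same tuple */

    /* User space reads its backlog: queue[0] is A's NEW event. Acting on it
     * now (say, tearing that connection down) hits whoever owns the tuple. */
    struct event ev = k.queue[0];
    *rc = ct_delete(&k, &ev.t, use_guard, ev.created);
    return k.table[b].alive;
}

int new_conntrack_survives(int use_guard) { int rc; return scenario(use_guard, &rc); }
int delete_result(int use_guard)         { int rc; scenario(use_guard, &rc); return rc; }

int main(void)
{
    printf("unguarded delete: rc=%d, B alive=%d\n", delete_result(0), new_conntrack_survives(0));
    printf("guarded delete:   rc=%d, B alive=%d\n", delete_result(1), new_conntrack_survives(1));
    return 0;
}
```

Without the guard the delete issued for A's tuple succeeds and silently removes B, the connection the user program never meant to touch; with the guard the kernel side sees that the caller's stamp (100) does not match the live entry's (106) and refuses, so the user program learns it raced instead of killing the wrong flow.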