From: Amin Azez <azez@ufomechanic.net>
To: Patrick McHardy <kaber@trash.net>
Cc: Harald Welte <laforge@netfilter.org>,
Netfilter Development Mailinglist
<netfilter-devel@lists.netfilter.org>,
Pablo Neira <pablo@eurodev.net>,
KOVACS Krisztian <hidden@balabit.hu>
Subject: Re: [RFC] alternative to conntrack ID
Date: Wed, 18 May 2005 08:24:30 +0100 [thread overview]
Message-ID: <428AEDAE.3040406@ufomechanic.net> (raw)
In-Reply-To: <428A5141.20901@trash.net>
Patrick McHardy wrote:
>Amin Azez wrote:
>
>
>>KOVACS Krisztian wrote:
>>
>>
>>
>>> Probably Patrick was referring to a possible problem where the
>>>following happens: a new connection is established and destroyed in a
>>>very short time. If a new connection with the same tuple is created
>>>before the timestamp increases (which is perfectly possible IMHO if you
>>>have some slow embedded HW with no high precision timer available)
>>>
>>>
>
>Exactly.
>
>
>
>>After further reading I think this scenario is highly unlikely.
>>
>>
>
>Unlikely is still enough reason to handle it properly in an API.
>
>
By unlikely I didn't mean it would rarely happen I meant the hardware
with which it could ever happen is surely unlikely. (A different order
of unlikiness) However I guess your comment below still holds.
>Otherwise anything you build on top of it has to take this into
>account for any guarantees it would like to give. And so far, I
>haven't even seen a suggestion how to notice it - which would
>also be fine with me.
>
>
One such suggestion is: IFF the conntrack is to be destroyed in the same
clock tick as it was created, to instead destroy the conntrack one clock
tick later through death-by-timeout. Then the new conntrack would have
to be created (although the same clock tick) with a different internal
conntrack id.
The costs of this would only be borne when such unusual hardware was in
use, and when the problem case came up, but the internal conntrack id
could then be used in conjunction with the timestamp to form a unique
qualifier that (takes deep breath) could be used with the tuple to
recognize a specific conntrack instance. It would require no extra
storage but increase the amount of data sent though the netlink socket.
This would still offer some slight benefit over a public conntrack
serial number in that it would also allow conntrack creation time
matching in iptables rules.
I do point out and wonder about the possibilities of a denial of service
though queueing lots of conntracks to be destroyed by timeout 1 tick
later but think this is hardly any worse than without a timeout in practice.
Another hacky "policy" fix would be to drop the SYN packet that would
re-create the conntrack in the same tick as its original creation and
let it be sent again. Its barely normal behaviour to do such a thing,
such packets deserve to be dropped (for the sins of their parents? Hmm)
Would such packets get re-sent via a loopback interface? But then again
device that abuses themselves in such a way beyond the resolution of
their own timers are surely on drugs?
Amin
next prev parent reply other threads:[~2005-05-18 7:24 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-03-27 23:55 [RFC] [PATCH] ctnetlink updates Pablo Neira
2005-04-01 6:59 ` Harald Welte
2005-04-03 18:01 ` Patrick McHardy
2005-04-06 18:08 ` Pablo Neira
2005-04-17 15:07 ` Patrick McHardy
2005-04-29 7:14 ` Jozsef Kadlecsik
2005-04-29 8:02 ` Harald Welte
2005-05-04 9:18 ` [RFC] alternative to conntrack ID Amin Azez
2005-05-04 9:32 ` Patrick Schaaf
2005-05-04 11:30 ` Patrick McHardy
2005-05-04 12:01 ` Amin Azez
2005-05-06 15:16 ` Patrick McHardy
2005-05-07 20:36 ` Marcus Sundberg
2005-05-07 22:18 ` Patrick McHardy
2005-05-07 22:32 ` Marcus Sundberg
2005-05-09 14:17 ` KOVACS Krisztian
2005-05-09 15:08 ` Amin Azez
2005-05-10 6:49 ` Harald Welte
2005-05-17 16:12 ` Amin Azez
2005-05-17 20:17 ` Patrick McHardy
2005-05-18 7:24 ` Amin Azez [this message]
2005-05-18 9:30 ` Jozsef Kadlecsik
2005-06-04 23:52 ` Pablo Neira
2005-06-05 1:02 ` Pablo Neira
2005-06-06 8:48 ` Jozsef Kadlecsik
2005-06-09 12:52 ` Pablo Neira
2005-06-09 13:00 ` Pablo Neira
2005-06-09 13:34 ` Jozsef Kadlecsik
2005-06-10 10:21 ` Pablo Neira
2005-06-13 7:41 ` Jozsef Kadlecsik
2005-06-14 2:30 ` Pablo Neira
2005-06-14 2:42 ` Patrick McHardy
2005-06-15 2:41 ` Pablo Neira
2005-06-20 16:04 ` Amin Azez
2005-06-20 16:12 ` Patrick McHardy
2005-06-22 9:09 ` Amin Azez
2005-06-22 9:30 ` Oscar Mechanic
2005-06-22 17:23 ` Patrick McHardy
2005-07-11 5:41 ` Harald Welte
2005-07-11 7:47 ` Patrick McHardy
2005-07-11 9:50 ` Pablo Neira
2005-06-06 8:17 ` Jozsef Kadlecsik
2005-05-18 6:45 ` Jozsef Kadlecsik
2005-05-18 7:08 ` Amin Azez
2005-05-18 7:17 ` Jozsef Kadlecsik
2005-05-11 8:43 ` Amin Azez
2005-05-01 23:49 ` [RFC] [PATCH] ctnetlink updates Pablo Neira
2005-05-02 10:47 ` Harald Welte
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=428AEDAE.3040406@ufomechanic.net \
--to=azez@ufomechanic.net \
--cc=hidden@balabit.hu \
--cc=kaber@trash.net \
--cc=laforge@netfilter.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=pablo@eurodev.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.