From: Pablo Neira <pablo@eurodev.net>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Netfilter Development Mailinglist
<netfilter-devel@lists.netfilter.org>,
Patrick McHardy <kaber@trash.net>
Subject: Re: [RFC] alternative to conntrack ID
Date: Sun, 05 Jun 2005 01:52:58 +0200 [thread overview]
Message-ID: <42A23EDA.2090307@eurodev.net> (raw)
In-Reply-To: <Pine.LNX.4.58.0505180948180.9582@blackhole.kfki.hu>
Jozsef Kadlecsik wrote:
> On Tue, 17 May 2005, Patrick McHardy wrote:
>>Amin Azez wrote:
>>
>>>KOVACS Krisztian wrote:
>>>
>>>> Probably Patrick was referring to a possible problem where the
>>>>following happens: a new connection is established and destroyed in a
>>>>very short time. If a new connection with the same tuple is created
>>>>before the timestamp increases (which is perfectly possible IMHO if you
>>>>have some slow embedded HW with no high precision timer available)
>>
>>Exactly.
>>
>>>After further reading I think this scenario is highly unlikely.
>>
>>Unlikely is still enough reason to handle it properly in an API.
>>Otherwise anything you build on top of it has to take this into
>>account for any guarantees it would like to give. And so far, I
>>haven't even seen a suggestion how to notice it - which would
>>also be fine with me.
>
> I think we should not state any guarantee here. Conntrack entries are
> uniquely identified by tuples, that's all we should say.
>
> There *is* a certain ambiquity, when, during te kernel-userspace
> communication, a conntrack entry is deleted and a new one with the same
> tuples is created, but that can be documented clearly.
>
> In order to create unique identification of conntrack entries, there were
> a couple of clever suggestions, all of them burdened by something:
>
> - timer based solutions may be not fine-grained enough
> - pointer of conntrack is not unique as it can be reused
> - id creates a new possible bottleneck
>
> What wrong can happen, if a reborn conntrack entry is deleted instead of
> the original one?
>
> If the conntrack entry is to be dropped due to a change in policy, then
> what we did is just fine! If there was a "stuck" conntrack entry and the
> admin was going to delete it manually but it went away and he deleted the
> new conntrack entry, that's an unfortunate event - but the user was in
> trouble anyway.
>
> So - do we really need such accuracy?
I want give another spin to this issue. A small digest about this ID thing:
+ The unique ID eats 8 extra bytes, since it will be an __u64. On my
laptop (1787 buckets, 14296 max), that makes 114368 extra bytes (worst
case).
+ "Slow" devices. As Krisztian and Patrick pointed out, a conntrack
could be destroyed while the user could be trying to kill it, then
another conntrack is created with the same tuples. Result: the user
kills a connection that he didn't mean to.
+ If we've got an ID, the user could decide it he wants such accuracy or
not to kill connections. If not, we would need to document this issue.
I'd definitely like to have such accuracy, but I still see this incident
unlikely. I think that such TCP stack must be broken if it starts a
brand new connection using the same source/destination ports that it's
recently used.
--
Pablo
next prev parent reply other threads:[~2005-06-04 23:52 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-03-27 23:55 [RFC] [PATCH] ctnetlink updates Pablo Neira
2005-04-01 6:59 ` Harald Welte
2005-04-03 18:01 ` Patrick McHardy
2005-04-06 18:08 ` Pablo Neira
2005-04-17 15:07 ` Patrick McHardy
2005-04-29 7:14 ` Jozsef Kadlecsik
2005-04-29 8:02 ` Harald Welte
2005-05-04 9:18 ` [RFC] alternative to conntrack ID Amin Azez
2005-05-04 9:32 ` Patrick Schaaf
2005-05-04 11:30 ` Patrick McHardy
2005-05-04 12:01 ` Amin Azez
2005-05-06 15:16 ` Patrick McHardy
2005-05-07 20:36 ` Marcus Sundberg
2005-05-07 22:18 ` Patrick McHardy
2005-05-07 22:32 ` Marcus Sundberg
2005-05-09 14:17 ` KOVACS Krisztian
2005-05-09 15:08 ` Amin Azez
2005-05-10 6:49 ` Harald Welte
2005-05-17 16:12 ` Amin Azez
2005-05-17 20:17 ` Patrick McHardy
2005-05-18 7:24 ` Amin Azez
2005-05-18 9:30 ` Jozsef Kadlecsik
2005-06-04 23:52 ` Pablo Neira [this message]
2005-06-05 1:02 ` Pablo Neira
2005-06-06 8:48 ` Jozsef Kadlecsik
2005-06-09 12:52 ` Pablo Neira
2005-06-09 13:00 ` Pablo Neira
2005-06-09 13:34 ` Jozsef Kadlecsik
2005-06-10 10:21 ` Pablo Neira
2005-06-13 7:41 ` Jozsef Kadlecsik
2005-06-14 2:30 ` Pablo Neira
2005-06-14 2:42 ` Patrick McHardy
2005-06-15 2:41 ` Pablo Neira
2005-06-20 16:04 ` Amin Azez
2005-06-20 16:12 ` Patrick McHardy
2005-06-22 9:09 ` Amin Azez
2005-06-22 9:30 ` Oscar Mechanic
2005-06-22 17:23 ` Patrick McHardy
2005-07-11 5:41 ` Harald Welte
2005-07-11 7:47 ` Patrick McHardy
2005-07-11 9:50 ` Pablo Neira
2005-06-06 8:17 ` Jozsef Kadlecsik
2005-05-18 6:45 ` Jozsef Kadlecsik
2005-05-18 7:08 ` Amin Azez
2005-05-18 7:17 ` Jozsef Kadlecsik
2005-05-11 8:43 ` Amin Azez
2005-05-01 23:49 ` [RFC] [PATCH] ctnetlink updates Pablo Neira
2005-05-02 10:47 ` Harald Welte
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42A23EDA.2090307@eurodev.net \
--to=pablo@eurodev.net \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.