From: Pablo Neira
Subject: Re: [RFC] alternative to conntrack ID
Date: Sun, 05 Jun 2005 03:02:51 +0200
Message-ID: <42A24F3B.8050607@eurodev.net>
References: <424747E3.7000300@eurodev.net> <42502F8D.5030504@trash.net> <4254258E.5000204@eurodev.net> <42627BC4.8070103@trash.net> <20050429080242.GJ9735@sunbeam.de.gnumonks.org> <42789366.20702@ufomechanic.net> <4278B23A.7050406@trash.net> <4278B98E.7090707@ufomechanic.net> <427B8A46.8090006@trash.net> <427D26E7.8060701@ingate.com> <427D3EAF.3020200@trash.net> <427D41FA.5080506@ingate.com> <1115648236.25627.17.camel@nienna.balabit> <428A1807.8070708@ufomechanic.net> <428A5141.20901@trash.net> <42A23EDA.2090307@eurodev.net>
In-Reply-To: <42A23EDA.2090307@eurodev.net>
To: Pablo Neira
Cc: Netfilter Development Mailinglist, Patrick McHardy, Jozsef Kadlecsik
List-Id: netfilter-devel.vger.kernel.org

Pablo Neira wrote:
> I'd definitely like to have such accuracy, but I still see this incident
> as unlikely. I think that such a TCP stack must be broken if it starts a
> brand new connection using the same source/destination ports that it has
> recently used.

Forget this; this can happen in an attempt to reopen a closed connection,
and such a case is likely. We need such an ID in order to achieve accuracy.

I think that it must be the user who has to choose if he wants accuracy or
not; in such a case we have to provide the corresponding methods to achieve
it. A user could kill a conntrack by means of:

a) the tuples, if he doesn't want accuracy
b) the tuples + the id, if he does.

--
Pablo
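The failure mode argued above (a connection closes and is reopened on the same ports between the time a user lists the table and the time he kills the entry), as an added illustration that is not part of the thread or of the netfilter code: a toy conntrack table with a monotonically increasing per-entry id, where "kill by tuples" and "kill by tuples + id" behave differently on a stale reference. Names, the table layout and the id scheme are assumptions for the demonstration only.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Tuple:
    """Constructed stand-in for a conntrack tuple (one direction)."""
    src: str
    sport: int
    dst: str
    dport: int


class ConntrackTable:
    """Hypothetical table: one live entry per tuple, each with a unique id."""

    def __init__(self):
        self._by_tuple = {}      # tuple -> entry id
        self._ids = count(1)     # ids are never reused within the table's life

    def new(self, t):
        entry_id = next(self._ids)
        self._by_tuple[t] = entry_id
        return entry_id

    def close(self, t):
        del self._by_tuple[t]

    def lookup(self, t):
        return self._by_tuple.get(t)

    def kill_by_tuple(self, t):
        # Option (a): whatever entry currently owns the tuple is destroyed.
        return self._by_tuple.pop(t, None)

    def kill_by_tuple_and_id(self, t, entry_id):
        # Option (b): destroy only if the entry is still the one the user saw.
        if self._by_tuple.get(t) != entry_id:
            return False
        del self._by_tuple[t]
        return True


def stale_reference_scenario(use_id):
    """Returns (killed_something, fresh_connection_survived)."""
    table = ConntrackTable()
    t = Tuple("10.0.0.1", 40000, "10.0.0.2", 80)   # constructed sample tuple
    seen = table.new(t)        # user lists the table and notes this entry
    table.close(t)             # the connection closes ...
    fresh = table.new(t)       # ... and is reopened on the same ports
    if use_id:
        killed = table.kill_by_tuple_and_id(t, seen)
    else:
        killed = table.kill_by_tuple(t) is not None
    return killed, table.lookup(t) == fresh
```

Killing by tuples alone destroys the new, legitimate connection; killing by tuples plus id is refused because the id no longer matches, which is the accuracy the message asks for.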