From: Pablo Neira <pablo@eurodev.net>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Netfilter Development Mailinglist
<netfilter-devel@lists.netfilter.org>,
Patrick McHardy <kaber@trash.net>
Subject: Re: [RFC] alternative to conntrack ID
Date: Thu, 09 Jun 2005 14:52:38 +0200 [thread overview]
Message-ID: <42A83B96.4050302@eurodev.net> (raw)
In-Reply-To: <Pine.LNX.4.58.0506061017330.16223@blackhole.kfki.hu>
Hi Jozsef,
Jozsef Kadlecsik wrote:
>>Pablo Neira wrote:
>>
>>>I'd definitely like to have such accuracy, but I still see this incident
>>>unlikely. I think that such TCP stack must be broken if it starts a
>>>brand new connection using the same source/destination ports that it's
>>>recently used.
>>
>>Forget this, this can happen in an attempt to reopen a closed
>>connection, and such case is likely. We need such ID in order to achieve
>>accuracy. I think that it must be the user who has to choose if he wants
>>accuracy or not, in such case we have to provide the corresponding
>>methods to achieve it. A user could kill a conntrack by means of:
>>
>>a) the tuples, if he doesn't want accuracy
>>b) the tuples + the id, if he does.
>
>
> I share your feelings about giving complete accurate access to the users
> over conntrack entries. Still, I'm not completely convinced about the
> practical usefulness of such accuracy. Let's therefore look at it again:
>
> a. Policy changed and admin wants to enforce the new policy on the living
> conntrack entries as well: here the id does not buy anything, tuples
> are just sufficient.
> b. Admin wants to kill a "stuck" conntrack entry, in order to make
> possible to build up a new connection. In my opinion that's just not
> the proper way to deal with the problem, conntrack should be able to
> handle such cases automatically. And I believe we worked very hard
> and that part is highly polished in conntrack in the recent 2.6
> tree, so that it's just a theoretical example ;-)
> c. conntrack table is full and admin wants to get rid of a bunch of
> entries manually. Somehow I don't think id would be very useful here
> either.
>
> Other possibilities?
>
> I do not think users should poke conntrack without very good reason, at
> their whim.
Agreed, those scenarios look pretty realistic.
But if the ID goes out, I'll have another concern.
ctnetlink_dump_table[_w] currently uses the ID to know where it's
stopped dumping the conntrack table, netlink dumping is not atomic. I
could increase the conntrack refcount and hold a pointer to it but if
timeout expires while returning data to user space, the conntrack won't
be in hashes anymore, so it couldn't continue the travel through the
conntrack table.
I thought about freezing the conntrack timer and active it once I
continue traversing the list. That could result in problems since
netlink dumping is not atomic, someone could interrupt the dumping and
that conntrack will be stuck there forever. Moreover, I don't like it.
All the things I've though so far are burned by something. The cleanest
way to do this looks the ID. Any other ideas?
P.D: Thanks to Krisztian Kovacs for the feedback.
--
Pablo
next prev parent reply other threads:[~2005-06-09 12:52 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-03-27 23:55 [RFC] [PATCH] ctnetlink updates Pablo Neira
2005-04-01 6:59 ` Harald Welte
2005-04-03 18:01 ` Patrick McHardy
2005-04-06 18:08 ` Pablo Neira
2005-04-17 15:07 ` Patrick McHardy
2005-04-29 7:14 ` Jozsef Kadlecsik
2005-04-29 8:02 ` Harald Welte
2005-05-04 9:18 ` [RFC] alternative to conntrack ID Amin Azez
2005-05-04 9:32 ` Patrick Schaaf
2005-05-04 11:30 ` Patrick McHardy
2005-05-04 12:01 ` Amin Azez
2005-05-06 15:16 ` Patrick McHardy
2005-05-07 20:36 ` Marcus Sundberg
2005-05-07 22:18 ` Patrick McHardy
2005-05-07 22:32 ` Marcus Sundberg
2005-05-09 14:17 ` KOVACS Krisztian
2005-05-09 15:08 ` Amin Azez
2005-05-10 6:49 ` Harald Welte
2005-05-17 16:12 ` Amin Azez
2005-05-17 20:17 ` Patrick McHardy
2005-05-18 7:24 ` Amin Azez
2005-05-18 9:30 ` Jozsef Kadlecsik
2005-06-04 23:52 ` Pablo Neira
2005-06-05 1:02 ` Pablo Neira
2005-06-06 8:48 ` Jozsef Kadlecsik
2005-06-09 12:52 ` Pablo Neira [this message]
2005-06-09 13:00 ` Pablo Neira
2005-06-09 13:34 ` Jozsef Kadlecsik
2005-06-10 10:21 ` Pablo Neira
2005-06-13 7:41 ` Jozsef Kadlecsik
2005-06-14 2:30 ` Pablo Neira
2005-06-14 2:42 ` Patrick McHardy
2005-06-15 2:41 ` Pablo Neira
2005-06-20 16:04 ` Amin Azez
2005-06-20 16:12 ` Patrick McHardy
2005-06-22 9:09 ` Amin Azez
2005-06-22 9:30 ` Oscar Mechanic
2005-06-22 17:23 ` Patrick McHardy
2005-07-11 5:41 ` Harald Welte
2005-07-11 7:47 ` Patrick McHardy
2005-07-11 9:50 ` Pablo Neira
2005-06-06 8:17 ` Jozsef Kadlecsik
2005-05-18 6:45 ` Jozsef Kadlecsik
2005-05-18 7:08 ` Amin Azez
2005-05-18 7:17 ` Jozsef Kadlecsik
2005-05-11 8:43 ` Amin Azez
2005-05-01 23:49 ` [RFC] [PATCH] ctnetlink updates Pablo Neira
2005-05-02 10:47 ` Harald Welte
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42A83B96.4050302@eurodev.net \
--to=pablo@eurodev.net \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.