Re: [PATCH 1/2] updates for [nf|ct]netlink and event API

[Amin Azez <azez@ufomechanic.net>]

Pablo, I realise that there was a lot of dicussion on various parts of
your rework of conntrack.

Is the SVN patch at
http://people.netfilter.org/~pablo/ctnetlink-2.6.12/SVN-patches/ctnetlink-ctevent-nfnetlink-update-2.6.12.patch
still preferred, or has all that you intend been committed to SVN already?

Thanks

Amin

Pablo Neira wrote:
> Hi Harald,
> 
> This patchset introduces tons of updates for the nfnetlink, ctnetlink
> and the conntrack event API. I haven't attached the file since it's that
> big, about 100K.
> 
> You can get an incremental diff against SVN from:
> http://people.netfilter.org/~pablo/ctnetlink-2.6.12/SVN-patches/ctnetlink-ctevent-nfnetlink-update-2.6.12.patch
> 
> 
> Please apply.
> 
> 
> I've split this big patch above into four pieces to make it easier to
> understand the changes:
> http://people.netfilter.org/~pablo/ctnetlink-2.6.12/2.6.11-vs-2.6.12/
> 
> So these four patches shouldn't be applied, just they are meant to make
> your life easier to track the changes.
> 
> Summary of changes
> ------------------
> 
> o conntrack event API
> - Don't kill NFC_IP_* stuff, keep it there to ensure for old iptables
> versions compilation.
> - new file ip_conntrack_events.h that contains all event related
> functions to reduce pollution in ip_conntrack.h
> - IPCT_DELIVERED bit. Loopback reports event are reported twice, this
> bit is set once event are delivered. I just came up with a better idea,
> reset nfcache once the events have been delivered, but I'll apply this
> change in the next patchset.
> 
> o nfnetlink
> - kill unused list.
> - kill nfnl_exlock(), not needed anymore.
> - kill duplicated check: NFNL_SUBSYS_ID(type) > NFNL_SUBSYS_COUNT.
> - kill unneeded initialization of subsys_table to NULL, since it's in
> BSS section (already set to zero).
> - kill dead define CONFIG_NF_NETLINK.
> 
> o ctnetlink
> - merge ctnetlink_get_mcgroups and ctnetlink_get_exp_mcgroups
> - implemented NAT handlings
> - kill unused ctnetlink_kill
> - use __u64 id's for conntracks
> - stop using NLMSG_DONE to report the end of a dump, use explicite ACK
> instead (NLM_F_ACK).
> - fixed broken expectation timeout dumping.
> - kill unused ctnetlink_exp_dump_proto
> - kill ctnetlink_exp_dump: fairly small and just used once
> - kill NFNL_SUBSYS_CTNETLINK_EXP, use NFNL_SUBSYS_CTNETLINK instead
> - Fix expectation table dumping
> - Fix expectation creation
> - implemented flushing of the expect table
> 
> TODO
> ----
> 
> - Implement ip_conntrack_stats dumping and reset (accounting)
> - Implement get conntrack and destroy (accounting)
> - Kill event/dump mask based (?). Although it's unique, I think that it
> could be useful for weak conntrack event notification (think of just
> new, established and destroy event notification to reduce performance
> impact).
> 
> Once ip_conntrack_netlink gets fully featured and people don't report
> bugs for quite some time. I'll create a nf_conntrack_netlink tree.
> 
> -- 
> Pablo
> 
>