From: Amin Azez <azez@ufomechanic.net>
To: Harald Welte <laforge@netfilter.org>
Cc: Netfilter Development Mailinglist
	<netfilter-devel@lists.netfilter.org>,
	Pablo Neira <pablo@eurodev.net>
Subject: Re: ctnetlink attributes [was: Re: [PATCH 1/2] updates for [nf|ct]netlink and event API]
Date: Tue, 12 Jul 2005 09:18:37 +0100	[thread overview]
Message-ID: <42D37CDD.5020007@ufomechanic.net> (raw)
In-Reply-To: <20050711171023.GG16728@sunbeam.de.gnumonks.org>

Harald Welte wrote:

>On Mon, Jul 11, 2005 at 05:30:56PM +0100, Amin Azez wrote:
>
>>I'm interested in adding MAC addr attributes and CTA_TUPLE_MAC; not just
>>because of my fixation with MAC addresses but also to use conntrack to
>>record flow data for non IP-related protocols.
>
>ctnetlink MAC attributes are IMHO nonsense because there is no mac
>address tracking in conntrack.
Indeed; I was proposing that it be so. I'm currently maintaining
conntrack patches where mac addresses are part of the conntrack.

>>I realise it is not the current intent of conntrack to do this, but as
>>much as conntrack solves the high-load problems of ulog, it is desirable
>>for it to keep counters for non-ip protocols.
>
>Also, MAC address tracking doesn't really make sense since as an
>intermediate router there is no way that the assumption "source and
>destination mac never change" is ever valid.
This is also true; there are few circumstances in which the mac address
could change within the life of a connection and maintain the
connection, and it is uncertain in the scenario I proposed how this
should be handled.

>>As fast as protocol handlers can be devised it will become "conntrack"
>>again instead of "flowtrack", but the universal identifier between hosts
>>involved in a connection is the mac address and protocol.
>
>no.  you always only see the next hop mac address.  let's say you have
>an upstream and a downstream router, then all your 'connections' would
>be between the same two mac addresses.
The use would be limited to switched or transparently bridged networks,
which is where most non-ip traffic will be kept. I don't think this
particularly limits the use; many protocols do not employ a global
address space anyway.

SPX protocol uses the MAC address in conjunction with a network number
for node addressing.

>>The question is, how do others feel about conntrack tracking non-ip
>>connections? I intend to provide patches to do this if it is welcome.
>
>nf_conntrack goes the way to layer-3-independent connection tracking.
>However, conntrack will remain to happen at layer3 and 4 (with minor
>exceptions to higher layers in the case of conntrack helpers).
So you are not against tracking non-IP traffic as such?
I agree that it is ideal to break open the layer 3 addressing for use in
the conntrack tuple; I was suggesting using mac address and protocol as
a fallback when this was not available.

Amin
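The exchange above turns on two observations: Harald's point that on a routed path every frame carries the same next-hop MAC pair, so a tuple keyed on MAC addresses collapses every connection through the router into one entry, and Amin's point that on a switched or bridged segment a MAC-plus-protocol fallback is the only key available for non-IP traffic such as IPX/SPX. The script below is an added illustration, not code from the thread or from the netfilter project; the frame records, the host and router labels, and the helper names (`mac_key`, `l3_key`, `fallback_key`, `count_connections`) are constructed for this example and do not correspond to conntrack's data structures.

```python
"""Compare connection keys built from MAC addresses with layer-3/4 tuples,
using constructed frames seen (a) on a router-to-router link and (b) on a
switched segment.  Added example, not netfilter code."""
from collections import Counter

ETH_P_IP = 0x0800   # IPv4 ethertype
ETH_P_IPX = 0x8137  # IPX ethertype (SPX rides on IPX)

# Constructed frames: Ethernet header plus, for IP, (src, dst, proto, sport, dport).
# Scenario (a): the observer sits between upstream router R1 and downstream
# router R2.  Every frame carries the same next-hop MAC pair regardless of
# which hosts are talking.
ROUTED_FRAMES = [
    {"smac": "R1", "dmac": "R2", "eth": ETH_P_IP, "ip": ("10.0.0.1", "192.0.2.10", 6, 40001, 80)},
    {"smac": "R1", "dmac": "R2", "eth": ETH_P_IP, "ip": ("10.0.0.2", "192.0.2.10", 6, 40002, 80)},
    {"smac": "R1", "dmac": "R2", "eth": ETH_P_IP, "ip": ("10.0.0.3", "192.0.2.11", 17, 5353, 53)},
    {"smac": "R2", "dmac": "R1", "eth": ETH_P_IP, "ip": ("192.0.2.10", "10.0.0.1", 6, 80, 40001)},
]

# Scenario (b): a switched segment where hosts H1..H3 exchange frames
# directly, including IPX frames that have no IP tuple at all.
BRIDGED_FRAMES = [
    {"smac": "H1", "dmac": "H2", "eth": ETH_P_IPX, "ip": None},
    {"smac": "H2", "dmac": "H1", "eth": ETH_P_IPX, "ip": None},
    {"smac": "H1", "dmac": "H3", "eth": ETH_P_IPX, "ip": None},
    {"smac": "H1", "dmac": "H2", "eth": ETH_P_IP, "ip": ("10.1.0.1", "10.1.0.2", 6, 5000, 22)},
]


def _canon(a, b, rest):
    """Fold original and reply directions into one key, the way conntrack
    pairs an original tuple with its reply tuple in a single entry."""
    return (a, b, rest) if (a, b) <= (b, a) else (b, a, rest)


def mac_key(frame):
    """Key a connection on (src MAC, dst MAC, ethertype)."""
    return _canon(frame["smac"], frame["dmac"], frame["eth"])


def l3_key(frame):
    """Layer-3/4 tuple, which is what conntrack actually keys on; None when
    the frame carries no IP header."""
    if frame["ip"] is None:
        return None
    src, dst, proto, sport, dport = frame["ip"]
    return _canon((src, sport), (dst, dport), proto)


def fallback_key(frame):
    """Amin's proposal: the layer-3/4 tuple when one exists, otherwise the
    MAC pair plus protocol."""
    return l3_key(frame) or mac_key(frame)


def count_connections(frames, keyfn):
    """Return {connection key: packet count} for frames keyfn can classify."""
    return Counter(k for k in map(keyfn, frames) if k is not None)


if __name__ == "__main__":
    for label, frames in (("routed link", ROUTED_FRAMES), ("bridged segment", BRIDGED_FRAMES)):
        for name, fn in (("mac_key", mac_key), ("l3_key", l3_key), ("fallback_key", fallback_key)):
            conns = count_connections(frames, fn)
            print(f"{label:16s} {name:13s} {len(conns)} connection(s): {dict(conns)}")
```

On the routed link the MAC key yields a single connection carrying all four packets, while the layer-3/4 key separates the three flows and still folds the reply packet into its originating connection. On the bridged segment the layer-3/4 key sees only the one IP flow; the fallback key additionally tracks the two IPX conversations, which is the case the proposal was meant to cover.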
