From: Pablo Neira <pablo@eurodev.net>
To: Krzysztof Oledzki <olenf@ans.pl>
Cc: Deti Fliegl <deti@fliegl.de>, netfilter-devel@lists.netfilter.org
Subject: Re: problem with conntrack utility and kernel 2.6.14
Date: Tue, 01 Nov 2005 02:09:05 +0100
Message-ID: <4366C031.6020504@eurodev.net>
In-Reply-To: <Pine.LNX.4.62.0510310911090.9468@bizon.gios.gov.pl>

Krzysztof Oledzki wrote:
> 1. "Illegal option `-m'" with "conntrack -E -i"
> # conntrack -E -i
> conntrack v0.94: Illegal option `-m' with this command

Wrong error output: this should say `-i'. Fixed.
You can't use -E together with -i. But I think that adding the conntrack
ID to the event information that is dumped could be worthwhile for accounting
purposes, so I'll add this to my pending patches for ctnetlink, ok?

> 2. Unable to delete conntrack by id:
> root@olemx:~# conntrack -L -i|grep id=101
> tcp 6 431999 ESTABLISHED src=192.168.0.22 dst=192.168.0.33
> sport=1607 dport=22 packets=72520 bytes=4421477 src=192.168.0.33
> dst=192.168.0.22 sport=22 dport=1607 packets=101332 bytes=21675629
> [ASSURED] mark=0 use=1 id=101
> root@olemx:~# conntrack -D -i 101
> root@olemx:~# conntrack -L -i|grep id=101

You can't kill conntracks *just* by the ID. The connection tracking
table currently uses the tuple information (source, destination,
protocol information) to place the conntrack in hashes, same thing to
perform lookups. Implementing the ability of killing conntracks just by
their ID would be O(n), so we would need to walk through the buckets until
we find a match, not so good. Just a wild thought, how bad would
hashing the conntracks by their ID be? In that case we could implement this
feature. So, currently you'll always need the information about the
source, destination and protocol specific stuff together with the ID.

> tcp 6 431999 ESTABLISHED src=192.168.0.22 dst=192.168.0.33
> sport=1607 dport=22 packets=72549 bytes=4423573 src=192.168.0.33
> dst=192.168.0.22 sport=22 dport=1607 packets=101352 bytes=21677725
> [ASSURED] mark=0 use=1 id=101
>
> 3. "deficit (4) len (0)." in conntrack -E expect:
>
> # conntrack -E expect
> 0 proto=17 src=192.168.31.255 dst=192.168.1.29 sport=138 dport=138
> nfnl_parse_attr: deficit (4) len (0).
>
> 0 proto=17 src=192.168.31.255 dst=192.168.1.227 sport=138 dport=138
> nfnl_parse_attr: deficit (4) len (0).

Fixed in SVN.

> 4. Wrong formatting in conntrack -h (Get... & Update...)
>
> Commands:
> -L [table] [-z] List conntrack or expectation table
> -G [table] parameters Get conntrack or expectation
> -D [table] parameters Delete conntrack or expectation
> -I [table] parameters Create a conntrack or expectation
> -U [table] parameters Update a conntrack
> -E [table] [options] Show events
> -F [table] Flush table
>
> Patch attached & inlined (for easy review):

Applied. Thanks.

> 5. Missing information in help/man about possibility of using "-i".

Added -i to the manpage. Thanks for the bug report.

--
Pablo
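
The lookup-cost argument in the message above (conntracks are placed in hash buckets by tuple, so a delete by ID alone has to walk every bucket), as an added example that is not part of the original message and is not netfilter code. The table size, the XOR hash, the `steps` counter and the sample flows are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define NBUCKETS 8              /* tiny table, constructed for the example */
#define NCONN    64
struct tuple { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
struct ct    { struct tuple t; uint32_t id; struct ct *next; };
static struct ct *buckets[NBUCKETS], pool[NCONN];
static unsigned steps;          /* entries inspected by the last operation */
/* Toy hash over the tuple only (assumption: the kernel uses a stronger one). */
static unsigned hash_tuple(const struct tuple *t) {
    return (t->src ^ t->dst ^ t->sport ^ t->dport ^ t->proto) % NBUCKETS;
}
static int tuple_eq(const struct tuple *a, const struct tuple *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport
        && a->dport == b->dport && a->proto == b->proto;
}
/* Constructed sample: NCONN TCP flows to port 22, ids 100..163. Call once. */
static void fill(void) {
    for (unsigned i = 0; i < NCONN; i++) {
        pool[i] = (struct ct){ .t = { 0xC0A80016u, 0xC0A80021u,
                                      (uint16_t)(1607 + i), 22, 6 }, .id = 100 + i };
        unsigned b = hash_tuple(&pool[i].t);
        pool[i].next = buckets[b];
        buckets[b] = &pool[i];
    }
}
/* Tuple + ID: the tuple picks one bucket, the ID confirms the entry. */
static int ct_delete(const struct tuple *t, uint32_t id) {
    steps = 0;
    for (struct ct **pp = &buckets[hash_tuple(t)]; *pp; pp = &(*pp)->next) {
        steps++;
        if ((*pp)->id == id && tuple_eq(&(*pp)->t, t)) { *pp = (*pp)->next; return 1; }
    }
    return 0;
}
/* ID alone: no bucket can be derived from it, so every chain is walked. */
static int ct_delete_by_id(uint32_t id) {
    steps = 0;
    for (unsigned b = 0; b < NBUCKETS; b++)
        for (struct ct **pp = &buckets[b]; *pp; pp = &(*pp)->next) {
            steps++;
            if ((*pp)->id == id) { *pp = (*pp)->next; return 1; }
        }
    return 0;
}
int main(void) {
    fill();
    ct_delete_by_id(9999);      printf("by id alone: %u entries inspected\n", steps);
    ct_delete(&pool[1].t, 101); printf("by tuple+id: %u entries inspected\n", steps);
    return 0;
}
```

With 64 entries in 8 buckets, the ID-only walk inspects all 64 entries on a miss, while the tuple-plus-ID path inspects at most the 8 entries of one chain.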