From: Pablo Neira <pablo@eurodev.net>
To: Krzysztof Oledzki <olenf@ans.pl>
Cc: Deti Fliegl <deti@fliegl.de>, netfilter-devel@lists.netfilter.org
Subject: Re: problem with conntrack utility and kernel 2.6.14
Date: Tue, 01 Nov 2005 17:39:23 +0100 [thread overview]
Message-ID: <43679A3B.6070009@eurodev.net> (raw)
In-Reply-To: <Pine.LNX.4.63.0511011605010.12220@bizon.gios.gov.pl>
Krzysztof Oledzki wrote:
> On Tue, 1 Nov 2005, Pablo Neira wrote:
>
>> Krzysztof Oledzki wrote:
>>
>>>> You can't kill conntracks *just* by the ID. The connection tracking
>>>> table currently uses the tuple information (source, destination,
>>>> protocol information) to place the conntrack in hashes, same thing
>>>> to perform lookups.
>>>
>>> So, why do we need this conntrack ID? Only for userspace applications?
>>
>> Because of two reasons:
>>
>> a) We have to provide a way to uniquely identify a conntrack. On slow
>> devices, it could happen that a connection with the same src/dst/proto
>> could be re-created in a very short period of time. So the user can be
>> sure that he's killing that conntrack, and not a similar that
>> represents a re-opened connection.
>
> So one can pass this id as an additional information? OK. :)
That is :)
> BTW: I think conntrack-tool should inform that conntrack killing fails
> because kernel isn't able to find a matching conntrack.
That is what it currently does, are you observing a different behaviour?
# conntrack -D --orig-src 1.1.1.1 --orig-dst 2.2.2.2 -p tcp
--orig-port-src 2005 --orig-port-dst 21
NFNETLINK answers: No such file or directory
Operation failed: such conntrack doesn't exist
>> b) Netlink dumping is not atomic, for that reason we need a way to
>> know from which point we stopped dumping the connection tracking
>> table. Keeping a pointer to the lastest conntrack processed won't work
>> because of the timers. It could happen that a conntrack expires at the
>> time that the process of dumping continues. So the idea is using the
>> ID to establish such breakpoint, and continue from the lastest
>> conntrack ID processed if it's still present, otherwise we'll process
>> the next conntrack ID higher than the lastest processed.
>
> But to do this you need to travel the structure from the beginning and
> so dumping may require operations like O(n) anyway?
No, we store the last bucket processed in a temporary control buffer, so
we can continue from this bucket and then look for the last conntrack
processed in the list associated to this bucket.
--
Pablo
next prev parent reply other threads:[~2005-11-01 16:39 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-10-28 9:08 problem with conntrack utility and kernel 2.6.14 Deti Fliegl
2005-10-28 9:26 ` Pablo Neira
2005-10-28 9:26 ` Deti Fliegl
2005-10-28 10:01 ` Pablo Neira
2005-10-28 11:48 ` Deti Fliegl
2005-10-28 19:22 ` Pablo Neira
2005-10-28 19:53 ` Deti Fliegl
2005-10-29 13:06 ` Pablo Neira
2005-10-29 15:34 ` Deti Fliegl
2005-10-29 18:35 ` Pablo Neira
2005-10-29 15:44 ` Deti Fliegl
2005-10-31 4:41 ` Pablo Neira
2005-10-31 8:28 ` Krzysztof Oledzki
2005-11-01 1:09 ` Pablo Neira
2005-11-01 10:29 ` Krzysztof Oledzki
2005-11-01 13:55 ` Pablo Neira
2005-11-01 15:17 ` Krzysztof Oledzki
2005-11-01 16:39 ` Pablo Neira [this message]
2005-11-01 18:49 ` Krzysztof Oledzki
2005-11-01 19:27 ` Pablo Neira
2005-11-01 19:39 ` Krzysztof Oledzki
2005-11-01 20:07 ` Pablo Neira
2005-11-01 20:21 ` Krzysztof Oledzki
2005-11-02 16:04 ` Pablo Neira
2005-10-31 11:10 ` Deti Fliegl
2005-12-04 2:14 ` Pablo Neira Ayuso
2005-12-04 16:09 ` Patrick McHardy
2005-12-04 16:53 ` Deti Fliegl
2005-12-04 17:10 ` Yasuyuki KOZAKAI
2005-12-04 18:44 ` Deti Fliegl
2005-12-04 19:56 ` Patrick McHardy
2005-12-05 5:51 ` Yasuyuki KOZAKAI
2005-12-15 12:49 ` problem with conntrack utility and kernel 2.6.14 - still with 2.6.14.4 Deti Fliegl
2005-12-15 13:05 ` Pablo Neira Ayuso
2005-12-15 17:21 ` Krzysztof Oledzki
[not found] ` <200512041004.37192.romary@nikoon.com>
2005-12-04 20:04 ` Major problem with conntrack utility and kernel 2.6.14.3 Patrick McHardy
2005-12-04 23:08 ` Deti Fliegl
2005-12-05 10:24 ` Krzysztof Oledzki
2005-12-05 15:17 ` Patrick McHardy
2005-10-28 13:39 ` problem with conntrack utility and kernel 2.6.14 Deti Fliegl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=43679A3B.6070009@eurodev.net \
--to=pablo@eurodev.net \
--cc=deti@fliegl.de \
--cc=netfilter-devel@lists.netfilter.org \
--cc=olenf@ans.pl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.