From: Eric Leblond <eric@inl.fr>
To: Pablo Neira Ayuso <pablo@eurodev.net>
Cc: nufw-core-team@nufw.org, netfilter-devel@lists.netfilter.org
Subject: Re: [feature request] Fixed timeout for conntrack entry
Date: Tue, 24 Jan 2006 22:04:49 +0100 [thread overview]
Message-ID: <43D69671.9030908@inl.fr> (raw)
In-Reply-To: <43D57525.7080907@eurodev.net>
Pablo Neira Ayuso wrote:
> Hi Eric,
>
> Eric Leblond wrote:
>
>>When working on NuFW (http://www.nufw.org), we had to use libconntrack
>>to kill some entry at a given time. In fact, we use it to be able to
>
> That's very unlikely to happen. If a new connection is opened with the
> same IP information, the ID will be different than the old connection.
> So such problem is unlikely to happen. Unless the daemon is so slow that
> a wraparound happened to the global ID, eg. 2^32 connections were opened
> at the time that the daemon was restarting. That would be really slow :)
Yes ;-) but that's mean you need to know the conntrack ID. Thus
userspace programs needs to fetch the ID.
Let's assume this, in the scope of NuFW, this will cost some more
kernel<->userspace exchanges but it could be done because at we only
interfere with kernel when we accept the packet with nfnetlink_queue.
But I don't think this is the main point.
>>From a developpement point of view it seems that this is a "small"
>>modification of code. It could be done by adding a test when refreshing
>>standard connection entry timeout (when receiving a packet) and testing
>>if the connection must be destroy and destroy it if needed ?
>
>
> I think that we could add support for permanent conntracks, eg.
> conntracks that never expire. So the userspace program could have their
> own timers and kill it whenever it wants to. The problem is that the
> userspace program must behave correctly, otherwise we could get tons of
> zombie conntracks that never expire.
Personnally, I don't think that trust userspace for something like that
is not a good idea. A userspace daemon could be stopped, and this will
be the night of the living dead.
Furthermore, this does not introduce the capability to do this from
kernel space which could be really interesting. From an iptables point
of view we could have something like :
iptables -A FORWARD -m state --state NEW -m time --time 08h-18h \\
-m expiration -j ACCEPT --expire-at 18h
I mean, accept connection creation between 08h and 18h and destroy
connection from conntrack at 18h. This is a policy that we have been
asked quiet frequently.
Is there some theoritical limit in current Netfilter code to implement
such a thing ?
BR,
--
Eric Leblond
prev parent reply other threads:[~2006-01-24 21:04 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-01-23 9:24 [feature request] Fixed timeout for conntrack entry Eric Leblond
2006-01-24 0:30 ` Pablo Neira Ayuso
2006-01-24 17:11 ` Amin Azez
2006-01-24 21:04 ` Eric Leblond [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=43D69671.9030908@inl.fr \
--to=eric@inl.fr \
--cc=netfilter-devel@lists.netfilter.org \
--cc=nufw-core-team@nufw.org \
--cc=pablo@eurodev.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.