* [PATCH 0/3]  [RFC] fixed duration connection
@ 2006-04-04  8:33 Eric Leblond
  2006-04-04  8:36 ` [PATCH 1/3] " Eric Leblond
                   ` (5 more replies)
  0 siblings, 6 replies; 26+ messages in thread
From: Eric Leblond @ 2006-04-04  8:33 UTC (permalink / raw)
  To: Netfilter Development Mailinglist; +Cc: nufw-devel


Hi,

While working on the NuFW development branch, we have had to
implement a policy such as:
      * connection to the server is authorised from 08h to 18h and
        the connection must be switched off at 18h.

Such features are frequently asked for by customers or netfilter addicts, but
even with the current conntrack-related code, it cannot be done cleanly.

Thus, we've added the notion of a fixed duration before expiration to
connections in the conntrack. (See the extended information at the bottom
for details.)

The following set of patches is against the kernel (Linus' git tree),
libnetfilter_conntrack, and the conntrack tool.

-- Extended --

When trying to implement this feature with the current connection tracking
code, we have faced some issues:
     1. userspace code has to duplicate conntrack entries, thus it is
        complex and uses memory
     2. there is no hope of having it done by a simple command line
        (because of 1.)
     3. if replication of the conntrack in userspace is needed, there will be
        many synchronisation problems: stopping and starting a
        hypothetical "expiration" daemon would cause conntrack
        duplication and/or loss of information ...

For this reason, we've worked on a simple kernel-level implementation.
This is done via a second "struct timer" that is added to the connection
structure. Activation of the timer is, for now, done from userspace by
using libnetfilter_conntrack or by using the new -T option of the conntrack
tool.

This kernel implementation could easily lead to a new iptables target in
the future.

This is a resend of the patch:
http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=3289
It adds support for nf_conntrack.

Best regards,
--
Eric Leblond <regit@inl.fr> for the NuFW Core Team
NuFW : http://www.nufw.org/
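As an added illustration (not code from this patch set or from NuFW), here is a userspace C model of the semantics the cover letter describes: an idle timer that every packet refreshes, plus a fixed deadline that no traffic can push back. The struct and function names (`model_ct`, `run_scenario`, ...) and the HZ value are assumptions of the model, and the scenarios are constructed.

```c
/* Userspace model of the "fixed duration connection" semantics described
 * in the cover letter. Added illustration: not code from the patches or
 * NuFW. Names are hypothetical; HZ is an assumed tick rate for the
 * simulated jiffies counter. */
#include <stdbool.h>
#include <stdio.h>

#define HZ 100UL

/* Same wrap-safe comparison the kernel uses for jiffies. */
#define time_after_eq(a, b) ((long)((a) - (b)) >= 0)

struct model_ct {
	unsigned long timeout_expires; /* idle timer: pushed forward by traffic */
	unsigned long fixed_expires;   /* fixed deadline: set once, never moved */
	bool fixed_armed;
	bool alive;
};

/* Mirrors conntrack allocation: only the idle timer is armed. */
static void ct_init(struct model_ct *ct, unsigned long now, unsigned long idle_secs)
{
	ct->timeout_expires = now + idle_secs * HZ;
	ct->fixed_expires = 0;
	ct->fixed_armed = false;
	ct->alive = true;
}

/* Mirrors setting the fixed timeout from userspace (conntrack -U -T <secs>). */
static void ct_set_fixed(struct model_ct *ct, unsigned long now, unsigned long secs)
{
	ct->fixed_expires = now + secs * HZ;
	ct->fixed_armed = true;
}

/* Mirrors the per-packet refresh: the idle timer is re-armed, the fixed
 * deadline is left untouched. */
static void ct_refresh(struct model_ct *ct, unsigned long now, unsigned long idle_secs)
{
	if (ct->alive)
		ct->timeout_expires = now + idle_secs * HZ;
}

/* Mirrors the expiry handler firing from either timer. Returns true while
 * the entry is still alive. */
static bool ct_tick(struct model_ct *ct, unsigned long now)
{
	if (!ct->alive)
		return false;
	if (time_after_eq(now, ct->timeout_expires) ||
	    (ct->fixed_armed && time_after_eq(now, ct->fixed_expires)))
		ct->alive = false;
	return ct->alive;
}

/* Drive one entry for run_secs simulated seconds with a packet every
 * pkt_interval seconds (0 = no traffic). fixed_secs == 0 means no fixed
 * timeout. Returns the second at which the entry was destroyed, or 0 if
 * it survived the whole run. */
static unsigned long run_scenario(unsigned long idle_secs, unsigned long fixed_secs,
				  unsigned long pkt_interval, unsigned long run_secs)
{
	struct model_ct ct;
	unsigned long t;

	ct_init(&ct, 0, idle_secs);
	if (fixed_secs)
		ct_set_fixed(&ct, 0, fixed_secs);

	for (t = 1; t <= run_secs; t++) {
		unsigned long now = t * HZ;

		if (pkt_interval && t % pkt_interval == 0)
			ct_refresh(&ct, now, idle_secs);
		if (!ct_tick(&ct, now))
			return t;
	}
	return 0;
}

int main(void)
{
	/* Constructed scenario: idle timeout 60 s, a packet every 10 s. */
	printf("no fixed timeout, steady traffic: died at %lu s (0 = survived)\n",
	       run_scenario(60, 0, 10, 300));
	printf("fixed timeout 30 s, steady traffic: died at %lu s\n",
	       run_scenario(60, 30, 10, 300));
	printf("fixed timeout 90 s, no traffic after setup: died at %lu s\n",
	       run_scenario(60, 90, 0, 300));
	return 0;
}
```

The second and third scenarios show the two deadlines competing: traffic cannot extend a session past the fixed deadline, and a fixed deadline does not keep an idle session alive.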



* [PATCH 1/3] fixed duration connection
  2006-04-04  8:33 [PATCH 0/3] [RFC] fixed duration connection Eric Leblond
@ 2006-04-04  8:36 ` Eric Leblond
  2006-04-04  8:38 ` [PATCH 2/3] " Eric Leblond
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 26+ messages in thread
From: Eric Leblond @ 2006-04-04  8:36 UTC (permalink / raw)
  To: Netfilter Development Mailinglist; +Cc: nufw-devel



This is a patch against Linus's git tree. It adds support for fixed
duration connections in ip_conntrack and nf_conntrack.

BR,
-- 
Eric Leblond <eric@inl.fr>
NuFW: http://www.nufw.org/

[-- Attachment #1.2: fixed_timeout.patch --]

diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
index 668ec94..0a300df 100644
--- a/include/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -29,6 +29,9 @@ enum ctattr_type {
 	CTA_HELP,
 	CTA_NAT,
 	CTA_TIMEOUT,
+#if defined(CONFIG_IP_NF_CT_FIXED_TIMEOUT) || defined(CONFIG_NF_CT_FIXED_TIMEOUT)
+	CTA_FIXED_TIMEOUT,
+#endif
 	CTA_MARK,
 	CTA_COUNTERS_ORIG,
 	CTA_COUNTERS_REPLY,
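Review bot: CTA_FIXED_TIMEOUT is inserted in the middle of the ctattr_type enum and only under `#if defined(CONFIG_IP_NF_CT_FIXED_TIMEOUT) || defined(CONFIG_NF_CT_FIXED_TIMEOUT)`, so the numeric values of CTA_MARK and every later attribute now depend on the kernel's build configuration. This header is userspace ABI: a library compiled with one numbering will misread attributes from a kernel built with the other (and patch 2/3 adds the value unconditionally). Append the new attribute after the last existing value, unconditionally, and keep the #ifdef only around the code that handles it.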
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
index d54d7b2..6093ed5 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -85,6 +85,11 @@ struct ip_conntrack
 	/* Timer function; drops refcnt when it goes off. */
 	struct timer_list timeout;
 
+#ifdef CONFIG_IP_NF_CT_FIXED_TIMEOUT
+    /* Is timeout fixed ? */
+    struct timer_list fixed_timeout;
+#endif
+        
 #ifdef CONFIG_IP_NF_CT_ACCT
 	/* Accounting Information (same cache line as other written members) */
 	struct ip_conntrack_counter counters[IP_CT_DIR_MAX];
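Review bot: the comment `/* Is timeout fixed ? */` describes a boolean, but the member is a `struct timer_list`; say what it is, e.g. `/* Timer for the fixed-duration deadline; never refreshed by traffic. */`. The new lines are indented with four spaces instead of a tab, and the `+` line after `#endif` is whitespace only; both will be flagged by checkpatch.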
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 916013c..7c0b46d 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -99,6 +99,12 @@ struct nf_conn
 	/* Timer function; drops refcnt when it goes off. */
 	struct timer_list timeout;
 
+#ifdef CONFIG_NF_CT_FIXED_TIMEOUT
+    /* Is timeout fixed ? */
+    struct timer_list fixed_timeout;
+#endif
+     
+
 #ifdef CONFIG_NF_CT_ACCT
 	/* Accounting Information (same cache line as other written members) */
 	struct ip_conntrack_counter counters[IP_CT_DIR_MAX];
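Review bot: same remarks as for the ip_conntrack header: the `Is timeout fixed ?` comment does not describe a `struct timer_list`, the block is space-indented, and two of the added lines are whitespace only (one of them trailing spaces).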
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 882b842..6cae515 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -46,6 +46,18 @@ config IP_NF_CT_ACCT
 
 	  If unsure, say `N'.
 
+config IP_NF_CT_FIXED_TIMEOUT
+	bool "Connection tracking fixed timeout (EXPERIMENTAL)"
+	depends on EXPERIMENTAL && IP_NF_CONNTRACK
+	help
+	  If this option is enabled, the connection tracking code will
+	  be able to have connection that will expire automatically after
+          a given time.
+          
+	  This feature can be used with libnetfilter_conntrack library.
+
+	  If unsure, say `N'.
+
 config IP_NF_CONNTRACK_MARK
 	bool  'Connection mark tracking support'
 	depends on IP_NF_CONNTRACK
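Review bot: help text grammar: `be able to have connection that will expire` should read `be able to create connections that expire`. The last two help lines are indented with spaces where the rest of the file uses a tab plus two spaces, and the line after `a given time.` is trailing whitespace only.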
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index ceaabc1..17ebe9b 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -319,6 +319,11 @@ destroy_conntrack(struct nf_conntrack *n
 	IP_NF_ASSERT(atomic_read(&nfct->use) == 0);
 	IP_NF_ASSERT(!timer_pending(&ct->timeout));
 
+#ifdef CONFIG_IP_NF_CT_FIXED_TIMEOUT
+    if (timer_pending(&ct->fixed_timeout)) {
+        del_timer(&ct->fixed_timeout);
+    }
+#endif
 	ip_conntrack_event(IPCT_DESTROY, ct);
 	set_bit(IPS_DYING_BIT, &ct->status);
 
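Review bot: the existing code asserts `!timer_pending(&ct->timeout)` here because the timer path owns a reference and the entry cannot be destroyed while that timer is armed; the same invariant must hold for `fixed_timeout`, since `death_by_timeout()` cancels the other timer before dropping the reference. A pending fixed timer at this point would mean a freed entry is still referenced by a timer, so an `IP_NF_ASSERT(!timer_pending(&ct->fixed_timeout))` next to the existing one is more useful than a silent `del_timer()`. The block is also indented with four spaces rather than a tab.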
@@ -359,6 +364,15 @@ static void death_by_timeout(unsigned lo
 {
 	struct ip_conntrack *ct = (void *)ul_conntrack;
 
+#ifdef CONFIG_IP_NF_CT_FIXED_TIMEOUT
+    /* delete the timer which has not timeout */
+    if (timer_pending(&ct->timeout)) {
+        del_timer(&ct->timeout);
+    }
+    if (timer_pending(&ct->fixed_timeout)) {
+        del_timer(&ct->fixed_timeout);
+    }
+#endif
 	write_lock_bh(&ip_conntrack_lock);
 	/* Inside lock so preempt is disabled on module removal path.
 	 * Otherwise we can get spurious warnings. */
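Review bot: both timers use `death_by_timeout()` as their handler and the new block ignores the return value of `del_timer()`. If the idle and fixed timers expire on the same tick on different CPUs, each handler sees the other timer as not pending (it is running, not pending), both continue, and the single reference held for the timer path is put twice, freeing the entry while the second handler still uses it. Checking the `del_timer()` result alone is not enough, since the fixed timer may never have been armed. Consider dropping the second timer entirely: store the fixed deadline as an absolute jiffies value in the conntrack and clamp `ct->timeout.expires` to it in `__ip_ct_refresh_acct()`. That removes the race and the extra `struct timer_list` from every entry.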
@@ -670,6 +684,12 @@ struct ip_conntrack *ip_conntrack_alloc(
 	conntrack->timeout.data = (unsigned long)conntrack;
 	conntrack->timeout.function = death_by_timeout;
 
+#ifdef CONFIG_IP_NF_CT_FIXED_TIMEOUT
+	init_timer(&conntrack->fixed_timeout);
+	conntrack->fixed_timeout.data = (unsigned long)conntrack;
+	conntrack->fixed_timeout.function = death_by_timeout;
+#endif
+
 	atomic_inc(&ip_conntrack_count);
 
 	return conntrack;
@@ -724,6 +744,7 @@ init_conntrack(struct ip_conntrack_tuple
 		/* this is ugly, but there is no other place where to put it */
 		conntrack->nat.masq_index = exp->master->nat.masq_index;
 #endif
+
 		nf_conntrack_get(&conntrack->master->ct_general);
 		CONNTRACK_STAT_INC(expect_new);
 	} else {
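Review bot: the only change in this hunk is an unrelated blank line in `init_conntrack()`; drop it from the patch.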
@@ -1135,12 +1156,12 @@ void __ip_ct_refresh_acct(struct ip_conn
 		ct->timeout.expires = extra_jiffies;
 		event = IPCT_REFRESH;
 	} else {
-		/* Need del_timer for race avoidance (may already be dying). */
-		if (del_timer(&ct->timeout)) {
-			ct->timeout.expires = jiffies + extra_jiffies;
-			add_timer(&ct->timeout);
-			event = IPCT_REFRESH;
-		}
+               /* Need del_timer for race avoidance (may already be dying). */
+               if (del_timer(&ct->timeout)) {
+                       ct->timeout.expires = jiffies + extra_jiffies;
+                       add_timer(&ct->timeout);
+                       event = IPCT_REFRESH;
+               }   
 	}
 
 #ifdef CONFIG_IP_NF_CT_ACCT
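Review bot: this hunk is whitespace only: it replaces the kernel's tabs with spaces on six lines of `__ip_ct_refresh_acct()` and adds trailing spaces after the closing brace. Revert it; it makes no functional change and will be rejected by checkpatch.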
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
index 9b6e19b..30a32f0 100644
--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -42,7 +42,7 @@
 
 MODULE_LICENSE("GPL");
 
-static char __initdata version[] = "0.90";
+static char __initdata version[] = "0.91";
 
 #if 0
 #define DEBUGP printk
@@ -953,6 +953,26 @@ ctnetlink_change_timeout(struct ip_connt
 	return 0;
 }
 
+
+#ifdef CONFIG_IP_NF_CT_FIXED_TIMEOUT
+static inline int
+ctnetlink_change_fixed_timeout(struct ip_conntrack *ct, struct nfattr *cda[])
+{
+	u_int32_t timeout = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_FIXED_TIMEOUT-1]));
+	
+        /* test if timer has already been set */
+        if (timer_pending(&ct->fixed_timeout)){
+	        if (!del_timer(&ct->fixed_timeout))
+		        return -ETIME;
+        }
+
+	ct->fixed_timeout.expires = jiffies + timeout * HZ;
+	add_timer(&ct->fixed_timeout);
+
+	return 0;
+}
+#endif /* CONFIG_IP_NF_CT_FIXED_TIMEOUT */
+
 static inline int
 ctnetlink_change_protoinfo(struct ip_conntrack *ct, struct nfattr *cda[])
 {
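Review bot: `ctnetlink_change_fixed_timeout()` arms the timer without checking that the entry is still alive. `ctnetlink_change_timeout()` guards with `if (!del_timer(&ct->timeout)) return -ETIME;` because the idle timer may already have fired and `death_by_timeout()` may be in progress; here, in that situation, `add_timer(&ct->fixed_timeout)` queues a timer pointing at an entry about to be freed. Mirror the existing guard on `ct->timeout` before arming. Also `timeout * HZ` is a `u_int32_t` multiplication that overflows for values above `UINT_MAX / HZ`; reject or clamp large values (the existing timeout path has the same weakness, but new code need not copy it). The block mixes spaces and tabs for indentation.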
@@ -991,6 +1011,14 @@ ctnetlink_change_conntrack(struct ip_con
 			return err;
 	}
 
+#ifdef CONFIG_IP_NF_CT_FIXED_TIMEOUT
+	if (cda[CTA_FIXED_TIMEOUT-1]) {
+		err = ctnetlink_change_fixed_timeout(ct, cda);
+		if (err < 0)
+			return err;
+        }
+#endif
+
 	if (cda[CTA_STATUS-1]) {
 		err = ctnetlink_change_status(ct, cda);
 		if (err < 0)
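Review bot: the closing brace of the new `if (cda[CTA_FIXED_TIMEOUT-1])` block is indented with eight spaces while its opening line uses a tab; match the surrounding style.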
@@ -1030,7 +1058,15 @@ ctnetlink_create_conntrack(struct nfattr
 		goto err;
 	ct->timeout.expires = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1]));
 
+        /* we admit jiffies delay on timeout even if is fixed */
 	ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
+
+#ifdef CONFIG_IP_NF_CT_FIXED_TIMEOUT
+	if (cda[CTA_FIXED_TIMEOUT-1]) {
+                ct->fixed_timeout.expires = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_FIXED_TIMEOUT-1]));
+    }
+#endif
+        
 	ct->status |= IPS_CONFIRMED;
 
 	err = ctnetlink_change_status(ct, cda);
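Review bot: `ct->fixed_timeout.expires` is assigned the raw attribute value in seconds and never converted, whereas `ct->timeout.expires` is converted with `jiffies + ... * HZ` on the line above the block. When the fixed timer is armed later in this function its expiry is a small absolute jiffies value that is already in the past, so the entry is destroyed on the next tick regardless of the requested duration. Convert it the same way, e.g. `ct->fixed_timeout.expires = jiffies + ntohl(...) * HZ;`. The comment `we admit jiffies delay on timeout even if is fixed` does not say what it is guarding; either explain it or drop it.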
@@ -1051,6 +1087,13 @@ ctnetlink_create_conntrack(struct nfattr
 	ct->helper = ip_conntrack_helper_find_get(rtuple);
 
 	add_timer(&ct->timeout);
+
+#ifdef CONFIG_IP_NF_CT_FIXED_TIMEOUT
+	if (cda[CTA_FIXED_TIMEOUT-1]) {
+	        add_timer(&ct->fixed_timeout);
+    }
+#endif
+
 	ip_conntrack_hash_insert(ct);
 
 	if (ct->helper)
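Review bot: `add_timer(&ct->fixed_timeout)` is called with an `expires` that was set earlier in `ctnetlink_create_conntrack()` as a bare seconds count rather than a jiffies deadline; unless that assignment is converted with `jiffies + value * HZ`, this arms a timer that fires immediately. The closing brace is also misindented (four spaces).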
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 332acb3..e44158f 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -60,6 +60,18 @@ config NF_CONNTRACK_MARK
 	  of packets, but this mark value is kept in the conntrack session
 	  instead of the individual packets.
 
+config CONFIG_NF_CT_FIXED_TIMEOUT
+	bool  "Connection with fixed expiration delay (EXPERIMENTAL)"
+	depends on EXPERIMENTAL && NF_CONNTRACK
+	help
+	  If this option is enabled, the connection tracking code will
+	  be able to have connection that will expire automatically after
+          a given time.
+          
+	  This feature can be used with libnetfilter_conntrack library.
+
+	  If unsure, say `N'.
+
 config NF_CONNTRACK_EVENTS
 	bool "Connection tracking events (EXPERIMENTAL)"
 	depends on EXPERIMENTAL && NF_CONNTRACK
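Review bot: `config CONFIG_NF_CT_FIXED_TIMEOUT` defines the symbol `CONFIG_CONFIG_NF_CT_FIXED_TIMEOUT`, because Kconfig prepends `CONFIG_` itself. Every `#ifdef CONFIG_NF_CT_FIXED_TIMEOUT` in the nf_conntrack code therefore stays false and the feature cannot be enabled for nf_conntrack; it must read `config NF_CT_FIXED_TIMEOUT`. The help text has the same grammar (`have connection that will expire`) and space-indentation issues as the ipv4 Kconfig hunk, and the `bool` line has a double space.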
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 56389c8..7b0f2e8 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -572,6 +572,12 @@ destroy_conntrack(struct nf_conntrack *n
 	NF_CT_ASSERT(atomic_read(&nfct->use) == 0);
 	NF_CT_ASSERT(!timer_pending(&ct->timeout));
 
+#ifdef CONFIG_NF_CT_FIXED_TIMEOUT
+    if (timer_pending(&ct->fixed_timeout)) {
+        del_timer(&ct->fixed_timeout);
+    }
+#endif
+
 	nf_conntrack_event(IPCT_DESTROY, ct);
 	set_bit(IPS_DYING_BIT, &ct->status);
 
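Review bot: four-space indentation instead of a tab, and an extra blank line after `#endif`. As with the ip_conntrack variant, if the fixed timer can still be pending when the refcount reaches zero the reference accounting is already broken, so an `NF_CT_ASSERT(!timer_pending(&ct->fixed_timeout))` beside the existing one is preferable to a silent `del_timer()`.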
@@ -616,6 +622,16 @@ static void death_by_timeout(unsigned lo
 {
 	struct nf_conn *ct = (void *)ul_conntrack;
 
+#ifdef CONFIG_NF_CT_FIXED_TIMEOUT
+    /* delete the timer which has not timeout */
+    if (timer_pending(&ct->timeout)) {
+        del_timer(&ct->timeout);
+    }
+    if (timer_pending(&ct->fixed_timeout)) {
+        del_timer(&ct->fixed_timeout);
+    }
+#endif
+
 	write_lock_bh(&nf_conntrack_lock);
 	/* Inside lock so preempt is disabled on module removal path.
 	 * Otherwise we can get spurious warnings. */
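Review bot: both timers share `death_by_timeout()` and the `del_timer()` return values are ignored, so two handlers racing on different CPUs (idle and fixed timers expiring on the same tick) each find the other timer not pending, both run to completion, and the put at the end of `death_by_timeout()` is executed twice for one reference. Checking the `del_timer()` result alone does not distinguish "never armed" from "already running". A single timer whose `expires` is clamped to a stored fixed deadline in the refresh path avoids the problem and the extra `struct timer_list` per `nf_conn`.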
@@ -930,6 +946,13 @@ __nf_conntrack_alloc(const struct nf_con
 	conntrack->timeout.data = (unsigned long)conntrack;
 	conntrack->timeout.function = death_by_timeout;
 
+#ifdef CONFIG_NF_CT_FIXED_TIMEOUT
+	init_timer(&conntrack->fixed_timeout);
+	conntrack->fixed_timeout.data = (unsigned long)conntrack;
+	conntrack->fixed_timeout.function = death_by_timeout;
+#endif
+
+
 	atomic_inc(&nf_conntrack_count);
 out:
 	read_unlock_bh(&nf_ct_cache_lock);
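Review bot: the hunk adds two blank lines after `#endif` where one separates the other blocks in `__nf_conntrack_alloc()`; drop one.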
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 0e0e9d7..811560b 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -971,6 +971,26 @@ ctnetlink_change_timeout(struct nf_conn 
 	return 0;
 }
 
+#ifdef CONFIG_NF_CT_FIXED_TIMEOUT
+static inline int
+ctnetlink_change_fixed_timeout(struct ip_conntrack *ct, struct nfattr *cda[])
+{
+	u_int32_t timeout = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_FIXED_TIMEOUT-1]));
+	
+        /* test if timer has already been set */
+        if (timer_pending(&ct->fixed_timeout)){
+	        if (!del_timer(&ct->fixed_timeout))
+		        return -ETIME;
+        }
+
+	ct->fixed_timeout.expires = jiffies + timeout * HZ;
+	add_timer(&ct->fixed_timeout);
+
+	return 0;
+}
+#endif /* CONFIG_NF_CT_FIXED_TIMEOUT */ 
+
+
 static inline int
 ctnetlink_change_protoinfo(struct nf_conn *ct, struct nfattr *cda[])
 {
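Review bot: `ctnetlink_change_fixed_timeout()` in nf_conntrack_netlink.c takes `struct ip_conntrack *ct`, but this file works on `struct nf_conn` and `ctnetlink_change_conntrack()` passes an `nf_conn *`. The two structures have different layouts, so even where this compiles with a warning the function touches `fixed_timeout` at the wrong offset; change the parameter to `struct nf_conn *ct`, as in the sibling `ctnetlink_change_timeout()` above. The body is otherwise a copy of the ip_conntrack version and has the same missing liveness check before `add_timer()`, and there is trailing whitespace after the `#endif` comment plus two blank lines where one would do.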
@@ -1010,6 +1030,15 @@ ctnetlink_change_conntrack(struct nf_con
 			return err;
 	}
 
+
+#ifdef CONFIG_NF_CT_FIXED_TIMEOUT
+	if (cda[CTA_FIXED_TIMEOUT-1]) {
+		err = ctnetlink_change_fixed_timeout(ct, cda);
+		if (err < 0)
+			return err;
+        }
+#endif
+
 	if (cda[CTA_STATUS-1]) {
 		err = ctnetlink_change_status(ct, cda);
 		if (err < 0)
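Review bot: stray blank line added before `#ifdef`, and the closing brace of the new block is indented with eight spaces while its opening line uses a tab.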
@@ -1049,6 +1078,12 @@ ctnetlink_create_conntrack(struct nfattr
 		goto err;
 	ct->timeout.expires = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1]));
 
+#ifdef CONFIG_NF_CT_FIXED_TIMEOUT
+	if (cda[CTA_FIXED_TIMEOUT-1]) {
+                ct->fixed_timeout.expires = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_FIXED_TIMEOUT-1]));
+    }
+#endif
+ 
 	ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
 	ct->status |= IPS_CONFIRMED;
 
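Review bot: `ct->fixed_timeout.expires` receives the attribute's raw seconds value and is never converted to jiffies; the idle timer gets `jiffies + ct->timeout.expires * HZ` on the line after the block, but nothing equivalent is done for the fixed timer, so when it is armed later in this function it expires immediately. Apply the same conversion. The `+` line before `ct->timeout.expires` is whitespace only.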
@@ -1068,6 +1103,13 @@ ctnetlink_create_conntrack(struct nfattr
 #endif
 
 	add_timer(&ct->timeout);
+
+#ifdef CONFIG_NF_CT_FIXED_TIMEOUT
+	if (cda[CTA_FIXED_TIMEOUT-1]) {
+	        add_timer(&ct->fixed_timeout);
+    }
+#endif
+
 	nf_conntrack_hash_insert(ct);
 
 	DEBUGP("conntrack with id %u inserted\n", ct->id);
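Review bot: `add_timer(&ct->fixed_timeout)` arms a timer whose `expires` was set earlier in this function as a seconds count, not a jiffies deadline; without a `jiffies + value * HZ` conversion at that assignment the timer fires at once. The closing brace is misindented (four spaces).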



* [PATCH 2/3]  fixed duration connection
  2006-04-04  8:33 [PATCH 0/3] [RFC] fixed duration connection Eric Leblond
  2006-04-04  8:36 ` [PATCH 1/3] " Eric Leblond
@ 2006-04-04  8:38 ` Eric Leblond
  2006-04-04  8:41 ` [PATCH 3/3] [RFC] " Eric Leblond
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 26+ messages in thread
From: Eric Leblond @ 2006-04-04  8:38 UTC (permalink / raw)
  To: Netfilter Development Mailinglist; +Cc: nufw-devel



Hi,

This patch adds support for fixed duration connection in
libnetfilter_conntrack.

Best regards,
--
Eric Leblond <regit@inl.fr> for the NuFW Core Team
NuFW : http://www.nufw.org/

[-- Attachment #1.2: libnetfilter_conntrack_fixed_timeout.patch --]

Index: include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
===================================================================
--- include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h	(révision 6575)
+++ include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h	(copie de travail)
@@ -29,6 +29,7 @@
 	CTA_HELP,
 	CTA_NAT,
 	CTA_TIMEOUT,
+	CTA_FIXED_TIMEOUT,
 	CTA_MARK,
 	CTA_COUNTERS_ORIG,
 	CTA_COUNTERS_REPLY,
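Review bot: this adds `CTA_FIXED_TIMEOUT` unconditionally between `CTA_TIMEOUT` and `CTA_MARK`, shifting `CTA_MARK`, `CTA_COUNTERS_ORIG` and all later values by one. Against any kernel that predates patch 1/3, or one built without the option (where patch 1/3 leaves the enum unchanged), the library decodes the kernel's `CTA_MARK` as a fixed timeout and `CTA_COUNTERS_ORIG` as a mark. Keep kernel and library numbering identical by appending the attribute at the end of the enum in both.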
Index: include/libnetfilter_conntrack/libnetfilter_conntrack.h
===================================================================
--- include/libnetfilter_conntrack/libnetfilter_conntrack.h	(révision 6575)
+++ include/libnetfilter_conntrack/libnetfilter_conntrack.h	(copie de travail)
@@ -89,6 +89,7 @@
 	struct nfct_tuple tuple[NFCT_DIR_MAX];
 	
 	u_int32_t 	timeout;
+	u_int32_t 	fixed_timeout;
 	u_int32_t	mark;
 	u_int32_t 	status;
 	u_int32_t	use;
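Review bot: inserting `fixed_timeout` in the middle of `struct nfct_conntrack` shifts `mark`, `status`, `use` and every following field, so applications built against the previous header and run against the updated shared library read the wrong members. Add new fields at the end of the structure, or bump the library soname.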
@@ -125,19 +126,22 @@
 	NFCT_TIMEOUT_BIT = 2,
 	NFCT_TIMEOUT = (1 << NFCT_TIMEOUT_BIT),
 
-	NFCT_MARK_BIT = 3,
+        NFCT_FIXED_TIMEOUT_BIT = 3,
+	NFCT_FIXED_TIMEOUT = (1 << NFCT_FIXED_TIMEOUT_BIT),
+
+	NFCT_MARK_BIT = 4,
 	NFCT_MARK = (1 << NFCT_MARK_BIT),
 
-	NFCT_COUNTERS_ORIG_BIT = 4,
+	NFCT_COUNTERS_ORIG_BIT = 5,
 	NFCT_COUNTERS_ORIG = (1 << NFCT_COUNTERS_ORIG_BIT),
 
-	NFCT_COUNTERS_RPLY_BIT = 5,
+	NFCT_COUNTERS_RPLY_BIT = 6,
 	NFCT_COUNTERS_RPLY = (1 << NFCT_COUNTERS_RPLY_BIT),
 
-	NFCT_USE_BIT = 6,
+	NFCT_USE_BIT = 7,
 	NFCT_USE = (1 << NFCT_USE_BIT),
 
-	NFCT_ID_BIT = 7,
+	NFCT_ID_BIT = 8,
 	NFCT_ID = (1 << NFCT_ID_BIT)
 };
 
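Review bot: renumbering `NFCT_MARK_BIT` through `NFCT_ID_BIT` changes the value of every public flag from `NFCT_MARK` onward, so an application compiled against the old header passes `NFCT_MARK` (old bit 3) and the new library understands it as `NFCT_FIXED_TIMEOUT`. Give the new flag bit 8 after `NFCT_ID_BIT` instead of shifting the existing ones; that also reduces the hunk to two added lines. The `NFCT_FIXED_TIMEOUT_BIT` line is indented with spaces.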
Index: src/libnetfilter_conntrack.c
===================================================================
--- src/libnetfilter_conntrack.c	(révision 6575)
+++ src/libnetfilter_conntrack.c	(copie de travail)
@@ -548,6 +548,11 @@
 		flags |= NFCT_TIMEOUT;
 	}
 	
+        if (cda[CTA_FIXED_TIMEOUT-1]) {
+		ct.fixed_timeout = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_FIXED_TIMEOUT-1]));
+		flags |= NFCT_FIXED_TIMEOUT;
+	}
+
 	if (cda[CTA_MARK-1]) {
 		ct.mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
 		flags |= NFCT_MARK;
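Review bot: the `if (cda[CTA_FIXED_TIMEOUT-1])` line is indented with spaces while its body and the surrounding code use tabs.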
@@ -596,6 +601,13 @@
 	return sprintf(buf, "%u ", ct->timeout);
 }
 
+int nfct_sprintf_fixed_timeout(char *buf, struct nfct_conntrack *ct)
+{
+	return sprintf(buf, "%u ", ct->fixed_timeout);
+}
+
+
+
 int nfct_sprintf_protoinfo(char *buf, struct nfct_conntrack *ct)
 {
 	int size = 0;
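Review bot: three blank lines follow the new `nfct_sprintf_fixed_timeout()` where the file uses one between functions.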
@@ -664,7 +676,10 @@
 	if (flags & NFCT_TIMEOUT)
 		size += nfct_sprintf_timeout(buf+size, ct);
 
-        if (flags & NFCT_PROTOINFO)
+	if (flags & NFCT_FIXED_TIMEOUT)
+		size += nfct_sprintf_fixed_timeout(buf+size, ct);
+
+    if (flags & NFCT_PROTOINFO)
 		size += nfct_sprintf_protoinfo(buf+size, ct);
 
 	size += nfct_sprintf_address(buf+size, &ct->tuple[NFCT_DIR_ORIGINAL]);
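Review bot: `nfct_sprintf_fixed_timeout()` prints the value as a bare `%u `, exactly like the idle timeout before it, so a `conntrack -L` line now carries two unlabeled numbers, the second of which appears only when the flag is set; anything parsing the output cannot tell which field it is looking at. Print it with a distinguishing prefix (e.g. `fixed=%u `). This hunk also changes the indentation of the untouched `if (flags & NFCT_PROTOINFO)` line; leave it as it was.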
@@ -954,6 +969,7 @@
 	char buf[NFCT_BUFSIZE];
 	u_int32_t status = htonl(ct->status | IPS_CONFIRMED);
 	u_int32_t timeout = htonl(ct->timeout);
+	u_int32_t fixed_timeout = htonl(ct->fixed_timeout);
 	u_int32_t mark = htonl(ct->mark);
 	u_int8_t l3num = ct->tuple[NFCT_DIR_ORIGINAL].l3protonum;
 
@@ -975,6 +991,10 @@
 
 	nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_TIMEOUT, &timeout, 
 		       sizeof(u_int32_t));
+
+        if (fixed_timeout)
+	        nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_FIXED_TIMEOUT, &fixed_timeout, 
+		               sizeof(u_int32_t));
 	
 	if (ct->mark != 0)
 		nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_MARK, &mark,
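Review bot: the create request adds `CTA_FIXED_TIMEOUT` whenever the value is non-zero, with no way for the caller to know whether the kernel understands it. On a kernel without patch 1/3 the attribute number collides with that kernel's `CTA_MARK`, so a fixed timeout of 30 silently becomes a conntrack mark of 30 and the entry never expires as intended. Until the attribute number is stable across kernel configurations (see the header hunk), document the kernel requirement and consider refusing to send the attribute when the library cannot confirm support. Minor: the guard tests the already byte-swapped `fixed_timeout` here but `ct->fixed_timeout != 0` in the update path below; use one form, and the new lines are space-indented.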
@@ -993,6 +1013,7 @@
 	char buf[NFCT_BUFSIZE];
 	u_int32_t status = htonl(ct->status | IPS_CONFIRMED);
 	u_int32_t timeout = htonl(ct->timeout);
+	u_int32_t fixed_timeout = htonl(ct->fixed_timeout);
 	u_int32_t id = htonl(ct->id);
 	u_int32_t mark = htonl(ct->mark);
 	u_int8_t l3num = ct->tuple[NFCT_DIR_ORIGINAL].l3protonum;
@@ -1015,7 +1036,12 @@
 	if (ct->timeout != 0)
 		nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_TIMEOUT, &timeout, 
 			       sizeof(u_int32_t));
+
+        if (ct->fixed_timeout != 0)
+		nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_FIXED_TIMEOUT, &fixed_timeout, 
+			       sizeof(u_int32_t));
 	
+	
 	if (ct->mark != 0)
 		nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_MARK, &mark,
 			       sizeof(u_int32_t));
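Review bot: the `+` line holding a lone tab adds a whitespace-only line; drop it. The kernel-compatibility concern from the create path applies here too: on a kernel built without the option, `CTA_FIXED_TIMEOUT` is that kernel's `CTA_MARK`, so `conntrack -U -T 30` would rewrite the entry's mark instead of setting a deadline.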



* [PATCH 3/3]  [RFC] fixed duration connection
  2006-04-04  8:33 [PATCH 0/3] [RFC] fixed duration connection Eric Leblond
  2006-04-04  8:36 ` [PATCH 1/3] " Eric Leblond
  2006-04-04  8:38 ` [PATCH 2/3] " Eric Leblond
@ 2006-04-04  8:41 ` Eric Leblond
  2006-04-04  8:43 ` [PATCH 2/3] " Eric Leblond
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 26+ messages in thread
From: Eric Leblond @ 2006-04-04  8:41 UTC (permalink / raw)
  To: Netfilter Development Mailinglist; +Cc: nufw-devel



Hi,

This adds support for fixed duration connections to the conntrack tool.

Example:
	conntrack -U -T 30 ENTRY_SELECTOR
This sets the fixed timeout to 30 seconds. After this delay, the connection is
destroyed.

Best regards,
--
Eric Leblond <regit@inl.fr> for the NuFW Core Team
NuFW : http://www.nufw.org/

[-- Attachment #1.2: conntrack_fixed_timeout.patch --]

Index: include/conntrack.h
===================================================================
--- include/conntrack.h	(révision 6575)
+++ include/conntrack.h	(copie de travail)
@@ -85,37 +85,40 @@
 	CT_OPT_TIMEOUT_BIT	= 5,
 	CT_OPT_TIMEOUT		= (1 << CT_OPT_TIMEOUT_BIT),
 
-	CT_OPT_STATUS_BIT	= 6,
+	CT_OPT_FIXED_TIMEOUT_BIT	= 6,
+	CT_OPT_FIXED_TIMEOUT		= (1 << CT_OPT_FIXED_TIMEOUT_BIT),
+
+	CT_OPT_STATUS_BIT	= 7,
 	CT_OPT_STATUS		= (1 << CT_OPT_STATUS_BIT),
 
-	CT_OPT_ZERO_BIT		= 7,
+	CT_OPT_ZERO_BIT		= 8,
 	CT_OPT_ZERO		= (1 << CT_OPT_ZERO_BIT),
 
-	CT_OPT_EVENT_MASK_BIT	= 8,
+	CT_OPT_EVENT_MASK_BIT	= 9,
 	CT_OPT_EVENT_MASK	= (1 << CT_OPT_EVENT_MASK_BIT),
 
-	CT_OPT_EXP_SRC_BIT	= 9,
+	CT_OPT_EXP_SRC_BIT	= 10,
 	CT_OPT_EXP_SRC		= (1 << CT_OPT_EXP_SRC_BIT),
 
-	CT_OPT_EXP_DST_BIT	= 10,
+	CT_OPT_EXP_DST_BIT	= 11,
 	CT_OPT_EXP_DST		= (1 << CT_OPT_EXP_DST_BIT),
 
-	CT_OPT_MASK_SRC_BIT	= 11,
+	CT_OPT_MASK_SRC_BIT	= 12,
 	CT_OPT_MASK_SRC		= (1 << CT_OPT_MASK_SRC_BIT),
 
-	CT_OPT_MASK_DST_BIT	= 12,
+	CT_OPT_MASK_DST_BIT	= 13,
 	CT_OPT_MASK_DST		= (1 << CT_OPT_MASK_DST_BIT),
 
-	CT_OPT_NATRANGE_BIT	= 13,
+	CT_OPT_NATRANGE_BIT	= 14,
 	CT_OPT_NATRANGE		= (1 << CT_OPT_NATRANGE_BIT),
 
-	CT_OPT_MARK_BIT		= 14,
+	CT_OPT_MARK_BIT		= 15,
 	CT_OPT_MARK		= (1 << CT_OPT_MARK_BIT),
 
-	CT_OPT_ID_BIT		= 15,
+	CT_OPT_ID_BIT		= 16,
 	CT_OPT_ID		= (1 << CT_OPT_ID_BIT),
 
-	CT_OPT_FAMILY_BIT	= 16,
+	CT_OPT_FAMILY_BIT	= 17,
 	CT_OPT_FAMILY		= (1 << CT_OPT_FAMILY_BIT),
 
 	CT_OPT_MAX_BIT		= CT_OPT_FAMILY_BIT
Index: src/conntrack.c
===================================================================
--- src/conntrack.c	(révision 6575)
+++ src/conntrack.c	(copie de travail)
@@ -80,6 +80,7 @@
 	{"reply-dst", 1, 0, 'q'},
 	{"protonum", 1, 0, 'p'},
 	{"timeout", 1, 0, 't'},
+	{"Timeout", 1, 0, 'T'},
 	{"status", 1, 0, 'u'},
 	{"zero", 0, 0, 'z'},
 	{"event-mask", 1, 0, 'e'},
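Review bot: `--Timeout` differs from `--timeout` only by case, which is easy to mistype and unlike every other entry in the table (all lower-case, hyphenated); `--fixed-timeout` with the same `-T` short form would be clearer.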
@@ -569,6 +570,7 @@
 	"  -p, --protonum proto\t\tLayer 4 Protocol, eg. 'tcp'\n"
 	"  -f, --family proto\t\tLayer 3 Protocol, eg. 'ipv6'\n"
 	"  -t, --timeout timeout\t\tSet timeout\n"
+	"  -T, --Timeout fixed timeout\t\tSet fixed timeout\n"
 	"  -u, --status status\t\tSet status, eg. ASSURED\n"
 	"  -i, --id [id]\t\t\tShow or set conntrack ID\n"
 	;
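Review bot: the help line's argument placeholder `fixed timeout` contains a space, so it reads as two arguments; use a single word (e.g. `--fixed-timeout secs`) and match the tab count of the `-t` line above so the description columns align.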
@@ -595,6 +597,7 @@
 static struct nfct_conntrack *ct;
 static struct nfct_expect *exp;
 static unsigned long timeout;
+static unsigned long fixed_timeout;
 static unsigned int status;
 static unsigned int mark;
 static unsigned int id = NFCT_ANY_ID;
@@ -611,7 +614,7 @@
 	struct nfct_conntrack_compare *pcmp;
 
 	while ((c = getopt_long(argc, argv, 
-		"L::I::U::D::G::E::F::hVs:d:r:q:p:t:u:e:a:z[:]:{:}:m:i::f:", 
+		"L::I::U::D::G::E::F::hVs:d:r:q:p:t:T:u:e:a:z[:]:{:}:m:i::f:", 
 		opts, NULL)) != -1) {
 	switch(c) {
 		case 'L':
@@ -735,6 +738,12 @@
 			if (optarg)
 				timeout = atol(optarg);
 			break;
+		case 'T':
+			options |= CT_OPT_FIXED_TIMEOUT;
+			if (optarg)
+				fixed_timeout = atol(optarg);
+			break;
+
 		case 'u': {
 			if (!optarg)
 				continue;
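Review bot: `atol(optarg)` accepts `-1`, `abc` and `30x` without complaint; the result is stored in an `unsigned long`, later copied into the `u_int32_t fixed_timeout` of `struct nfct_conntrack`, and multiplied by HZ in the kernel. Parse with `strtoul()` and reject non-numeric or out-of-range input before setting `CT_OPT_FIXED_TIMEOUT`. The `-t` case has the same weakness, but the new code need not copy it. There is also a stray blank line before `case 'u'`.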
@@ -974,6 +983,9 @@
 		ct = nfct_conntrack_alloc(&orig, &reply, timeout,
 					  &proto, status, mark, id,
 					  NULL);
+        if (options & CT_OPT_FIXED_TIMEOUT) {
+            ct->fixed_timeout = fixed_timeout;
+        }
 		if (!ct)
 			exit_error(OTHER_PROBLEM, "Not enough memory");
 		
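Review bot: `ct->fixed_timeout = fixed_timeout;` runs before the `if (!ct) exit_error(...)` check that follows `nfct_conntrack_alloc()`, so an allocation failure becomes a NULL pointer dereference instead of the intended error message. Move the assignment below the check. The block is also indented with spaces rather than the file's tabs.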

[-- Attachment #2: Ceci est une partie de message numériquement signée --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 26+ messages in thread

* [PATCH 2/3]  fixed duration connection
  2006-04-04  8:33 [PATCH 0/3] [RFC] fixed duration connection Eric Leblond
                   ` (2 preceding siblings ...)
  2006-04-04  8:41 ` [PATCH 3/3] [RFC] " Eric Leblond
@ 2006-04-04  8:43 ` Eric Leblond
  2006-04-04  8:43 ` [PATCH 3/3] [RFC] " Eric Leblond
  2006-04-05 13:57 ` [PATCH 0/3] " Patrick McHardy
  5 siblings, 0 replies; 26+ messages in thread
From: Eric Leblond @ 2006-04-04  8:43 UTC (permalink / raw)
  To: Netfilter Development Mailinglist; +Cc: nufw-devel


[-- Attachment #1.1: Type: text/plain, Size: 192 bytes --]

Hi,

This patch adds support for fixed duration connection in
libnetfilter_conntrack.

Best regards,
--
Eric Leblond <regit@inl.fr> for the NuFW Core Team
NuFW : http://www.nufw.org/

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: libnetfilter_conntrack_fixed_timeout.patch --]
[-- Type: text/x-patch; name=libnetfilter_conntrack_fixed_timeout.patch; charset=us-ascii, Size: 4242 bytes --]

Index: include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
===================================================================
--- include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h	(révision 6575)
+++ include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h	(copie de travail)
@@ -29,6 +29,7 @@
 	CTA_HELP,
 	CTA_NAT,
 	CTA_TIMEOUT,
+	CTA_FIXED_TIMEOUT,
 	CTA_MARK,
 	CTA_COUNTERS_ORIG,
 	CTA_COUNTERS_REPLY,
Index: include/libnetfilter_conntrack/libnetfilter_conntrack.h
===================================================================
--- include/libnetfilter_conntrack/libnetfilter_conntrack.h	(révision 6575)
+++ include/libnetfilter_conntrack/libnetfilter_conntrack.h	(copie de travail)
@@ -89,6 +89,7 @@
 	struct nfct_tuple tuple[NFCT_DIR_MAX];
 	
 	u_int32_t 	timeout;
+	u_int32_t 	fixed_timeout;
 	u_int32_t	mark;
 	u_int32_t 	status;
 	u_int32_t	use;
@@ -125,19 +126,22 @@
 	NFCT_TIMEOUT_BIT = 2,
 	NFCT_TIMEOUT = (1 << NFCT_TIMEOUT_BIT),
 
-	NFCT_MARK_BIT = 3,
+        NFCT_FIXED_TIMEOUT_BIT = 3,
+	NFCT_FIXED_TIMEOUT = (1 << NFCT_FIXED_TIMEOUT_BIT),
+
+	NFCT_MARK_BIT = 4,
 	NFCT_MARK = (1 << NFCT_MARK_BIT),
 
-	NFCT_COUNTERS_ORIG_BIT = 4,
+	NFCT_COUNTERS_ORIG_BIT = 5,
 	NFCT_COUNTERS_ORIG = (1 << NFCT_COUNTERS_ORIG_BIT),
 
-	NFCT_COUNTERS_RPLY_BIT = 5,
+	NFCT_COUNTERS_RPLY_BIT = 6,
 	NFCT_COUNTERS_RPLY = (1 << NFCT_COUNTERS_RPLY_BIT),
 
-	NFCT_USE_BIT = 6,
+	NFCT_USE_BIT = 7,
 	NFCT_USE = (1 << NFCT_USE_BIT),
 
-	NFCT_ID_BIT = 7,
+	NFCT_ID_BIT = 8,
 	NFCT_ID = (1 << NFCT_ID_BIT)
 };
 
Index: src/libnetfilter_conntrack.c
===================================================================
--- src/libnetfilter_conntrack.c	(révision 6575)
+++ src/libnetfilter_conntrack.c	(copie de travail)
@@ -548,6 +548,11 @@
 		flags |= NFCT_TIMEOUT;
 	}
 	
+        if (cda[CTA_FIXED_TIMEOUT-1]) {
+		ct.fixed_timeout = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_FIXED_TIMEOUT-1]));
+		flags |= NFCT_FIXED_TIMEOUT;
+	}
+
 	if (cda[CTA_MARK-1]) {
 		ct.mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
 		flags |= NFCT_MARK;
@@ -596,6 +601,13 @@
 	return sprintf(buf, "%u ", ct->timeout);
 }
 
+int nfct_sprintf_fixed_timeout(char *buf, struct nfct_conntrack *ct)
+{
+	return sprintf(buf, "%u ", ct->fixed_timeout);
+}
+
+
+
 int nfct_sprintf_protoinfo(char *buf, struct nfct_conntrack *ct)
 {
 	int size = 0;
@@ -664,7 +676,10 @@
 	if (flags & NFCT_TIMEOUT)
 		size += nfct_sprintf_timeout(buf+size, ct);
 
-        if (flags & NFCT_PROTOINFO)
+	if (flags & NFCT_FIXED_TIMEOUT)
+		size += nfct_sprintf_fixed_timeout(buf+size, ct);
+
+    if (flags & NFCT_PROTOINFO)
 		size += nfct_sprintf_protoinfo(buf+size, ct);
 
 	size += nfct_sprintf_address(buf+size, &ct->tuple[NFCT_DIR_ORIGINAL]);
@@ -954,6 +969,7 @@
 	char buf[NFCT_BUFSIZE];
 	u_int32_t status = htonl(ct->status | IPS_CONFIRMED);
 	u_int32_t timeout = htonl(ct->timeout);
+	u_int32_t fixed_timeout = htonl(ct->fixed_timeout);
 	u_int32_t mark = htonl(ct->mark);
 	u_int8_t l3num = ct->tuple[NFCT_DIR_ORIGINAL].l3protonum;
 
@@ -975,6 +991,10 @@
 
 	nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_TIMEOUT, &timeout, 
 		       sizeof(u_int32_t));
+
+        if (fixed_timeout)
+	        nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_FIXED_TIMEOUT, &fixed_timeout, 
+		               sizeof(u_int32_t));
 	
 	if (ct->mark != 0)
 		nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_MARK, &mark,
@@ -993,6 +1013,7 @@
 	char buf[NFCT_BUFSIZE];
 	u_int32_t status = htonl(ct->status | IPS_CONFIRMED);
 	u_int32_t timeout = htonl(ct->timeout);
+	u_int32_t fixed_timeout = htonl(ct->fixed_timeout);
 	u_int32_t id = htonl(ct->id);
 	u_int32_t mark = htonl(ct->mark);
 	u_int8_t l3num = ct->tuple[NFCT_DIR_ORIGINAL].l3protonum;
@@ -1015,7 +1036,12 @@
 	if (ct->timeout != 0)
 		nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_TIMEOUT, &timeout, 
 			       sizeof(u_int32_t));
+
+        if (ct->fixed_timeout != 0)
+		nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_FIXED_TIMEOUT, &fixed_timeout, 
+			       sizeof(u_int32_t));
 	
+	
 	if (ct->mark != 0)
 		nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_MARK, &mark,
 			       sizeof(u_int32_t));

[-- Attachment #2: Ceci est une partie de message numériquement signée --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 26+ messages in thread

* [PATCH 3/3]  [RFC] fixed duration connection
  2006-04-04  8:33 [PATCH 0/3] [RFC] fixed duration connection Eric Leblond
                   ` (3 preceding siblings ...)
  2006-04-04  8:43 ` [PATCH 2/3] " Eric Leblond
@ 2006-04-04  8:43 ` Eric Leblond
  2006-04-05 13:57 ` [PATCH 0/3] " Patrick McHardy
  5 siblings, 0 replies; 26+ messages in thread
From: Eric Leblond @ 2006-04-04  8:43 UTC (permalink / raw)
  To: Netfilter Development Mailinglist; +Cc: nufw-devel


[-- Attachment #1.1: Type: text/plain, Size: 314 bytes --]

Hi,

This adds support for fixed duration connection to the conntrack tool.

Example : 
	conntrack -U -T 30 ENTRY_SELECTOR
This set fixed timeout to 30 sec. After this delay, the connection is
destroyed.

Best regards,
--
Eric Leblond <regit@inl.fr> for the NuFW Core Team
NuFW : http://www.nufw.org/

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: conntrack_fixed_timeout.patch --]
[-- Type: text/x-patch; name=conntrack_fixed_timeout.patch; charset=us-ascii, Size: 3414 bytes --]

Index: include/conntrack.h
===================================================================
--- include/conntrack.h	(révision 6575)
+++ include/conntrack.h	(copie de travail)
@@ -85,37 +85,40 @@
 	CT_OPT_TIMEOUT_BIT	= 5,
 	CT_OPT_TIMEOUT		= (1 << CT_OPT_TIMEOUT_BIT),
 
-	CT_OPT_STATUS_BIT	= 6,
+	CT_OPT_FIXED_TIMEOUT_BIT	= 6,
+	CT_OPT_FIXED_TIMEOUT		= (1 << CT_OPT_FIXED_TIMEOUT_BIT),
+
+	CT_OPT_STATUS_BIT	= 7,
 	CT_OPT_STATUS		= (1 << CT_OPT_STATUS_BIT),
 
-	CT_OPT_ZERO_BIT		= 7,
+	CT_OPT_ZERO_BIT		= 8,
 	CT_OPT_ZERO		= (1 << CT_OPT_ZERO_BIT),
 
-	CT_OPT_EVENT_MASK_BIT	= 8,
+	CT_OPT_EVENT_MASK_BIT	= 9,
 	CT_OPT_EVENT_MASK	= (1 << CT_OPT_EVENT_MASK_BIT),
 
-	CT_OPT_EXP_SRC_BIT	= 9,
+	CT_OPT_EXP_SRC_BIT	= 10,
 	CT_OPT_EXP_SRC		= (1 << CT_OPT_EXP_SRC_BIT),
 
-	CT_OPT_EXP_DST_BIT	= 10,
+	CT_OPT_EXP_DST_BIT	= 11,
 	CT_OPT_EXP_DST		= (1 << CT_OPT_EXP_DST_BIT),
 
-	CT_OPT_MASK_SRC_BIT	= 11,
+	CT_OPT_MASK_SRC_BIT	= 12,
 	CT_OPT_MASK_SRC		= (1 << CT_OPT_MASK_SRC_BIT),
 
-	CT_OPT_MASK_DST_BIT	= 12,
+	CT_OPT_MASK_DST_BIT	= 13,
 	CT_OPT_MASK_DST		= (1 << CT_OPT_MASK_DST_BIT),
 
-	CT_OPT_NATRANGE_BIT	= 13,
+	CT_OPT_NATRANGE_BIT	= 14,
 	CT_OPT_NATRANGE		= (1 << CT_OPT_NATRANGE_BIT),
 
-	CT_OPT_MARK_BIT		= 14,
+	CT_OPT_MARK_BIT		= 15,
 	CT_OPT_MARK		= (1 << CT_OPT_MARK_BIT),
 
-	CT_OPT_ID_BIT		= 15,
+	CT_OPT_ID_BIT		= 16,
 	CT_OPT_ID		= (1 << CT_OPT_ID_BIT),
 
-	CT_OPT_FAMILY_BIT	= 16,
+	CT_OPT_FAMILY_BIT	= 17,
 	CT_OPT_FAMILY		= (1 << CT_OPT_FAMILY_BIT),
 
 	CT_OPT_MAX_BIT		= CT_OPT_FAMILY_BIT
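Review bot: inserting CT_OPT_FIXED_TIMEOUT_BIT at 6 renumbers every later CT_OPT_*_BIT up to CT_OPT_FAMILY_BIT (now 17), which turns a one-flag addition into thirty lines of churn and changes every existing option value. Appending the new bit after CT_OPT_FAMILY_BIT and pointing CT_OPT_MAX_BIT at it would add the flag in three lines and leave the existing values untouched.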
Index: src/conntrack.c
===================================================================
--- src/conntrack.c	(révision 6575)
+++ src/conntrack.c	(copie de travail)
@@ -80,6 +80,7 @@
 	{"reply-dst", 1, 0, 'q'},
 	{"protonum", 1, 0, 'p'},
 	{"timeout", 1, 0, 't'},
+	{"Timeout", 1, 0, 'T'},
 	{"status", 1, 0, 'u'},
 	{"zero", 0, 0, 'z'},
 	{"event-mask", 1, 0, 'e'},
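Review bot: the new long option `{"Timeout", 1, 0, 'T'}` differs from the existing `timeout` only by case, which is easy to misread in a script and to mistype on the command line; a distinct name such as `fixed-timeout` would say what the option does and match the CT_OPT_FIXED_TIMEOUT flag it sets.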
@@ -569,6 +570,7 @@
 	"  -p, --protonum proto\t\tLayer 4 Protocol, eg. 'tcp'\n"
 	"  -f, --family proto\t\tLayer 3 Protocol, eg. 'ipv6'\n"
 	"  -t, --timeout timeout\t\tSet timeout\n"
+	"  -T, --Timeout fixed timeout\t\tSet fixed timeout\n"
 	"  -u, --status status\t\tSet status, eg. ASSURED\n"
 	"  -i, --id [id]\t\t\tShow or set conntrack ID\n"
 	;
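Review bot: in the usage text, `"  -T, --Timeout fixed timeout\t\tSet fixed timeout\n"` reads as two placeholders because of the space in the argument name, while every other entry uses a single word (`timeout`, `status`). A single placeholder and a description that states the difference from -t, e.g. `Set timeout that is not refreshed by traffic`, would tell the user what "fixed" means here.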
@@ -595,6 +597,7 @@
 static struct nfct_conntrack *ct;
 static struct nfct_expect *exp;
 static unsigned long timeout;
+static unsigned long fixed_timeout;
 static unsigned int status;
 static unsigned int mark;
 static unsigned int id = NFCT_ANY_ID;
@@ -611,7 +614,7 @@
 	struct nfct_conntrack_compare *pcmp;
 
 	while ((c = getopt_long(argc, argv, 
-		"L::I::U::D::G::E::F::hVs:d:r:q:p:t:u:e:a:z[:]:{:}:m:i::f:", 
+		"L::I::U::D::G::E::F::hVs:d:r:q:p:t:T:u:e:a:z[:]:{:}:m:i::f:", 
 		opts, NULL)) != -1) {
 	switch(c) {
 		case 'L':
@@ -735,6 +738,12 @@
 			if (optarg)
 				timeout = atol(optarg);
 			break;
+		case 'T':
+			options |= CT_OPT_FIXED_TIMEOUT;
+			if (optarg)
+				fixed_timeout = atol(optarg);
+			break;
+
 		case 'u': {
 			if (!optarg)
 				continue;
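Review bot: `case 'T'` copies the `case 't'` body, so a non-numeric argument becomes 0 and a negative one wraps to a huge value once `fixed_timeout` is stored into the library's u_int32_t field; parsing with strtoul() and rejecting a non-empty remainder would catch both, and the stray blank line after `break;` should go.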
@@ -974,6 +983,9 @@
 		ct = nfct_conntrack_alloc(&orig, &reply, timeout,
 					  &proto, status, mark, id,
 					  NULL);
+        if (options & CT_OPT_FIXED_TIMEOUT) {
+            ct->fixed_timeout = fixed_timeout;
+        }
 		if (!ct)
 			exit_error(OTHER_PROBLEM, "Not enough memory");
 		
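Review bot: `ct->fixed_timeout = fixed_timeout;` dereferences ct before the `if (!ct)` check that follows it, so an allocation failure now crashes instead of reaching `exit_error(OTHER_PROBLEM, "Not enough memory")`; move the assignment below the check. The three new lines are also indented with spaces where the surrounding code uses tabs.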



* Re: [PATCH 0/3]  [RFC] fixed duration connection
  2006-04-04  8:33 [PATCH 0/3] [RFC] fixed duration connection Eric Leblond
                   ` (4 preceding siblings ...)
  2006-04-04  8:43 ` [PATCH 3/3] [RFC] " Eric Leblond
@ 2006-04-05 13:57 ` Patrick McHardy
  2006-04-05 14:41   ` Eric Leblond
  2006-04-07 21:53   ` Eric Leblond
  5 siblings, 2 replies; 26+ messages in thread
From: Patrick McHardy @ 2006-04-05 13:57 UTC (permalink / raw)
  To: Eric Leblond; +Cc: Netfilter Development Mailinglist, nufw-devel

Eric Leblond wrote:
> Hi,
> 
> While working on NuFW development branch, we have had to
> implement policy just as :
>       * connection to server is authorised from 08h to 18h and
>         connection must be switched off at 18h.
> 
> Such features are frequently asked by customers or netfilter addicts but
> even with current conntrack related code, it can not be done cleanly.
> 
> Thus, we've added the notion of fixed duration before expiration to
> connection in the conntrack. (See extended information on bottom for
> details)
> 
> The following set of patches is against kernel (linus git tree),
> libnetfilter_conntrack, and conntrack tool.
> 
> -- Extended --
> 
> When trying to implement this feature with current connection tracking
> code, we have faced some issues :
>      1. userspace code has to duplicate conntrack entries, thus it's
>         complex and uses memory
>      2. there is no hope to have it done by a simple command line
>         (because of 1.)
>      3. if replication of conntrack in userspace is needed there will be
>         many synchronisation problems : stop and start of an
>         hypothetical "expiration" daemon would cause conntrack
>         duplication and/or loss of information ...
> 
> For this reason, we've worked on a simple kernel level implementation.
> This is done via a second "struct timer" that is added in connection
> structure. Activation of the timer, is for now done via userspace by
> using libnetfilter_conntrack or by using new option -T of the conntrack
> tool.

If I understand you correctly, a fixed timeout is just a timeout that
isn't refreshed, right? Why can't we just use the regular timers etc.
and add a flag that it should not be touched by ip_ct_refresh? This
would also eliminate the need for any ctnetlink changes since the
timeout value can already be specified.


* Re: [PATCH 0/3]  [RFC] fixed duration connection
  2006-04-05 13:57 ` [PATCH 0/3] " Patrick McHardy
@ 2006-04-05 14:41   ` Eric Leblond
  2006-04-07 21:53   ` Eric Leblond
  1 sibling, 0 replies; 26+ messages in thread
From: Eric Leblond @ 2006-04-05 14:41 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netfilter Development Mailinglist, NuFW devel


On Wednesday 05 April 2006 at 15:57 +0200, Patrick McHardy wrote:
> Eric Leblond wrote:
> > Hi,
> > 
> > While working on NuFW development branch, we have had to
> > implement policy just as :
> >       * connection to server is authorised from 08h to 18h and
> >         connection must be switched off at 18h.
> > For this reason, we've worked on a simple kernel level implementation.
> > This is done via a second "struct timer" that is added in connection
> > structure. Activation of the timer, is for now done via userspace by
> > using libnetfilter_conntrack or by using new option -T of the conntrack
> > tool.
> 
> If I understand you correctly, a fixed timeout is just a timeout that
> isn't refreshed, right?

Yes, exactly. 

>  Why can't we just use the regular timers etc.
> and add a flag that it should not be touched by ip_ct_refresh? This
> would also eliminate the need for any ctnetlink changes since the
> timeout value can already be specified.

This was my first attempt and this may be the good one. In fact I switched
to a second timer because we may have a fixed timeout that exceeds the
protocol timeout. Thus, the connection may be removed far too long after
what's needed. For example, we could have a UDP connection with a fixed
timeout of a couple of days, which is more than the protocol timeout.
In fact, this approach can introduce an overload of conntrack but the
second timer approach may cost more in terms of timer handling.

BR,
--
Eric Leblond <eric@inl.fr>
NuFW : http://www.nufw.org






* Re: [PATCH 0/3]  [RFC] fixed duration connection
  2006-04-05 13:57 ` [PATCH 0/3] " Patrick McHardy
  2006-04-05 14:41   ` Eric Leblond
@ 2006-04-07 21:53   ` Eric Leblond
  2006-04-07 21:57     ` [PATCH 1/3] [kernel patch] " Eric Leblond
                       ` (2 more replies)
  1 sibling, 3 replies; 26+ messages in thread
From: Eric Leblond @ 2006-04-07 21:53 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: eric, Netfilter Development Mailinglist, nufw-devel


Patrick McHardy wrote:
> Eric Leblond wrote:
>>For this reason, we've worked on a simple kernel level implementation.
>>This is done via a second "struct timer" that is added in connection
>>structure. Activation of the timer, is for now done via userspace by
>>using libnetfilter_conntrack or by using new option -T of the conntrack
>>tool.
> 
> 
> If I understand you correctly, a fixed timeout is just a timeout that
> isn't refreshed, right? Why can't we just use the regular timers etc.
> and add a flag that it should not be touched by ip_ct_refresh? This
> would also eliminate the need for any ctnetlink changes since the
> timeout value can already be specified.

A set of patches following this recommendation is to follow.

Big thanks to Patrick!
--
Eric Leblond



* Re: [PATCH 1/3] [kernel patch] fixed duration connection
  2006-04-07 21:53   ` Eric Leblond
@ 2006-04-07 21:57     ` Eric Leblond
  2006-04-08 19:56       ` Patrick McHardy
  2006-04-07 21:59     ` [PATCH 2/3] [libnetfilter_conntrack] " Eric Leblond
  2006-04-07 22:01     ` [PATCH 0/3] [conntrack] " Eric Leblond
  2 siblings, 1 reply; 26+ messages in thread
From: Eric Leblond @ 2006-04-07 21:57 UTC (permalink / raw)
  To: Eric Leblond
  Cc: Netfilter Development Mailinglist, Patrick McHardy, nufw-devel



Hi,

Here's the patch against Linus git tree.

It simply modifies enum ip_conntrack_status by adding a
IPS_FIXED_TIMEOUT field. This field is then checked at refresh time.

--
Regit

[-- Attachment #2: fixed_timeout-flag.patch --]

diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 3ff88c8..a827ce2 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -69,6 +69,13 @@ enum ip_conntrack_status {
 	/* Connection is dying (removed from lists), can not be unset. */
 	IPS_DYING_BIT = 9,
 	IPS_DYING = (1 << IPS_DYING_BIT),
+
+#if defined(CONFIG_IP_NF_CT_FIXED_TIMEOUT) || defined(CONFIG_NF_CT_FIXED_TIMEOUT)
+    /* Connection has fixed timeout. */
+	IPS_FIXED_TIMEOUT_BIT = 10,
+	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+#endif
+
 };
 
 /* Connection tracking event bits */
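Review bot: guarding the two enum members with `#if defined(CONFIG_IP_NF_CT_FIXED_TIMEOUT) || defined(CONFIG_NF_CT_FIXED_TIMEOUT)` makes IPS_FIXED_TIMEOUT vanish from a header that userspace copies (libnetfilter_conntrack and the conntrack tool in this series refer to it unconditionally), so those builds break against a kernel configured without the option. Define the bit unconditionally like every other IPS_* bit and keep any option for the behaviour only; the extra blank line before `};` and the space-indented comment also differ from the surrounding style.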
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
index d54d7b2..44f6e33 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -85,6 +85,7 @@ struct ip_conntrack
 	/* Timer function; drops refcnt when it goes off. */
 	struct timer_list timeout;
 
+
 #ifdef CONFIG_IP_NF_CT_ACCT
 	/* Accounting Information (same cache line as other written members) */
 	struct ip_conntrack_counter counters[IP_CT_DIR_MAX];
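Review bot: this hunk is whitespace only (a blank line added after `struct timer_list timeout;`) and should be dropped. Likewise the preceding `diff --git a/include/linux/netfilter/nfnetlink_conntrack.h ...` header carries no hunk at all and looks like a leftover from an earlier version of the patch.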
@@ -292,6 +293,13 @@ static inline int is_dying(struct ip_con
 	return test_bit(IPS_DYING_BIT, &ct->status);
 }
 
+#if defined(CONFIG_IP_NF_CT_FIXED_TIMEOUT) || defined(CONFIG_NF_CT_FIXED_TIMEOUT)
+static inline int is_fixedtimeout(struct ip_conntrack *ct)
+{
+	return test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status);
+}
+#endif
+
 extern unsigned int ip_conntrack_htable_size;
  
 #define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++)
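Review bot: is_fixedtimeout() exists only under the config guard, so every caller must be wrapped in the same `#if`; if the bit is defined unconditionally the helper can be too, named in the style of its neighbours is_confirmed() and is_dying(), i.e. is_fixed_timeout(). Note also that it is added only to the ip_conntrack header, while net/netfilter/Kconfig further down advertises the option for nf_conntrack as well.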
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 77855cc..1f306ec 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -46,6 +46,18 @@ config IP_NF_CT_ACCT
 
 	  If unsure, say `N'.
 
+config IP_NF_CT_FIXED_TIMEOUT
+	bool "Connection tracking fixed timeout (EXPERIMENTAL)"
+	depends on EXPERIMENTAL && IP_NF_CONNTRACK
+	help
+	  If this option is enabled, the connection tracking code will
+	  be able to have connection that will expire automatically after
+          a given time.
+          
+	  This feature can be used with libnetfilter_conntrack library.
+
+	  If unsure, say `N'.
+
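Review bot: the help text mixes tab and space indentation (`a given time.` and the trailing whitespace-only line are space-indented) and should read `have connections that expire automatically after a given time`. It would also help users to say that the timer is simply not refreshed by traffic, since that is the whole behaviour the option enables.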
 config IP_NF_CONNTRACK_MARK
 	bool  'Connection mark tracking support'
 	depends on IP_NF_CONNTRACK
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index ceaabc1..44fa788 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1130,18 +1130,27 @@ void __ip_ct_refresh_acct(struct ip_conn
 
 	write_lock_bh(&ip_conntrack_lock);
 
-	/* If not in hash table, timer will not be active yet */
-	if (!is_confirmed(ct)) {
-		ct->timeout.expires = extra_jiffies;
-		event = IPCT_REFRESH;
-	} else {
-		/* Need del_timer for race avoidance (may already be dying). */
-		if (del_timer(&ct->timeout)) {
-			ct->timeout.expires = jiffies + extra_jiffies;
-			add_timer(&ct->timeout);
-			event = IPCT_REFRESH;
-		}
-	}
+#if defined(CONFIG_IP_NF_CT_FIXED_TIMEOUT)  || defined(CONFIG_NF_CT_FIXED_TIMEOUT)
+    /* only update if this is not a fixed timeout */
+    if (! is_fixedtimeout(ct)){
+#endif
+        /* If not in hash table, timer will not be active yet */
+        if (!is_confirmed(ct)) {
+            ct->timeout.expires = extra_jiffies;
+            event = IPCT_REFRESH;
+        } else {
+            /* Need del_timer for race avoidance (may already be dying). */
+            if (del_timer(&ct->timeout)) {
+                ct->timeout.expires = jiffies + extra_jiffies;
+                add_timer(&ct->timeout);
+                event = IPCT_REFRESH;
+            }
+        }
+#if defined(CONFIG_IP_NF_CT_FIXED_TIMEOUT) 
+    } else {
+		DEBUGP("FIXED TIMEOUT: Not updating\n");
+    }
+#endif
 
 #ifdef CONFIG_IP_NF_CT_ACCT
 	if (do_acct) {
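Review bot: the opening guard is `#if defined(CONFIG_IP_NF_CT_FIXED_TIMEOUT)  || defined(CONFIG_NF_CT_FIXED_TIMEOUT)` but the closing one is `#if defined(CONFIG_IP_NF_CT_FIXED_TIMEOUT)` alone, so a build with only CONFIG_NF_CT_FIXED_TIMEOUT set emits `if (! is_fixedtimeout(ct)){` without its closing brace and fails to compile. Re-indenting the whole existing block with spaces also hides the real change; a single test at the top of the function keeps the diff to a few lines, but it must still let the CONFIG_IP_NF_CT_ACCT accounting below run for fixed-timeout entries.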
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index e2893ef..8c24fc4 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -60,6 +60,18 @@ config NF_CONNTRACK_MARK
 	  of packets, but this mark value is kept in the conntrack session
 	  instead of the individual packets.
 
+config CONFIG_NF_CT_FIXED_TIMEOUT
+	bool  "Connection with fixed expiration delay (EXPERIMENTAL)"
+	depends on EXPERIMENTAL && NF_CONNTRACK
+	help
+	  If this option is enabled, the connection tracking code will
+	  be able to have connection that will expire automatically after
+          a given time.
+          
+	  This feature can be used with libnetfilter_conntrack library.
+
+	  If unsure, say `N'.
+
 config NF_CONNTRACK_EVENTS
 	bool "Connection tracking events (EXPERIMENTAL)"
 	depends on EXPERIMENTAL && NF_CONNTRACK
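Review bot: `config CONFIG_NF_CT_FIXED_TIMEOUT` is wrong for Kconfig, which adds the CONFIG_ prefix itself; as written the option becomes CONFIG_CONFIG_NF_CT_FIXED_TIMEOUT and none of the `defined(CONFIG_NF_CT_FIXED_TIMEOUT)` tests in this patch can ever be true. The symbol should be `config NF_CT_FIXED_TIMEOUT`, and since the patch changes only ip_conntrack_core.c, nf_conntrack built with this option would define the bit yet still refresh the timer; either drop this entry or add the matching nf_conntrack change.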


* Re: [PATCH 2/3] [libnetfilter_conntrack] fixed duration connection
  2006-04-07 21:53   ` Eric Leblond
  2006-04-07 21:57     ` [PATCH 1/3] [kernel patch] " Eric Leblond
@ 2006-04-07 21:59     ` Eric Leblond
  2006-04-08 19:58       ` Patrick McHardy
  2006-04-07 22:01     ` [PATCH 0/3] [conntrack] " Eric Leblond
  2 siblings, 1 reply; 26+ messages in thread
From: Eric Leblond @ 2006-04-07 21:59 UTC (permalink / raw)
  To: Netfilter Development Mailinglist; +Cc: Patrick McHardy, nufw-devel


Hi,

This patch adds support for the IPS_FIXED_TIMEOUT state.

BR,
--
Regit

[-- Attachment #2: libnetfilter_conntrack_fixed_timeout-flag.patch --]

Index: include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
===================================================================
--- include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h	(révision 6576)
+++ include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h	(copie de travail)
@@ -29,6 +29,7 @@
 	CTA_HELP,
 	CTA_NAT,
 	CTA_TIMEOUT,
+	CTA_FIXED_TIMEOUT,
 	CTA_MARK,
 	CTA_COUNTERS_ORIG,
 	CTA_COUNTERS_REPLY,
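Review bot: inserting CTA_FIXED_TIMEOUT before CTA_MARK renumbers CTA_MARK and every attribute after it, and these numbers are the ctnetlink wire format shared with the kernel; a library built from this header would misparse CTA_MARK, CTA_COUNTERS_ORIG and the rest on any kernel without the identical change. New attributes must be appended at the end of the enum, and only once the kernel actually emits them, which the kernel patch in this series does not.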
Index: include/libnetfilter_conntrack/libnetfilter_conntrack.h
===================================================================
--- include/libnetfilter_conntrack/libnetfilter_conntrack.h	(révision 6576)
+++ include/libnetfilter_conntrack/libnetfilter_conntrack.h	(copie de travail)
@@ -89,6 +89,7 @@
 	struct nfct_tuple tuple[NFCT_DIR_MAX];
 	
 	u_int32_t 	timeout;
+	u_int32_t 	fixed_timeout;
 	u_int32_t	mark;
 	u_int32_t 	status;
 	u_int32_t	use;
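Review bot: adding `fixed_timeout` in the middle of the public `struct nfct_conntrack` shifts the offsets of mark, status and use, so applications compiled against the old header read the wrong fields from a library carrying this change; append new members at the end of the struct or treat the change as an ABI break.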
@@ -125,19 +126,22 @@
 	NFCT_TIMEOUT_BIT = 2,
 	NFCT_TIMEOUT = (1 << NFCT_TIMEOUT_BIT),
 
-	NFCT_MARK_BIT = 3,
+        NFCT_FIXED_TIMEOUT_BIT = 3,
+	NFCT_FIXED_TIMEOUT = (1 << NFCT_FIXED_TIMEOUT_BIT),
+
+	NFCT_MARK_BIT = 4,
 	NFCT_MARK = (1 << NFCT_MARK_BIT),
 
-	NFCT_COUNTERS_ORIG_BIT = 4,
+	NFCT_COUNTERS_ORIG_BIT = 5,
 	NFCT_COUNTERS_ORIG = (1 << NFCT_COUNTERS_ORIG_BIT),
 
-	NFCT_COUNTERS_RPLY_BIT = 5,
+	NFCT_COUNTERS_RPLY_BIT = 6,
 	NFCT_COUNTERS_RPLY = (1 << NFCT_COUNTERS_RPLY_BIT),
 
-	NFCT_USE_BIT = 6,
+	NFCT_USE_BIT = 7,
 	NFCT_USE = (1 << NFCT_USE_BIT),
 
-	NFCT_ID_BIT = 7,
+	NFCT_ID_BIT = 8,
 	NFCT_ID = (1 << NFCT_ID_BIT)
 };
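Review bot: the NFCT_* bit renumbering has the same compatibility cost as the struct change (the flag values are part of the library's exported interface), and `NFCT_FIXED_TIMEOUT_BIT = 3` is indented with spaces where the neighbouring lines use a tab; appending `NFCT_FIXED_TIMEOUT_BIT = 8` after NFCT_ID_BIT avoids both.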
 
Index: src/libnetfilter_conntrack.c
===================================================================
--- src/libnetfilter_conntrack.c	(révision 6576)
+++ src/libnetfilter_conntrack.c	(copie de travail)
@@ -548,6 +548,11 @@
 		flags |= NFCT_TIMEOUT;
 	}
 	
+        if (cda[CTA_FIXED_TIMEOUT-1]) {
+		ct.fixed_timeout = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_FIXED_TIMEOUT-1]));
+		flags |= NFCT_FIXED_TIMEOUT;
+	}
+
 	if (cda[CTA_MARK-1]) {
 		ct.mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
 		flags |= NFCT_MARK;
@@ -596,6 +601,13 @@
 	return sprintf(buf, "%u ", ct->timeout);
 }
 
+int nfct_sprintf_fixed_timeout(char *buf, struct nfct_conntrack *ct)
+{
+	return sprintf(buf, "%u ", ct->fixed_timeout);
+}
+
+
+
 int nfct_sprintf_protoinfo(char *buf, struct nfct_conntrack *ct)
 {
 	int size = 0;
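Review bot: nfct_sprintf_fixed_timeout() prints a bare `"%u "`, so in the formatted output a fixed timeout is indistinguishable from the regular timeout printed by nfct_sprintf_timeout() just above it; a prefix such as `fixed=%u ` would let a reader of the listing tell which entries will not be refreshed. The two extra blank lines after the function should go, and the function needs a prototype in libnetfilter_conntrack.h if it is meant to be public.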
@@ -664,7 +676,10 @@
 	if (flags & NFCT_TIMEOUT)
 		size += nfct_sprintf_timeout(buf+size, ct);
 
-        if (flags & NFCT_PROTOINFO)
+	if (flags & NFCT_FIXED_TIMEOUT)
+		size += nfct_sprintf_fixed_timeout(buf+size, ct);
+
+    if (flags & NFCT_PROTOINFO)
 		size += nfct_sprintf_protoinfo(buf+size, ct);
 
 	size += nfct_sprintf_address(buf+size, &ct->tuple[NFCT_DIR_ORIGINAL]);
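Review bot: the hunk rewrites the unchanged `if (flags & NFCT_PROTOINFO)` line only to change its indentation (eight spaces to four), which is unrelated churn; leave that line alone, or if it is touched at all, convert it to a tab like the lines around it.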
@@ -954,6 +969,7 @@
 	char buf[NFCT_BUFSIZE];
 	u_int32_t status = htonl(ct->status | IPS_CONFIRMED);
 	u_int32_t timeout = htonl(ct->timeout);
+	u_int32_t fixed_timeout = htonl(ct->fixed_timeout);
 	u_int32_t mark = htonl(ct->mark);
 	u_int8_t l3num = ct->tuple[NFCT_DIR_ORIGINAL].l3protonum;
 
@@ -975,6 +991,10 @@
 
 	nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_TIMEOUT, &timeout, 
 		       sizeof(u_int32_t));
+
+        if (fixed_timeout)
+	        nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_FIXED_TIMEOUT, &fixed_timeout, 
+		               sizeof(u_int32_t));
 	
 	if (ct->mark != 0)
 		nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_MARK, &mark,
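Review bot: `if (fixed_timeout)` tests the already byte-swapped value, which happens to work for a zero test but differs from the `if (ct->fixed_timeout != 0)` form used in the update path below and from the unconditional CTA_TIMEOUT attribute two lines above; pick one convention (test the host-order field) and indent the new lines with tabs.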
@@ -993,6 +1013,7 @@
 	char buf[NFCT_BUFSIZE];
 	u_int32_t status = htonl(ct->status | IPS_CONFIRMED);
 	u_int32_t timeout = htonl(ct->timeout);
+	u_int32_t fixed_timeout = htonl(ct->fixed_timeout);
 	u_int32_t id = htonl(ct->id);
 	u_int32_t mark = htonl(ct->mark);
 	u_int8_t l3num = ct->tuple[NFCT_DIR_ORIGINAL].l3protonum;
@@ -1015,7 +1036,12 @@
 	if (ct->timeout != 0)
 		nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_TIMEOUT, &timeout, 
 			       sizeof(u_int32_t));
+
+        if (ct->fixed_timeout != 0)
+		nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_FIXED_TIMEOUT, &fixed_timeout, 
+			       sizeof(u_int32_t));
 	
+	
 	if (ct->mark != 0)
 		nfnl_addattr_l(&req->nlh, sizeof(buf), CTA_MARK, &mark,
 			       sizeof(u_int32_t));
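Review bot: the added `+\t` line leaves two blank lines (one of them tab-only) between the new block and `if (ct->mark != 0)`; drop it, and indent `if (ct->fixed_timeout != 0)` with a tab like its neighbours.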


* Re: [PATCH 0/3]  [conntrack] fixed duration connection
  2006-04-07 21:53   ` Eric Leblond
  2006-04-07 21:57     ` [PATCH 1/3] [kernel patch] " Eric Leblond
  2006-04-07 21:59     ` [PATCH 2/3] [libnetfilter_conntrack] " Eric Leblond
@ 2006-04-07 22:01     ` Eric Leblond
  2006-04-07 22:08       ` [PATCH 3/3] " Eric Leblond
  2 siblings, 1 reply; 26+ messages in thread
From: Eric Leblond @ 2006-04-07 22:01 UTC (permalink / raw)
  To: Netfilter Development Mailinglist; +Cc: Patrick McHardy, nufw-devel


Hi,

This patch against the conntrack tool adds support for fixed connections. For
example:
 conntrack  -U -d 153.113.34.136 -s 192.168.11.32 -p tcp \\
	--orig-port-src 59119 --orig-port-dst 22 -t 10 \\
	-u ASSURED,SEEN_REPLY,FIXED_TIMEOUT
will fix the timeout of the connection to 10 seconds after the command.

BR,
--
Regit


* Re: [PATCH 3/3] [conntrack] fixed duration connection
  2006-04-07 22:01     ` [PATCH 0/3] [conntrack] " Eric Leblond
@ 2006-04-07 22:08       ` Eric Leblond
  0 siblings, 0 replies; 26+ messages in thread
From: Eric Leblond @ 2006-04-07 22:08 UTC (permalink / raw)
  To: Netfilter Development Mailinglist; +Cc: Patrick McHardy, nufw-devel



Hi again,

This is better with the patch...

All my apologies

BR,

Eric Leblond wrote:
> Hi,
> 
> This patch against the conntrack tool adds support for fixed connections. For
> example:
>  conntrack  -U -d 153.113.34.136 -s 192.168.11.32 -p tcp \\
> 	--orig-port-src 59119 --orig-port-dst 22 -t 10 \\
> 	-u ASSURED,SEEN_REPLY,FIXED_TIMEOUT
> will fix the timeout of the connection to 10 seconds after the command.
> 
> BR,



[-- Attachment #2: conntrack_fixed_timeout-flag.patch --]

Index: src/conntrack.c
===================================================================
--- src/conntrack.c	(révision 6578)
+++ src/conntrack.c	(copie de travail)
@@ -335,13 +335,13 @@
 #define PARSE_MAX 2
 
 static struct parse_parameter {
-	char 	*parameter[5];
+	char 	*parameter[6];
 	size_t  size;
-	unsigned int value[5];
+	unsigned int value[6];
 } parse_array[PARSE_MAX] = {
-	{ {"ASSURED", "SEEN_REPLY", "UNSET", "SRC_NAT", "DST_NAT"}, 5,
+	{ {"ASSURED", "SEEN_REPLY", "UNSET", "SRC_NAT", "DST_NAT","FIXED_TIMEOUT"}, 6,
 	  { IPS_ASSURED, IPS_SEEN_REPLY, 0, 
-	    IPS_SRC_NAT_DONE, IPS_DST_NAT_DONE} },
+	    IPS_SRC_NAT_DONE, IPS_DST_NAT_DONE, IPS_FIXED_TIMEOUT} },
 	{ {"ALL", "NEW", "UPDATES", "DESTROY"}, 4,
 	  {~0U, NF_NETLINK_CONNTRACK_NEW, NF_NETLINK_CONNTRACK_UPDATE, 
 	   NF_NETLINK_CONNTRACK_DESTROY} },
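Review bot: the `parse_array` growth is consistent (size 6 matches the six strings, and the second entry is unaffected because each entry is walked by its own `size`), but IPS_FIXED_TIMEOUT comes from the library's copy of the kernel status enum, so this builds only together with the libnetfilter_conntrack change from the same series. A space after the comma in `"DST_NAT","FIXED_TIMEOUT"` would match the rest of the initializer, and the `-u` usage line (`Set status, eg. ASSURED`) should mention the new keyword.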


* Re: [PATCH 1/3] [kernel patch] fixed duration connection
  2006-04-07 21:57     ` [PATCH 1/3] [kernel patch] " Eric Leblond
@ 2006-04-08 19:56       ` Patrick McHardy
  2006-04-08 20:55         ` Eric Leblond
  2006-04-12  8:38         ` Harald Welte
  0 siblings, 2 replies; 26+ messages in thread
From: Patrick McHardy @ 2006-04-08 19:56 UTC (permalink / raw)
  To: Eric Leblond; +Cc: Netfilter Development Mailinglist, nufw-devel

Eric Leblond wrote:
> Hi,
> 
> Here's the patch against Linus git tree.

I don't have any principle objections against merging this (if
there are no objections from others), a couple of comments
on the patch though.


+#if defined(CONFIG_IP_NF_CT_FIXED_TIMEOUT) ||
defined(CONFIG_NF_CT_FIXED_TIMEOUT)
+    /* Connection has fixed timeout. */
+	IPS_FIXED_TIMEOUT_BIT = 10,
+	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+#endif

Probably not worth adding a config option for this.

+
 };


@@ -85,6 +85,7 @@ struct ip_conntrack
 	/* Timer function; drops refcnt when it goes off. */
 	struct timer_list timeout;

+

Please remove this.

 #ifdef CONFIG_IP_NF_CT_ACCT
 	/* Accounting Information (same cache line as other written members) */
 	struct ip_conntrack_counter counters[IP_CT_DIR_MAX];
@@ -292,6 +293,13 @@ static inline int is_dying(struct ip_con
 	return test_bit(IPS_DYING_BIT, &ct->status);
 }

+#if defined(CONFIG_IP_NF_CT_FIXED_TIMEOUT) ||
defined(CONFIG_NF_CT_FIXED_TIMEOUT)
+static inline int is_fixedtimeout(struct ip_conntrack *ct)
+{
+	return test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status);
+}
+#endif

I guess without a separate config option we don't need this function
anymore.
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c
b/net/ipv4/netfilter/ip_conntrack_core.c
index ceaabc1..44fa788 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1130,18 +1130,27 @@ void __ip_ct_refresh_acct(struct ip_conn

 	write_lock_bh(&ip_conntrack_lock);

-	/* If not in hash table, timer will not be active yet */
-	if (!is_confirmed(ct)) {
-		ct->timeout.expires = extra_jiffies;
-		event = IPCT_REFRESH;
-	} else {
-		/* Need del_timer for race avoidance (may already be dying). */
-		if (del_timer(&ct->timeout)) {
-			ct->timeout.expires = jiffies + extra_jiffies;
-			add_timer(&ct->timeout);
-			event = IPCT_REFRESH;
-		}
-	}
+#if defined(CONFIG_IP_NF_CT_FIXED_TIMEOUT)  ||
defined(CONFIG_NF_CT_FIXED_TIMEOUT)
+    /* only update if this is not a fixed timeout */
+    if (! is_fixedtimeout(ct)){
+#endif
+        /* If not in hash table, timer will not be active yet */
+        if (!is_confirmed(ct)) {
+            ct->timeout.expires = extra_jiffies;
+            event = IPCT_REFRESH;
+        } else {
+            /* Need del_timer for race avoidance (may already be dying). */
+            if (del_timer(&ct->timeout)) {
+                ct->timeout.expires = jiffies + extra_jiffies;
+                add_timer(&ct->timeout);
+                event = IPCT_REFRESH;
+            }
+        }
+#if defined(CONFIG_IP_NF_CT_FIXED_TIMEOUT)
+    } else {
+		DEBUGP("FIXED TIMEOUT: Not updating\n");
+    }
+#endif

Please just do a simple

if (!test_bit(...))
	return;

at the beginning.


* Re: [PATCH 2/3] [libnetfilter_conntrack] fixed duration connection
  2006-04-07 21:59     ` [PATCH 2/3] [libnetfilter_conntrack] " Eric Leblond
@ 2006-04-08 19:58       ` Patrick McHardy
  2006-04-08 20:23         ` Eric Leblond
  0 siblings, 1 reply; 26+ messages in thread
From: Patrick McHardy @ 2006-04-08 19:58 UTC (permalink / raw)
  To: Eric Leblond; +Cc: Netfilter Development Mailinglist, nufw-devel

Eric Leblond wrote:
> Hi,
> 
> This patch add support for the IPS_FIXED_TIMEOUT state.
> 
> BR,
> --
> Regit
> 
> 
> ------------------------------------------------------------------------
> 
> Index: include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h
> ===================================================================
> --- include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h	(révision 6576)
> +++ include/libnetfilter_conntrack/linux_nfnetlink_conntrack.h	(copie de travail)
> @@ -29,6 +29,7 @@
>  	CTA_HELP,
>  	CTA_NAT,
>  	CTA_TIMEOUT,
> +	CTA_FIXED_TIMEOUT,
>  	CTA_MARK,
>  	CTA_COUNTERS_ORIG,
>  	CTA_COUNTERS_REPLY,

I didn't see the patch adding support for this in the kernel. Since
there is no separate fixed timeout anymore, this also looks obsolete.
The way I understood the kernel patch, you would just do two netlink
operations:

- set flag FIXED_TIMEOUT
- change timeout using CTA_TIMEOUT

Am I missing something?
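The refresh semantics discussed in this thread (a status bit that stops ip_ct_refresh from re-arming the timer, set from userspace together with the timeout) as an added userspace model; this is not code from the thread, the kernel or libnetfilter_conntrack. struct ct_entry, ct_refresh(), ct_set_fixed_timeout() and simulate() are hypothetical names, and a plain tick counter stands in for jiffies.

```c
/* Added example, not part of the thread: a userspace model of the patched
 * __ip_ct_refresh_acct() logic. It shows why a status bit that blocks the
 * refresh turns the ordinary conntrack timeout into a hard deadline, and
 * that the deadline may exceed the protocol's own timeout (the UDP case
 * raised in the thread). All names below are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

/* Bit number taken from the kernel patch in this thread. */
#define IPS_FIXED_TIMEOUT_BIT 10
#define IPS_FIXED_TIMEOUT     (1UL << IPS_FIXED_TIMEOUT_BIT)

struct ct_entry {
	unsigned long status;   /* bit set, like ct->status */
	unsigned long expires;  /* absolute tick, like ct->timeout.expires */
};

/* A freshly created entry gets the protocol's default timeout. */
static struct ct_entry ct_new(unsigned long now, unsigned long proto_timeout)
{
	struct ct_entry ct = { .status = 0, .expires = now + proto_timeout };
	return ct;
}

/* Mirrors the patched refresh path: the timer is re-armed only when the
 * entry is not marked fixed. Returns true when a refresh would happen. */
static bool ct_refresh(struct ct_entry *ct, unsigned long now,
		       unsigned long extra)
{
	if (ct->status & IPS_FIXED_TIMEOUT)
		return false;	/* fixed timeout: leave the timer alone */
	ct->expires = now + extra;
	return true;
}

/* The two userspace operations described in the thread: set the status
 * flag first, then set the timeout. In this order no packet arriving in
 * between can extend the timer again once the deadline is written. */
static void ct_set_fixed_timeout(struct ct_entry *ct, unsigned long now,
				 unsigned long timeout)
{
	ct->status |= IPS_FIXED_TIMEOUT;
	ct->expires = now + timeout;
}

/* Run a flow that sends a packet every `interval` ticks (0 = no traffic)
 * for `total` ticks, refreshing with `proto_timeout` on each packet.
 * Returns the tick at which the entry expired, or 0 if it outlived the run. */
static unsigned long simulate(bool fixed, unsigned long fixed_timeout,
			      unsigned long proto_timeout,
			      unsigned long interval, unsigned long total)
{
	struct ct_entry ct = ct_new(0, proto_timeout);

	if (fixed)
		ct_set_fixed_timeout(&ct, 0, fixed_timeout);

	for (unsigned long now = 0; now < total; now++) {
		if (now >= ct.expires)
			return now;	/* timer fired: entry destroyed */
		if (interval && now % interval == 0)
			ct_refresh(&ct, now, proto_timeout);	/* packet seen */
	}
	return 0;
}

int main(void)
{
	/* A refreshed entry with steady traffic never expires ... */
	printf("refreshed, packet every 10 ticks: expired at %lu\n",
	       simulate(false, 0, 30, 10, 100));
	/* ... but the same traffic cannot extend a fixed timeout of 50. */
	printf("fixed 50, packet every 10 ticks:  expired at %lu\n",
	       simulate(true, 50, 30, 10, 100));
	/* A fixed timeout longer than the protocol timeout (30) also holds. */
	printf("fixed 200, no traffic:            expired at %lu\n",
	       simulate(true, 200, 30, 0, 300));
	return 0;
}
```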


* Re: [PATCH 2/3] [libnetfilter_conntrack] fixed duration connection
  2006-04-08 19:58       ` Patrick McHardy
@ 2006-04-08 20:23         ` Eric Leblond
  0 siblings, 0 replies; 26+ messages in thread
From: Eric Leblond @ 2006-04-08 20:23 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netfilter Development Mailinglist, nufw-devel


Patrick McHardy wrote:
> Eric Leblond wrote:
> 
>>Hi,
>>
>>This patch add support for the IPS_FIXED_TIMEOUT state.

> I didn't see the patch adding support for this in the kernel. Since
> there is no seperate fixed timeout anymore, this also looks obsolete.
> The way I understood the kernel patch, you would just do two netlink
> operations:
> 
> - set flag FIXED_TIMEOUT
> - change timeout using CTA_TIMEOUT
> 
> Am I missing something?

Clearly not. I was a little bit too tired yesterday and I've done a "svn
diff" in the bad directory. Please ignore previous patch and consider
this far smaller one.

Best regards,
--
Eric Leblond


[-- Attachment #2: libnetfilter_conntrack_fixed_timeout-flag.patch --]

Index: include/libnetfilter_conntrack/libnetfilter_conntrack.h
===================================================================
--- include/libnetfilter_conntrack/libnetfilter_conntrack.h	(révision 6578)
+++ include/libnetfilter_conntrack/libnetfilter_conntrack.h	(copie de travail)
@@ -191,6 +191,11 @@
 	/* Connection is dying (removed from lists), can not be unset. */
 	IPS_DYING_BIT = 9,
 	IPS_DYING = (1 << IPS_DYING_BIT),
+
+    /* Connection has fixed timeout. */
+	IPS_FIXED_TIMEOUT_BIT = 10,
+	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+
 };
 
 enum {
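Review bot: this mirrors the kernel enum exactly, which is what matters for a copied header; two small style points remain: `/* Connection has fixed timeout. */` is space-indented while the members use tabs, and the trailing blank line before `};` adds nothing.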


* Re: [PATCH 1/3] [kernel patch] fixed duration connection
  2006-04-08 19:56       ` Patrick McHardy
@ 2006-04-08 20:55         ` Eric Leblond
  2006-04-11 16:22           ` Patrick McHardy
  2006-04-12  8:38         ` Harald Welte
  1 sibling, 1 reply; 26+ messages in thread
From: Eric Leblond @ 2006-04-08 20:55 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netfilter Development Mailinglist, nufw-devel



Hi again,

I followed your recommendation and here's the patch.

Patrick McHardy wrote:
> Eric Leblond wrote:
> 
>>Hi,
>>
>>Here's the patch against Linus git tree.
> 
> 
> I don't have any principle objections against merging this (if
> there are no objections from others), a couple of comments
> on the patch though.

BR and thanks a lot for your help,
--
Eric Leblond

[-- Attachment #2: fixed_timeout-flag.patch --]

diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 3ff88c8..68d282d 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -69,6 +69,11 @@ enum ip_conntrack_status {
 	/* Connection is dying (removed from lists), can not be unset. */
 	IPS_DYING_BIT = 9,
 	IPS_DYING = (1 << IPS_DYING_BIT),
+
+    /* Connection has fixed timeout. */
+	IPS_FIXED_TIMEOUT_BIT = 10,
+	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+
 };
 
 /* Connection tracking event bits */
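Review bot: `/* Connection has fixed timeout. */` is indented with spaces where the members use tabs, and there is a stray blank line before `};`. Since the neighbouring comments describe what each bit means for the core, this one should also say that the bit is set from userspace and makes the refresh path leave the timer alone.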
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index ceaabc1..d9dbe0f 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1130,18 +1130,21 @@ void __ip_ct_refresh_acct(struct ip_conn
 
 	write_lock_bh(&ip_conntrack_lock);
 
-	/* If not in hash table, timer will not be active yet */
-	if (!is_confirmed(ct)) {
-		ct->timeout.expires = extra_jiffies;
-		event = IPCT_REFRESH;
-	} else {
-		/* Need del_timer for race avoidance (may already be dying). */
-		if (del_timer(&ct->timeout)) {
-			ct->timeout.expires = jiffies + extra_jiffies;
-			add_timer(&ct->timeout);
-			event = IPCT_REFRESH;
-		}
-	}
+    /* only update if this is not a fixed timeout */
+    if (! test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)){
+        /* If not in hash table, timer will not be active yet */
+        if (!is_confirmed(ct)) {
+            ct->timeout.expires = extra_jiffies;
+            event = IPCT_REFRESH;
+        } else {
+            /* Need del_timer for race avoidance (may already be dying). */
+            if (del_timer(&ct->timeout)) {
+                ct->timeout.expires = jiffies + extra_jiffies;
+                add_timer(&ct->timeout);
+                event = IPCT_REFRESH;
+            }
+        }
+    }
 
 #ifdef CONFIG_IP_NF_CT_ACCT
 	if (do_acct) {
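Review bot: wrapping the whole timer-update block in `if (! test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)){` re-indents it with four-space indentation (the surrounding code uses tabs), and the `(! test_bit` spacing and missing space before `{` are not kernel style; a single early exit would keep the diff to a few lines. Note that with this shape the `#ifdef CONFIG_IP_NF_CT_ACCT` / `if (do_acct)` block below still runs for fixed-timeout entries; if this is converted to an early `return`, that behaviour changes, and any `return` placed after `write_lock_bh(&ip_conntrack_lock)` must unlock first.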


* Re: [PATCH 1/3] [kernel patch] fixed duration connection
  2006-04-08 20:55         ` Eric Leblond
@ 2006-04-11 16:22           ` Patrick McHardy
  2006-04-11 20:20             ` Eric Leblond
  0 siblings, 1 reply; 26+ messages in thread
From: Patrick McHardy @ 2006-04-11 16:22 UTC (permalink / raw)
  To: Eric Leblond; +Cc: Netfilter Development Mailinglist, nufw-devel

Eric Leblond wrote:
> I followed your recommendation and here's the patch.

Seems you missed one in the noise :)

------------------------------------------------------------------------

diff --git a/net/ipv4/netfilter/ip_conntrack_core.c
b/net/ipv4/netfilter/ip_conntrack_core.c
index ceaabc1..d9dbe0f 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1130,18 +1130,21 @@ void __ip_ct_refresh_acct(struct ip_conn

 	write_lock_bh(&ip_conntrack_lock);
-------
Please just do:
	if (test_bit(...))
		return;
-------

-	/* If not in hash table, timer will not be active yet */
-	if (!is_confirmed(ct)) {
-		ct->timeout.expires = extra_jiffies;
-		event = IPCT_REFRESH;
-	} else {
-		/* Need del_timer for race avoidance (may already be dying). */
-		if (del_timer(&ct->timeout)) {
-			ct->timeout.expires = jiffies + extra_jiffies;
-			add_timer(&ct->timeout);
-			event = IPCT_REFRESH;
-		}
-	}
+    /* only update if this is not a fixed timeout */
+    if (! test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)){
+        /* If not in hash table, timer will not be active yet */
+        if (!is_confirmed(ct)) {
+            ct->timeout.expires = extra_jiffies;
+            event = IPCT_REFRESH;
+        } else {
+            /* Need del_timer for race avoidance (may already be dying). */
+            if (del_timer(&ct->timeout)) {
+                ct->timeout.expires = jiffies + extra_jiffies;
+                add_timer(&ct->timeout);
+                event = IPCT_REFRESH;
+            }
+        }
+    }

 #ifdef CONFIG_IP_NF_CT_ACCT
 	if (do_acct) {
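Review bot: the suggested `if (test_bit(...)) return;` would sit right after `write_lock_bh(&ip_conntrack_lock);` in this hunk, so it has to call `write_unlock_bh(&ip_conntrack_lock)` before returning or the function exits with the lock held. It also skips the `if (do_acct)` accounting that follows the timer block, which the wrapped-`if` form in the posted hunk does not; worth deciding explicitly whether fixed-timeout entries should keep accounting.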


* Re: [PATCH 1/3] [kernel patch] fixed duration connection
  2006-04-11 16:22           ` Patrick McHardy
@ 2006-04-11 20:20             ` Eric Leblond
  0 siblings, 0 replies; 26+ messages in thread
From: Eric Leblond @ 2006-04-11 20:20 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Netfilter Development Mailinglist, nufw-devel


Patrick McHardy wrote:
> Eric Leblond wrote:
> 
>>I followed your recommendation and here's the patch.
> 
> 
> Seems you missed one in the noise :)

Here it is.

Thank you very much for your patience.

humm, google define:patience gives me :
	good-natured tolerance of delay or incompetence
Definition looks really good this time ;-)

BR,
--
Eric Leblond

[-- Attachment #2: fixed_timeout-flag.patch --]
[-- Type: text/x-patch, Size: 1145 bytes --]

diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 3ff88c8..68d282d 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -69,6 +69,11 @@ enum ip_conntrack_status {
 	/* Connection is dying (removed from lists), can not be unset. */
 	IPS_DYING_BIT = 9,
 	IPS_DYING = (1 << IPS_DYING_BIT),
+
+    /* Connection has fixed timeout. */
+	IPS_FIXED_TIMEOUT_BIT = 10,
+	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+
 };
 
 /* Connection tracking event bits */
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index ceaabc1..b3d2f92 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1130,6 +1130,10 @@ void __ip_ct_refresh_acct(struct ip_conn
 
 	write_lock_bh(&ip_conntrack_lock);
 
+	/* Only update if this is not a fixed timeout */
+	if (! test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status))
+		return;
+
 	/* If not in hash table, timer will not be active yet */
 	if (!is_confirmed(ct)) {
 		ct->timeout.expires = extra_jiffies;
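Review bot: the condition is inverted. `if (! test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)) return;` exits for every connection that does not carry the flag, so ordinary connections would never have their timeout refreshed while fixed-timeout ones would; it should read `if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status))`. The `return` also leaves `ip_conntrack_lock` held, since `write_lock_bh(&ip_conntrack_lock)` is taken two lines earlier; call `write_unlock_bh(&ip_conntrack_lock)` before returning.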


* Re: [PATCH 1/3] [kernel patch] fixed duration connection
  2006-04-08 19:56       ` Patrick McHardy
  2006-04-08 20:55         ` Eric Leblond
@ 2006-04-12  8:38         ` Harald Welte
  2006-04-12 10:48           ` Harald Welte
  1 sibling, 1 reply; 26+ messages in thread
From: Harald Welte @ 2006-04-12  8:38 UTC (permalink / raw)
  To: Patrick McHardy
  Cc: Netfilter Development Mailinglist, nufw-devel, Eric Leblond


On Sat, Apr 08, 2006 at 09:56:52PM +0200, Patrick McHardy wrote:
> I don't have any principle objections against merging this (if
> there are no objections from others), a couple of comments
> on the patch though.

Well, if we merge it for ip_conntrack, we _have_ to also merge it into
nf_conntrack for consistency reasons.

> +#if defined(CONFIG_IP_NF_CT_FIXED_TIMEOUT) ||
> defined(CONFIG_NF_CT_FIXED_TIMEOUT)
> +    /* Connection has fixed timeout. */
> +	IPS_FIXED_TIMEOUT_BIT = 10,
> +	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
> +#endif
> 
> Probably not worth adding a config option for this.

not for the bit, but in general we would need one, otherwise we have an
(extremely large) timer entry per conntrack...

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie



* Re: [PATCH 1/3] [kernel patch] fixed duration connection
  2006-04-12  8:38         ` Harald Welte
@ 2006-04-12 10:48           ` Harald Welte
  2006-04-12 19:06             ` Patrick McHardy
  0 siblings, 1 reply; 26+ messages in thread
From: Harald Welte @ 2006-04-12 10:48 UTC (permalink / raw)
  To: Patrick McHardy, Eric Leblond, Netfilter Development Mailinglist,
	nufw-devel


On Wed, Apr 12, 2006 at 10:38:36AM +0200, Harald Welte wrote:

> not for the bit, but in general we would need one, otherwise we have an
> (extremely large) timer entry per conntrack...

Sorry, I read the wrong version of the patch.  Ignore that comment ;)

I don't think we need a config option, but actually could enable this
statically.

-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/



* Re: [PATCH 1/3] [kernel patch] fixed duration connection
  2006-04-12 10:48           ` Harald Welte
@ 2006-04-12 19:06             ` Patrick McHardy
  2006-04-13 16:17               ` Eric Leblond
  0 siblings, 1 reply; 26+ messages in thread
From: Patrick McHardy @ 2006-04-12 19:06 UTC (permalink / raw)
  To: Harald Welte; +Cc: Netfilter Development Mailinglist, nufw-devel, Eric Leblond

Harald Welte wrote:
> I don't think we need a config option, but actually could enable this
> statically.

OK, I'm going to queue this for 2.6.18 then.

Eric, can you please add nf_conntrack support and repost the entire
patchset? Thanks.


* Re: [PATCH 1/3] [kernel patch] fixed duration connection
  2006-04-12 19:06             ` Patrick McHardy
@ 2006-04-13 16:17               ` Eric Leblond
  2006-04-21  2:30                 ` Patrick McHardy
  0 siblings, 1 reply; 26+ messages in thread
From: Eric Leblond @ 2006-04-13 16:17 UTC (permalink / raw)
  To: Patrick McHardy
  Cc: Harald Welte, Netfilter Development Mailinglist, nufw-devel,
	Eric Leblond


> Harald Welte wrote:
>> I don't think we need a config option, but actually could enable this
>> statically.
>
> OK, I'm going to queue this for 2.6.18 then.

That's GREAT news, I've already found people who love this new feature.

>
> Eric, can you please add nf_conntrack support and repost the entire
> patchset? Thanks.

Here it is.

I've done
       if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)){
               write_unlock_bh(&ip_conntrack_lock);
               return;
       }
to unlock before leaving the function.

Best regards,
--
Eric Leblond

[-- Attachment #2: fixed_timeout-flag.patch --]
[-- Type: text/x-patch; name="fixed_timeout-flag.patch", Size: 2117 bytes --]

diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 3ff88c8..68d282d 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -69,6 +69,11 @@ enum ip_conntrack_status {
 	/* Connection is dying (removed from lists), can not be unset. */
 	IPS_DYING_BIT = 9,
 	IPS_DYING = (1 << IPS_DYING_BIT),
+
+    /* Connection has fixed timeout. */
+	IPS_FIXED_TIMEOUT_BIT = 10,
+	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+
 };
 
 /* Connection tracking event bits */
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
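Review bot: the `diff --git` entries for `include/linux/netfilter/nfnetlink_conntrack.h`, `include/linux/netfilter_ipv4/ip_conntrack.h` and `net/ipv4/netfilter/Kconfig` (and `net/netfilter/Kconfig` further down) have no `index` line and no hunks, so they are empty entries, presumably left over from the earlier config-option version of the patch; regenerate the patch so that only files with real changes appear.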
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index ceaabc1..d34edd7 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1130,6 +1130,12 @@ void __ip_ct_refresh_acct(struct ip_conn
 
 	write_lock_bh(&ip_conntrack_lock);
 
+	/* Only update if this is not a fixed timeout */
+	if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)){
+		write_unlock_bh(&ip_conntrack_lock);
+		return;
+	}
+
 	/* If not in hash table, timer will not be active yet */
 	if (!is_confirmed(ct)) {
 		ct->timeout.expires = extra_jiffies;
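Review bot: returning here means fixed-timeout connections stop being accounted: as the 2006-04-08 version of this hunk shows, the `#ifdef CONFIG_IP_NF_CT_ACCT` / `if (do_acct)` block follows the timer update in `__ip_ct_refresh_acct`, and the early `return` now bypasses it, so packet and byte counters for such entries freeze. If that is not intended, guard only the timer update (wrap just that block, or jump past it to the accounting section). The locking is right now (`write_unlock_bh` before `return`); one style nit, `&ct->status)){` is missing the space before `{`.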
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 56389c8..a880692 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1403,6 +1403,12 @@ void __nf_ct_refresh_acct(struct nf_conn
 
 	write_lock_bh(&nf_conntrack_lock);
 
+	/* Only update if this is not a fixed timeout */
+	if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)) {
+		write_unlock_bh(&nf_conntrack_lock);
+		return;
+	}
+
 	/* If not in hash table, timer will not be active yet */
 	if (!nf_ct_is_confirmed(ct)) {
 		ct->timeout.expires = extra_jiffies;
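Review bot: brace spacing differs between the two core hunks of this patch (`)) {` here versus `)){` in the ip_conntrack hunk); use the kernel form with the space in both. The early-return-before-accounting question raised for `__ip_ct_refresh_acct` applies equally to `__nf_ct_refresh_acct` if its accounting section follows the timer update in the same way.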

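The check Eric describes above (test the bit, unlock, return) and the refresh logic of the hunks, modelled in plain user-space C as an added example. This is not the patch's or the kernel's code: `struct conn`, the `IPS_CONFIRMED` value, the lock counter and `conn_refresh_acct()` are assumptions of the model, and only the `IPS_FIXED_TIMEOUT` bit value is taken from the patch. It shows in behaviour what the reviewers' points amount to: traffic cannot move a fixed-timeout entry's deadline, the lock is released on the early path, and, because the check precedes the accounting step, a fixed-timeout entry's counters stop updating.

```c
/*
 * Added example, not code from the patch or the kernel: a user-space model
 * of the fixed-timeout check that this thread adds to __ip_ct_refresh_acct().
 * struct conn, the IPS_CONFIRMED value, the lock helpers and
 * conn_refresh_acct() are this model's own assumptions; only the
 * IPS_FIXED_TIMEOUT bit value (10) is taken from the patch.
 */
#include <stdbool.h>
#include <stdio.h>

enum {
	IPS_CONFIRMED_BIT = 3,                          /* hypothetical: marks "in hash table" */
	IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
	IPS_FIXED_TIMEOUT_BIT = 10,                     /* as in the patch */
	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
};

struct conn {
	unsigned long status;    /* IPS_* flag bits */
	unsigned long expires;   /* absolute tick at which the entry dies */
	unsigned long packets;   /* stand-in for CONFIG_IP_NF_CT_ACCT counters */
};

static unsigned long jiffies;    /* model of the kernel tick counter */
static int lock_depth;           /* model of ip_conntrack_lock: 0 = free */

static void conntrack_lock(void)   { lock_depth++; }
static void conntrack_unlock(void) { lock_depth--; }

/*
 * Model of the patched refresh path. Returns true when the timer was moved.
 * The order mirrors the hunk: lock, flag check with early exit, timer
 * update, then accounting.
 */
static bool conn_refresh_acct(struct conn *ct, unsigned long extra_jiffies, bool do_acct)
{
	conntrack_lock();

	/* Fixed-timeout entries keep their deadline; unlock before leaving. */
	if (ct->status & IPS_FIXED_TIMEOUT) {
		conntrack_unlock();
		return false;
	}

	if (!(ct->status & IPS_CONFIRMED))
		ct->expires = extra_jiffies;           /* timer not armed yet: relative value */
	else
		ct->expires = jiffies + extra_jiffies; /* live timer: push the deadline out */

	/* Accounting sits after the timer update, so the early exit above skips it. */
	if (do_acct)
		ct->packets++;

	conntrack_unlock();
	return true;
}

/* Results of driving identical traffic through a normal and a fixed-timeout entry. */
struct scenario_result {
	unsigned long normal_expires, fixed_expires;
	unsigned long normal_packets, fixed_packets;
	bool lock_free_after;
};

static struct scenario_result run_scenario(void)
{
	/* constructed sample entries: both confirmed, both due to die at tick 100 */
	struct conn normal = { .status = IPS_CONFIRMED, .expires = 100 };
	struct conn fixed  = { .status = IPS_CONFIRMED | IPS_FIXED_TIMEOUT, .expires = 100 };
	struct scenario_result r;
	unsigned long t;

	lock_depth = 0;
	/* three packets at ticks 10, 20, 30, each asking for a 60-tick timeout */
	for (t = 10; t <= 30; t += 10) {
		jiffies = t;
		conn_refresh_acct(&normal, 60, true);
		conn_refresh_acct(&fixed, 60, true);
	}

	r.normal_expires = normal.expires;   /* 30 + 60 = 90: the deadline follows traffic */
	r.fixed_expires  = fixed.expires;    /* still 100: traffic cannot extend it */
	r.normal_packets = normal.packets;   /* 3 */
	r.fixed_packets  = fixed.packets;    /* 0: accounting skipped by the early exit */
	r.lock_free_after = (lock_depth == 0);
	return r;
}

int main(void)
{
	struct scenario_result r = run_scenario();

	printf("normal: expires=%lu packets=%lu\n", r.normal_expires, r.normal_packets);
	printf("fixed:  expires=%lu packets=%lu\n", r.fixed_expires, r.fixed_packets);
	printf("lock released on every path: %s\n", r.lock_free_after ? "yes" : "no");
	return 0;
}
```

Moving the flag check to guard only the two `expires` assignments (leaving the `do_acct` step reachable) is the one-line change that would keep counters live for fixed-timeout entries, if that is what the feature wants.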

* Re: [PATCH 1/3] [kernel patch] fixed duration connection
  2006-04-13 16:17               ` Eric Leblond
@ 2006-04-21  2:30                 ` Patrick McHardy
  2006-04-21 20:53                   ` Eric Leblond
  0 siblings, 1 reply; 26+ messages in thread
From: Patrick McHardy @ 2006-04-21  2:30 UTC (permalink / raw)
  To: Eric Leblond; +Cc: Harald Welte, Netfilter Development Mailinglist, nufw-devel

Eric Leblond wrote:

>>Eric, can you please add nf_conntrack support and repost the entire
>>patchset? Thanks.
> 
> 
> Here it is.

Thanks. Now all I need is a Signed-off-by: line :)
Please send one for your ctnetlink fix as well.


* Re: [PATCH 1/3] [kernel patch] fixed duration connection
  2006-04-21  2:30                 ` Patrick McHardy
@ 2006-04-21 20:53                   ` Eric Leblond
  2006-04-22  0:02                     ` Patrick McHardy
  0 siblings, 1 reply; 26+ messages in thread
From: Eric Leblond @ 2006-04-21 20:53 UTC (permalink / raw)
  To: Patrick McHardy
  Cc: Harald Welte, Netfilter Development Mailinglist, nufw-devel



On Friday 21 April 2006 at 04:30 +0200, Patrick McHardy wrote:
> Eric Leblond wrote:
> Thanks. Now all I need is a Signed-off-by: line :)
> Please send one for your ctnetlink fix as well.

I attach it to the mail and I hope this is ok. I stupidly did not manage
to get an automatic way to add the Signed-off-by ...

BR,
-- 
Eric Leblond <eric@inl.fr>

[-- Attachment #1.2: fixed_timeout.patch --]
[-- Type: text/x-patch, Size: 2071 bytes --]

Signed-off-by: Eric Leblond <eric@inl.fr>

---
Add fixed timeout flag in connection tracking

Add a flag in a connection status to have a non-updated timeout.
This permits having connections that automatically die at a given
time.

diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 3ff88c8..68d282d 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -69,6 +69,11 @@ enum ip_conntrack_status {
 	/* Connection is dying (removed from lists), can not be unset. */
 	IPS_DYING_BIT = 9,
 	IPS_DYING = (1 << IPS_DYING_BIT),
+
+    /* Connection has fixed timeout. */
+	IPS_FIXED_TIMEOUT_BIT = 10,
+	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+
 };
 
 /* Connection tracking event bits */
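Review bot: `+    /* Connection has fixed timeout. */` is still indented with four spaces rather than a tab (the other added lines use tabs), and the blank `+` line before `};` remains; both should be fixed before this is applied.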
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index ceaabc1..d34edd7 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1130,6 +1130,12 @@ void __ip_ct_refresh_acct(struct ip_conn
 
 	write_lock_bh(&ip_conntrack_lock);
 
+	/* Only update if this is not a fixed timeout */
+	if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)){
+		write_unlock_bh(&ip_conntrack_lock);
+		return;
+	}
+
 	/* If not in hash table, timer will not be active yet */
 	if (!is_confirmed(ct)) {
 		ct->timeout.expires = extra_jiffies;
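Review bot: `&ct->status)){` is still missing the space before `{` (the nf_conntrack hunk below has it). The commit description ("a non updated timeout") should also state that the early return skips everything after the timer update in `__ip_ct_refresh_acct`, i.e. the `do_acct` accounting shown in the 2006-04-08 version of this hunk, so readers know that fixed-timeout entries are not accounted.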
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 56389c8..a880692 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1403,6 +1403,12 @@ void __nf_ct_refresh_acct(struct nf_conn
 
 	write_lock_bh(&nf_conntrack_lock);
 
+	/* Only update if this is not a fixed timeout */
+	if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)) {
+		write_unlock_bh(&nf_conntrack_lock);
+		return;
+	}
+
 	/* If not in hash table, timer will not be active yet */
 	if (!nf_ct_is_confirmed(ct)) {
 		ct->timeout.expires = extra_jiffies;



* Re: [PATCH 1/3] [kernel patch] fixed duration connection
  2006-04-21 20:53                   ` Eric Leblond
@ 2006-04-22  0:02                     ` Patrick McHardy
  0 siblings, 0 replies; 26+ messages in thread
From: Patrick McHardy @ 2006-04-22  0:02 UTC (permalink / raw)
  To: Eric Leblond; +Cc: Harald Welte, Netfilter Development Mailinglist, nufw-devel

Eric Leblond wrote:
> Le vendredi 21 avril 2006 à 04:30 +0200, Patrick McHardy a écrit :
> 
>>Eric Leblond wrote:
>>Thanks. Now all I need is a Signed-off-by: line :)
>>Please send one for your ctnetlink fix as well.
> 
> 
> I attach it to the mail and I hope this is ok. I stupidly did not manage
> to get an autmotic way to add the Signed-off-by ...

Applied, thanks. Both your patches had whitespace damage I
had to fix up manually though. Please try to avoid this
in the future.

(Stripping trailing CRs from patch.)
patching file include/linux/netfilter/nf_conntrack_common.h
(Stripping trailing CRs from patch.)
patching file net/ipv4/netfilter/ip_conntrack_core.c
(Stripping trailing CRs from patch.)
patching file net/netfilter/nf_conntrack_core.c

+    /* Connection has fixed timeout. */
^^^^ should be tab
+	IPS_FIXED_TIMEOUT_BIT = 10,

+	if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)){
                                                         ^ missing space


Thread overview: 26+ messages
2006-04-04  8:33 [PATCH 0/3] [RFC] fixed duration connection Eric Leblond
2006-04-04  8:36 ` [PATCH 1/3] " Eric Leblond
2006-04-04  8:38 ` [PATCH 2/3] " Eric Leblond
2006-04-04  8:41 ` [PATCH 3/3] [RFC] " Eric Leblond
2006-04-04  8:43 ` [PATCH 2/3] " Eric Leblond
2006-04-04  8:43 ` [PATCH 3/3] [RFC] " Eric Leblond
2006-04-05 13:57 ` [PATCH 0/3] " Patrick McHardy
2006-04-05 14:41   ` Eric Leblond
2006-04-07 21:53   ` Eric Leblond
2006-04-07 21:57     ` [PATCH 1/3] [kernel patch] " Eric Leblond
2006-04-08 19:56       ` Patrick McHardy
2006-04-08 20:55         ` Eric Leblond
2006-04-11 16:22           ` Patrick McHardy
2006-04-11 20:20             ` Eric Leblond
2006-04-12  8:38         ` Harald Welte
2006-04-12 10:48           ` Harald Welte
2006-04-12 19:06             ` Patrick McHardy
2006-04-13 16:17               ` Eric Leblond
2006-04-21  2:30                 ` Patrick McHardy
2006-04-21 20:53                   ` Eric Leblond
2006-04-22  0:02                     ` Patrick McHardy
2006-04-07 21:59     ` [PATCH 2/3] [libnetfilter_conntrack] " Eric Leblond
2006-04-08 19:58       ` Patrick McHardy
2006-04-08 20:23         ` Eric Leblond
2006-04-07 22:01     ` [PATCH 0/3] [conntrack] " Eric Leblond
2006-04-07 22:08       ` [PATCH 3/3] " Eric Leblond
