Re: remove connections notification by conntrack?

[Pablo Neira Ayuso <pablo@netfilter.org>]

Thomas Mader wrote:
> Hello,
> 
> We wrote a netfilter module which is using conntrack to distinguish different 
> connections. We only need this for UDP "connections" and we use the following 
> functions from conntrack to achieve that.
> 
> 	proto = ip_conntrack_proto_find_get(skb->nh.iph->protocol);
> 	if (ip_ct_get_tuple(skb->nh.iph, skb, skb->nh.iph->ihl*4, &tuple,proto)) {
> 		h = ip_conntrack_find_get(&tuple, NULL);
> 		....
> 	}
> 
> We use the connection IDs of conntrack to distinguish between the connections 
> within a list.
> The problem we are having is that we also need to delete entries out of that 
> list if a connection is going to be removed but we didn't find a proper 
> solution to that.
> We tried to define a function for ip_conntrack_destroyed but this doesn't seem 
> to be called properly because when a UDP connection is removed 
> from /proc/net/ip_conntrack the function will not be called. Nevertheless the 
> function is called but with, for us, unknown connection IDs and to strange 
> times.
> This method also doesn't seem to be a good solution because NAT seems to be 
> using it and this would mean we would get troubles if our module is running 
> while NAT is running too.
> 
> We also tried the notifier system of conntrack with registering on it. 
> (ip_conntrack_register_notifier(&nb);)
> But this doesn't seem to give us the needed information.
> 
> Now the question for us is, if we can somehow implement a nice solution for 
> this.
> Does somebody know of such a solution?

Could you post the code?

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of 
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris