* Patch: add id to libnetfilter_conntrack XML export
@ 2007-01-05 13:27 Victor Stinner
2007-01-05 14:45 ` Pablo Neira Ayuso
0 siblings, 1 reply; 4+ messages in thread
From: Victor Stinner @ 2007-01-05 13:27 UTC (permalink / raw)
To: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 312 bytes --]
Hi,
I heard that connection identifiers may disappear. Is it true? I like unique
identifier because it's small (only 32 bits) and easy to manipulate. It's
hard to identify a connection without such identifier.
I attached a patch to add connection identifier to XML export.
Victor Stinner
http://www.inl.fr/
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: libnetfilter_conntrack_xml_id.patch --]
[-- Type: text/x-diff; charset="us-ascii"; name="libnetfilter_conntrack_xml_id.patch", Size: 570 bytes --]
Index: src/conntrack/snprintf_xml.c
===================================================================
--- src/conntrack/snprintf_xml.c (révision 6720)
+++ src/conntrack/snprintf_xml.c (copie de travail)
@@ -364,6 +364,13 @@
buffer_size(ret, &size, &len);
}
+ if (test_bit(ATTR_ID, ct->set)) {
+ ret = snprintf(buf+size, len, "<id>%u</id>", ct->id);
+ if (ret == -1)
+ return -1;
+ buffer_size(ret, &size, &len);
+ }
+
if (test_bit(ATTR_MARK, ct->set)) {
ret = snprintf(buf+size, len, "<mark>%u</mark>", ct->mark);
if (ret == -1)
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Patch: add id to libnetfilter_conntrack XML export
2007-01-05 13:27 Patch: add id to libnetfilter_conntrack XML export Victor Stinner
@ 2007-01-05 14:45 ` Pablo Neira Ayuso
[not found] ` <200701051618.09855.victor.stinner@inl.fr>
0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2007-01-05 14:45 UTC (permalink / raw)
To: Victor Stinner; +Cc: netfilter-devel
Victor Stinner wrote:
> I heard that connection identifiers may disappear. Is it true? I like unique
> identifier because it's small (only 32 bits) and easy to manipulate. It's
> hard to identify a connection without such identifier.
Indeed, it's planned to get rid of the id. We resolved that the tuple
src/dst/port-src/port-dst/l3protonum/l4protonum is enough to identify a
conntrack.
--
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Patch: add id to libnetfilter_conntrack XML export
[not found] ` <200701051618.09855.victor.stinner@inl.fr>
@ 2007-01-05 22:44 ` Pablo Neira Ayuso
2007-01-11 13:00 ` Amin Azez
0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2007-01-05 22:44 UTC (permalink / raw)
To: Netfilter Development Mailinglist; +Cc: Victor Stinner
Hi Victor,
Victor Stinner wrote:
> Le Vendredi 5 Janvier 2007 15:45, vous avez écrit :
>> Victor Stinner wrote:
>>> I heard that connection identifiers may disappear. Is it true? I like
>>> unique identifier because it's small (only 32 bits) and easy to
>>> manipulate. It's hard to identify a connection without such identifier.
>> Indeed, it's planned to get rid of the id. We resolved that the tuple
>> src/dst/port-src/port-dst/l3protonum/l4protonum is enough to identify a
>> conntrack.
>
> Hum, what is your motivation to remove identifiers? I will be harder to
> identify a connection: parameters to identify it depends on the layer 3 and
> layer 4 protocols. (src, dst, port-src, port-dst, l3protonum, l4protonum)
> doesn't work with ICMP (arguments type and code) :-/ And what about IPv6?
> What about other layer3 protocols?
The 'id' is not enough to uniquely identify a flow since it can wrap
around: in a scenario with long-time flows, this can result in two flows
with the same 'id'. The 'id' was introduced as a complement for the
tuple since we weren't sure that the tuple was enough to identify a
flow. After several discussions [1], we resolved that the tuple was enough.
For example, conntrackd uses the tuple and keeps the flows in a hash
table, but a different abstract data type could be used (trees).
> I'm working on pyctd and his PHP frontend. To kill a connection (or update a
> parameter like mark or (fixed) timeout), we just used his identifier.
Talking about pyctd, would you consider integrating this with conntrackd
[2]? That daemon has a statistics mode that can still be improved a lot:
Third party apps can request information such as the whole conntrack
table via UNIX sockets, this can be interesting in scenarios with
heavily loaded firewall since this will not interrupt packet processing
while dumping the conntrack table. Moreover, you can know the connection
lifetime, ie. when did the flow was created, something that is not
available in kernel space, and much more, for example, killing flows
with masks, and other stuff that in kernel space could be overkill. Of
course, this does not come without a price, per-connections counters are
not available. However, I think that the information source (ctnetlink
or conntrackd) for your statistics daemon could be a configurable
parameter, the sysadmin could choose what to use depending on his setup.
BTW, conntrackd doesn't output the flows in XML format yet, but with the
new API that is fairly easy to be implemented.
[1]
http://lists.netfilter.org/pipermail/netfilter-devel/2006-March/023877.html
[2] http://people.netfilter.org/pablo/conntrackd/
--
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Patch: add id to libnetfilter_conntrack XML export
2007-01-05 22:44 ` Pablo Neira Ayuso
@ 2007-01-11 13:00 ` Amin Azez
0 siblings, 0 replies; 4+ messages in thread
From: Amin Azez @ 2007-01-11 13:00 UTC (permalink / raw)
To: Victor Stinner; +Cc: netfilter-devel, Pablo Neira Ayuso
* Pablo Neira Ayuso wrote, On 05/01/07 22:44:
> Hi Victor,
>
> Victor Stinner wrote:
>> Le Vendredi 5 Janvier 2007 15:45, vous avez écrit :
>>> Victor Stinner wrote:
>>>> I heard that connection identifiers may disappear. Is it true? I like
>>>> unique identifier because it's small (only 32 bits) and easy to
>>>> manipulate. It's hard to identify a connection without such identifier.
>>> Indeed, it's planned to get rid of the id. We resolved that the tuple
>>> src/dst/port-src/port-dst/l3protonum/l4protonum is enough to identify a
>>> conntrack.
>> Hum, what is your motivation to remove identifiers? I will be harder to
>> identify a connection: parameters to identify it depends on the layer 3 and
>> layer 4 protocols. (src, dst, port-src, port-dst, l3protonum, l4protonum)
>> doesn't work with ICMP (arguments type and code) :-/ And what about IPv6?
>> What about other layer3 protocols?
>
> The 'id' is not enough to uniquely identify a flow since it can wrap
> around: in a scenario with long-time flows, this can result in two flows
> with the same 'id'. The 'id' was introduced as a complement for the
> tuple since we weren't sure that the tuple was enough to identify a
> flow. After several discussions [1], we resolved that the tuple was enough.
Storing start-time for a conntrack can be very useful, I do it, it's the
kind if thing that is likely to be useful for people who want to collect
conntrack data over netlink.
Start-time combined with the tuple makes a good unique id.
Sam
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2007-01-11 13:00 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-01-05 13:27 Patch: add id to libnetfilter_conntrack XML export Victor Stinner
2007-01-05 14:45 ` Pablo Neira Ayuso
[not found] ` <200701051618.09855.victor.stinner@inl.fr>
2007-01-05 22:44 ` Pablo Neira Ayuso
2007-01-11 13:00 ` Amin Azez
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.