From: Patrick McHardy <kaber@trash.net>
To: Luca Landi <l.landi@gif.it>, Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>
Subject: Re: Bug with conntracks created arbitrarily through netlink
Date: Wed, 24 Sep 2008 22:41:36 +0200
Message-ID: <48DAA600.4010802@trash.net>
In-Reply-To: <1222287997.6546.22.camel@quasar>
Don't remove netfilter-devel from the CC list please.
Luca Landi wrote:
> On Wed, 24/09/2008 at 20:00 +0200, Patrick McHardy wrote:
>
>> We're automatically enabling the be-liberal logic for picked up
>> connections nowadays,
>
> Currently (as of 2.6.26.5) as well as on Ubuntu's kernel that's done
> only by tcp_new(), not by tcp_in_window()
Indeed. You're able to specify that flag from userspace though.
> However, my point is that in case of a manually created conntrack we
> could avoid enabling the be-liberal logic, because the subsystem _will_
> see the true first packet of the tracked connection eventually (the SYN
> in case of a tcp stream, but conceptually speaking the equivalent should
> apply to any proto), and thus should be able to set up proper tracking.
> Am I wrong?
No, that's correct. However the structure of the code doesn't allow
to do that easily since the ->new function is only called when
initializing a new conntrack at runtime. It might be possible to
move invocation up to resolve_normal_ct and make it dependent on
the connection state, it mainly depends on whether the other
functions called during initialization need that state from ->new.
They should not I think, but I haven't checked. Then you could also
invoke it based on some other condition controllable through ctnetlink.
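The "you're able to specify that flag from userspace" remark above refers to the CTA_PROTOINFO_TCP_FLAGS_* attributes of ctnetlink. The following is an added example, not code from this thread, from Patrick McHardy, or from libnetfilter_conntrack: it hand-builds an IPCTNL_MSG_CT_NEW request that creates a TCP conntrack in ESTABLISHED state with IP_CT_TCP_FLAG_BE_LIBERAL requested for both directions, so the entry does not depend on tcp_new()'s pickup logic (which is never run for ctnetlink-created entries, as Luca observes). It assumes the attribute layout of current linux/netfilter/nfnetlink_conntrack.h and that the kernel applies nf_ct_tcp_flags as "clear the mask bits, then OR in flags & mask" (the nlattr_to_tcp behaviour in nf_conntrack_proto_tcp.c). The flow 10.0.0.1:40000 -> 192.168.1.5:443 and the 120 s timeout are constructed sample values; submitting the request needs CAP_NET_ADMIN and the nf_conntrack module loaded.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h>
#include <linux/netfilter/nf_conntrack_tcp.h>

/* Append an attribute at the aligned end of the message; len 0 opens a nest
 * (ctnetlink has no zero-length flag attributes, so the shortcut is safe here). */
static struct nlattr *put_attr(struct nlmsghdr *nlh, uint16_t type, const void *data, uint16_t len)
{
    struct nlattr *a = (struct nlattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));
    a->nla_type = len ? type : (type | NLA_F_NESTED);
    a->nla_len = NLA_HDRLEN + len;
    if (len) memcpy((char *)a + NLA_HDRLEN, data, len);
    nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + NLA_ALIGN(a->nla_len);
    return a;
}

/* Close a nest: its length now covers everything appended since it was opened. */
static void end_nest(struct nlmsghdr *nlh, struct nlattr *nest)
{
    nest->nla_len = (uint16_t)((char *)nlh + nlh->nlmsg_len - (char *)nest);
}

/* CTA_TUPLE_*: CTA_TUPLE_IP { v4 src, v4 dst } + CTA_TUPLE_PROTO { proto, sport, dport }, big-endian. */
static void put_tuple(struct nlmsghdr *nlh, uint16_t type, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    uint8_t proto = IPPROTO_TCP;
    struct nlattr *tuple = put_attr(nlh, type, NULL, 0);
    struct nlattr *sub = put_attr(nlh, CTA_TUPLE_IP, NULL, 0);
    put_attr(nlh, CTA_IP_V4_SRC, &src, sizeof src);
    put_attr(nlh, CTA_IP_V4_DST, &dst, sizeof dst);
    end_nest(nlh, sub);
    sub = put_attr(nlh, CTA_TUPLE_PROTO, NULL, 0);
    put_attr(nlh, CTA_PROTO_NUM, &proto, sizeof proto);
    put_attr(nlh, CTA_PROTO_SRC_PORT, &sport, sizeof sport);
    put_attr(nlh, CTA_PROTO_DST_PORT, &dport, sizeof dport);
    end_nest(nlh, sub);
    end_nest(nlh, tuple);
}

/* Build IPCTNL_MSG_CT_NEW into buf; returns its length (0 if buf is too small). Creation needs
 * both tuples (reply = inverse of original) and a timeout; nf_ct_tcp_flags is {bits, mask}. */
size_t build_ct_create(void *buf, size_t cap, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, uint32_t timeout_sec)
{
    struct nlmsghdr *nlh = buf;
    struct nfgenmsg *nfg = NLMSG_DATA(nlh);
    struct nlattr *pinfo, *tcp;
    uint8_t state = TCP_CONNTRACK_ESTABLISHED;
    uint32_t timeout = htonl(timeout_sec);
    struct nf_ct_tcp_flags liberal = { .flags = IP_CT_TCP_FLAG_BE_LIBERAL, .mask = IP_CT_TCP_FLAG_BE_LIBERAL };
    if (cap < 256) return 0;                          /* this layout takes 164 bytes */
    memset(buf, 0, cap);
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof *nfg);
    nlh->nlmsg_type = (NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_NEW;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL | NLM_F_ACK;
    nfg->nfgen_family = AF_INET; nfg->version = NFNETLINK_V0;
    put_tuple(nlh, CTA_TUPLE_ORIG, src, dst, sport, dport);
    put_tuple(nlh, CTA_TUPLE_REPLY, dst, src, dport, sport);
    put_attr(nlh, CTA_TIMEOUT, &timeout, sizeof timeout);
    pinfo = put_attr(nlh, CTA_PROTOINFO, NULL, 0);
    tcp = put_attr(nlh, CTA_PROTOINFO_TCP, NULL, 0);
    put_attr(nlh, CTA_PROTOINFO_TCP_STATE, &state, sizeof state);
    put_attr(nlh, CTA_PROTOINFO_TCP_FLAGS_ORIGINAL, &liberal, sizeof liberal);
    put_attr(nlh, CTA_PROTOINFO_TCP_FLAGS_REPLY, &liberal, sizeof liberal);
    end_nest(nlh, tcp);
    end_nest(nlh, pinfo);
    return nlh->nlmsg_len;
}

/* Send over NETLINK_NETFILTER; returns the kernel's ack (0) or a negative errno. Needs CAP_NET_ADMIN. */
int submit_ct_create(const void *msg, size_t len)
{
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK };
    uint32_t rbuf[64];
    struct nlmsghdr *rh = (struct nlmsghdr *)rbuf;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER), err = 0;
    if (fd < 0) return -errno;
    if (sendto(fd, msg, len, 0, (struct sockaddr *)&sa, sizeof sa) < 0) err = -errno;
    else if (recv(fd, rbuf, sizeof rbuf, 0) < (ssize_t)NLMSG_HDRLEN) err = -EBADMSG;
    else if (rh->nlmsg_type == NLMSG_ERROR) err = ((struct nlmsgerr *)NLMSG_DATA(rh))->error;
    close(fd);
    return err;
}

int main(void)
{
    uint32_t buf[128];   /* constructed sample flow: 10.0.0.1:40000 -> 192.168.1.5:443, 120 s timeout */
    size_t n = build_ct_create(buf, sizeof buf, htonl(0x0a000001), htonl(0xc0a80105), htons(40000), htons(443), 120);
    int err = submit_ct_create(buf, n);
    printf("%zu-byte request: %s\n", n, strerror(-err));
    return err != 0;
}
```

Run it as root and the new entry appears in `conntrack -L` (or /proc/net/nf_conntrack) with the ESTABLISHED state; because the flags attribute carries both the bits and a mask, the same request shape can also clear be-liberal on an existing entry by sending flags = 0 with the same mask, which is the per-connection knob the thread is discussing, as opposed to the global nf_conntrack_tcp_be_liberal sysctl.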
Thread overview: 4+ messages
2008-09-24 17:43 Bug with conntracks created arbitrarily through netlink Luca Landi
2008-09-24 18:00 ` Patrick McHardy
[not found] ` <1222287997.6546.22.camel@quasar>
2008-09-24 20:41 ` Patrick McHardy [this message]
2008-09-25 8:56 ` Luca Landi