* can expectations be marked persistent, so they can match repeatedly until they timeout?
@ 2011-03-24 17:43 Sam Roberts
2011-03-28 11:27 ` Patrick McHardy
0 siblings, 1 reply; 3+ messages in thread
From: Sam Roberts @ 2011-03-24 17:43 UTC (permalink / raw)
To: Netfilter Developer Mailing List
I'm writing a userspace conntrack, using nfqueue and conntrack.
Creating expectations works fine, metfilter matches and allows the
expected connection.
However, unlike ftp, the negotiated ephemeral port is used by multiple
simultaneous tcp connections for some period. I'd like the expectation
to be kept in place until it times out, even when its matched.
I can create this effect by watching for the conntrack event
indicating the expectation was destroyed, and recreating it, but I'd
like to know if there is a better way.
Cheers,
Sam
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: can expectations be marked persistent, so they can match repeatedly until they timeout?
2011-03-24 17:43 can expectations be marked persistent, so they can match repeatedly until they timeout? Sam Roberts
@ 2011-03-28 11:27 ` Patrick McHardy
2011-03-29 18:54 ` Sam Roberts
0 siblings, 1 reply; 3+ messages in thread
From: Patrick McHardy @ 2011-03-28 11:27 UTC (permalink / raw)
To: Sam Roberts; +Cc: Netfilter Developer Mailing List
On 24.03.2011 18:43, Sam Roberts wrote:
> I'm writing a userspace conntrack, using nfqueue and conntrack.
>
> Creating expectations works fine, metfilter matches and allows the
> expected connection.
>
> However, unlike ftp, the negotiated ephemeral port is used by multiple
> simultaneous tcp connections for some period. I'd like the expectation
> to be kept in place until it times out, even when its matched.
>
> I can create this effect by watching for the conntrack event
> indicating the expectation was destroyed, and recreating it, but I'd
> like to know if there is a better way.
You should be able to use NF_CT_EXPECT_PERMANENT.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: can expectations be marked persistent, so they can match repeatedly until they timeout?
2011-03-28 11:27 ` Patrick McHardy
@ 2011-03-29 18:54 ` Sam Roberts
0 siblings, 0 replies; 3+ messages in thread
From: Sam Roberts @ 2011-03-29 18:54 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Mon, Mar 28, 2011 at 4:27 AM, Patrick McHardy <kaber@trash.net> wrote:
> On 24.03.2011 18:43, Sam Roberts wrote:
>> I'm writing a userspace conntrack, using nfqueue and conntrack.
>> However, unlike ftp, the negotiated ephemeral port is used by multiple
>> simultaneous tcp connections for some period. I'd like the expectation
>> to be kept in place until it times out, even when its matched.
> You should be able to use NF_CT_EXPECT_PERMANENT.
Yes, that works perfectly. Thank you.
Sam
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2011-03-29 18:54 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-03-24 17:43 can expectations be marked persistent, so they can match repeatedly until they timeout? Sam Roberts
2011-03-28 11:27 ` Patrick McHardy
2011-03-29 18:54 ` Sam Roberts
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.