From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Kelvie Wong <kelvie@ieee.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] netfilter: nf_ct_expect: partially implement ctnetlink_change_expect
Date: Mon, 7 May 2012 10:42:28 +0200
Message-ID: <20120507084228.GA27334@1984>
In-Reply-To: <CAK2bC5rMTMMdepCUpv6oB17ez-LMp=ZUSXacomZXTiM1ZDB92w@mail.gmail.com>

On Sun, May 06, 2012 at 06:51:45PM -0700, Kelvie Wong wrote:
> Hey Pablo,
>
> On Sun, May 6, 2012 at 4:09 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > You have to protect this with nf_conntrack_lock spinlock. See
> > net/netfilter/nf_conntrack_expect.c for expectation handling.
>
> ctnetlink_change_expect is not exported, and it is only called in
> ctnetlink_new_expect, which is protected by the spinlock.

You're right, I've overlooked this.

> >
> >> return -EOPNOTSUPP;
> >
> > Now that we support expectation changing, this should be return 0.
>
> I can make this change.
>
> > We have two choices for this:
> >
> > a) rework the patch with the suggestion that I made.
> > b) add some NF_CT_EXPECT_FIXED_TIMEOUT flag like we have in the
> > connection tracking. Thus, the expectation will not ever expire.
> >
> > I'd need to know more about how you're using this. Depending on that,
> > we can select a) or b).
>
> I think we need to do a). A fixed timeout won't work, as in some cases we
> need to extend the expectation (the server has asked to use the same port
> again, so we need to give it another 10 minutes, possibly indefinitely),
> whereas in other cases we can just safely let the expectation expire.
>
> I want to avoid leaving the expectation forever, but I can't know until I see
> the DCERPC traffic.

OK, then I'll take your patch. I'll mangle it to return 0 instead.

> > BTW, I'm working on finishing some user-space framework for developing
> > helper in user-space. My question is: would you be interested in
> > integrating your DCERPC helper into it?
> >
> > I expect to post some code soon, still working on it.
>
> I just need something to work right now (I'm going to use my original patch
> as-is, unless I made a grave error somewhere), but maybe in the future if
> it will ease maintenance.

I guess it will ease maintenance, really.