From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH v2 nf-next 0/9] netfilter: don't copy initns hooks to new namespaces
Date: Thu, 29 Oct 2015 21:35:51 +0100 [thread overview]
Message-ID: <20151029203551.GA1883@salvia> (raw)
In-Reply-To: <20151027163552.GC9420@breakpoint.cc>
Hi Florian,
On Tue, Oct 27, 2015 at 05:35:52PM +0100, Florian Westphal wrote:
> Ahem. There are strings attached... :-/
>
> So conntrack -L or conntrack -E do not enable connection tracking
> if its not enabled (on current kernels).
>
> So one has to load ipv4/ipv6 etc tracker explicitly.
>
> Problem *after* patches is that this doesn't suffice.
>
> So old behaviour:
> conntrack -E
>
> (nothing happens)
> (modprobe nf_conntrack_ipv4)
> (conntrack -E starts to display events)
>
> new behaviour:
> (modprobe nf_conntrack_ipv4)
> (conntrack -E doesn't display events since conntrack module doesn't
> see packets due to lack of nf hooks).
>
> My first attempt to fix this was to hook into nfnetlink bind,
> but that doesn't really work in a backwards-compatible fashion since
> it only makes 'modprobe nf_conntrack_ipv4; conntrack -E' work, but
> not nf_conntrack_ipv4 module load *after* a event listener is already
> running.
So conntrack -L currently uses NFPROTO_UNSPEC by default and from
conntrack -E we subscribe to the generic groups.
> Other alternative is to request all the protocol trackers during
> ctnetlink bind request but that sucks.
Agreed, that sucks :).
> Any suggestion? I don't really see a way out of this.
We can probably register the hooks from ctnetlink based on what we
already have, ie. if nf_conntrack_ipv4 is loaded and someone runs
conntrack -E (or whatever custom application to listen to events),
then we get the hooks registered.
On top of that, assuming someone modprobes nf_conntrack_ipv6 later on,
we'll have to iterate over the list of netns available and register
the hooks if anyone is already listening to events as well.
Remember we also now also have nfnetlink_log and _queue integration
with conntrack, there we should register the hooks too in case the
userspace application.
Another possible solution: We add a sysctl switch to the core that
indicates if conntrack/defrag hooks are enabled by default (should be
1 to maintain backward compatility).
When unset, the user needs to explicitly indicate:
iptables -I ... -j CT --track
that we want connection tracking, so we stop playing guess games,
which (although transparent) seems a bit fragile to me.
The second path is something that we need to explore anyway for nft as
you indicated in your previous email, so this can probably solve the
problem both for iptables and nft in a more generic way.
Will be giving another spin to this tomorrow, just arrived from a long
trip.
Thanks!
next prev parent reply other threads:[~2015-10-29 20:28 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-23 10:43 [PATCH v2 nf-next 0/9] netfilter: don't copy initns hooks to new namespaces Florian Westphal
2015-10-23 10:43 ` [PATCH v2 nf-next 1/9] netfilter: ingress: don't use nf_hook_list_active Florian Westphal
2015-11-06 18:33 ` Pablo Neira Ayuso
2015-10-23 10:43 ` [PATCH v2 nf-next 2/9] netfilter: add and use nf_ct_netns_get/put Florian Westphal
2015-10-23 10:43 ` [PATCH v2 nf-next 3/9] netfilter: conntrack: register hooks in netns when needed by ruleset Florian Westphal
2015-10-23 10:43 ` [PATCH v2 nf-next 4/9] netfilter: xtables: don't register xt hooks in namespace at init time Florian Westphal
2015-10-23 10:43 ` [PATCH v2 nf-next 5/9] netfilter: defrag: only register defrag functionality if needed Florian Westphal
2015-10-23 10:43 ` [PATCH v2 nf-next 6/9] netfilter: nat: add dependencies on conntrack module Florian Westphal
2015-10-23 10:43 ` [PATCH v2 nf-next 7/9] netfilter: bridge: register hooks only when bridge is added Florian Westphal
2015-10-23 10:43 ` [PATCH v2 nf-next 8/9] netfilter: don't call nf_hook_state_init/_hook_slow unless needed Florian Westphal
2015-10-23 10:43 ` [PATCH v2 nf-next 9/9] nftables: add conntrack dependencies for nat/masq/redir expressions Florian Westphal
2015-10-26 22:55 ` [PATCH v2 nf-next 0/9] netfilter: don't copy initns hooks to new namespaces Pablo Neira Ayuso
2015-10-26 23:09 ` Florian Westphal
2015-10-27 16:35 ` Florian Westphal
2015-10-28 12:39 ` Jan Engelhardt
2015-10-29 20:35 ` Pablo Neira Ayuso [this message]
2015-10-29 22:13 ` Florian Westphal
2015-11-02 13:00 ` Florian Westphal
2015-11-24 10:27 ` Pablo Neira Ayuso
2015-11-24 10:59 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151029203551.GA1883@salvia \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).