netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Kevin Cernekee <cernekee@chromium.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: Snooping expected connections in a user CT helper
Date: Fri, 9 Sep 2016 00:18:24 +0200	[thread overview]
Message-ID: <20160908221824.GA28289@salvia> (raw)
In-Reply-To: <CAJzqFtZ0TGb3HtFLRzWxrjN7Un0zz_ioWPEQx1SzVZF2urgEig@mail.gmail.com>

Hi Kevin,

On Thu, Sep 08, 2016 at 03:02:13PM -0700, Kevin Cernekee wrote:
> On Thu, Sep 1, 2016 at 4:47 PM, Kevin Cernekee <cernekee@chromium.org> wrote:
> > The patch that I sent out last night is able to handle scenarios in
> > which the event occurs shortly after the subscription is established.
> > But in my testing I am noticing two other problems:
> >
> > 1) Approximately two minutes after the subscription is set up, the
> > expectation abruptly disappears.  This even happens if I set the
> > timeout to 3600; it shows up in `conntrack -L expect` until the time
> > column drops to ~3480, then it is gone.  This may be caused by the
> > master conntrack expiring.  Is there a way to set up the expectation
> > so that it persists for the entire timeout period?

Yes, the expectation goes away if the master is gone. You can set a
larger timeout for the master using -j CT --timeout timeout-policy and
the cttimeout infrastructure.

You have to set the helper and the timeout in one go, i.e.

        -j CT --helper ssdp --timeout xyz

> > 2) The timeout is not extended when there is activity on the
> > expectation.  It would be good if it was extended any time there is
> > new activity, in order to support long-lived subscriptions.

Actually, I thought permanent expectations had no timeout, but looking
at the code it seems they do. I think it makes sense to refresh it or
to keep it fixed; given that this depends on the master, it will just
go away once the master is not there anymore.

> Friendly ping...
> 
> Do you think I'm on the right track with this approach, and if so,
> what is the best way to establish long-lived expectations for UPnP?

Yes, although I didn't look at your code in depth, I think you're on
the right track.

BTW, you may also want to explore enabling zero-copy in the conntrackd
userspace helper (Eric Dumazet made a patch for nfqueue in 2013).

And you may need to cherry-pick b18bcb0019c to resolve an embarrassing
leak. Feel free to submit this to -stable and keep me on Cc.

Thanks!
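The setup Pablo describes above (a cttimeout policy for the master flow, attached in the same CT rule as the helper so the expectation is not dropped when the master expires), written out as an added shell example. This is not code from the thread or from Kevin's patch; it assumes iptables with the CT target, conntrack-tools (nfct, conntrack) and a userspace cthelper registered under the name "ssdp" via conntrackd. The policy name "ssdp-udp", UDP port 1900 and the DRY_RUN switch are this script's own choices.

```shell
#!/bin/sh
# Added example (not part of the mail thread): give the SSDP master conntrack
# a long cttimeout policy so the expectations hanging off it outlive the
# default UDP conntrack timeout. Assumed: userspace "ssdp" cthelper already
# registered (nfct helper add ssdp inet udp + conntrackd), policy name
# "ssdp-udp", port 1900.
set -eu

DRY_RUN="${DRY_RUN:-1}"    # 1 = print the commands, 0 = execute them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ssdp_master_timeout_setup SECONDS
# 1. Create a cttimeout policy with SECONDS for both UDP states, so the
#    master flow is not garbage-collected after the default timeout and
#    its expectations do not vanish with it.
# 2. Attach helper and timeout policy in ONE -j CT rule. Splitting them
#    into two rules is exactly what the thread warns against.
ssdp_master_timeout_setup() {
    secs="$1"
    case "$secs" in
        ''|*[!0-9]*|0) echo "timeout must be a positive integer" >&2; return 1 ;;
    esac
    run nfct timeout add ssdp-udp inet udp unreplied "$secs" replied "$secs"
    # Outbound M-SEARCH / SUBSCRIBE originated by this host
    run iptables -t raw -A OUTPUT -p udp --dport 1900 \
        -j CT --helper ssdp --timeout ssdp-udp
    # Inbound SSDP traffic (e.g. NOTIFY to the multicast group)
    run iptables -t raw -A PREROUTING -p udp --dport 1900 \
        -j CT --helper ssdp --timeout ssdp-udp
}

# ssdp_master_timeout_check
# Confirm the policy exists and that master and expectation are still
# listed. Run it again after the default UDP timeout would have elapsed:
# the expect entry must still be there, since its master now lives SECONDS.
ssdp_master_timeout_check() {
    run nfct timeout list
    run conntrack -L -p udp --dport 1900
    run conntrack -L expect
}

# Usage: DRY_RUN=0 ./ssdp-timeout.sh 3600   (as root; default only prints)
[ $# -eq 0 ] || { ssdp_master_timeout_setup "$1"; ssdp_master_timeout_check; }
```

With DRY_RUN left at 1 the script only prints the nfct and iptables invocations, which is a convenient way to review the exact rules before loading them on a router. The CT target is only accepted in the raw table, which is why both rules sit in raw/OUTPUT and raw/PREROUTING.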

Thread overview: 8+ messages
2016-08-17  4:51 Snooping expected connections in a user CT helper Kevin Cernekee
2016-08-18  1:12 ` Pablo Neira Ayuso
2016-08-23  3:34   ` Kevin Cernekee
2016-08-23 15:36     ` Pablo Neira Ayuso
2016-09-01 23:47       ` Kevin Cernekee
2016-09-08 22:02         ` Kevin Cernekee
2016-09-08 22:18           ` Pablo Neira Ayuso [this message]
2016-09-09 10:47             ` Pablo Neira Ayuso
