From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 0/2] rework of userspace expectation support
Date: Thu, 21 Apr 2011 15:14:20 +0200 [thread overview]
Message-ID: <4DB02DAC.1070406@netfilter.org> (raw)
In-Reply-To: <4DAEE86A.6070800@trash.net>
On 20/04/11 16:06, Patrick McHardy wrote:
> Am 20.04.2011 14:10, schrieb Pablo Neira Ayuso:
>> I missed one point. We don't seem to increase the refcnt for unfulfilled
>> expectations.
>
> Yes, that's not necessary since unfulfilled expectations are cleaned
> up once the master is destroyed. Its just the ct->master pointer of
> an expected connection that takes a reference.
>
> I thought this is what your patches try to fix?
Yes, my patches add the helper extension to the conntrack by means of
the CT target. Thus, in the case of userspace helpers, the master
conntrack can store the list of unfulfilled expectations that it owns.
Sorry, I misunderstood your previous email, I thought you were telling
that we bump master's refcnt for unfulfilled expectation, you were
telling the opposite :-).
>> The following example shows a unfulfilled FTP expectation:
>>
>> # conntrack -L exp
>> 262 proto=6 src=192.168.1.128 dst=130.89.149.226 sport=0 dport=20412
>> conntrack v1.0.0 (conntrack-tools): 1 expectations have been shown.
>>
>> # conntrack -L
>> tcp 6 431979 ESTABLISHED src=192.168.1.128 dst=130.89.149.226
>> sport=37348 dport=21 packets=9 bytes=503 src=130.89.149.226
>> dst=192.168.1.128 sport=21 dport=37348 packets=8 bytes=564 [ASSURED]
>> mark=0 delta-time=29 use=1
>>
>> The use field of the master conntrack shows 1.
>>
>> So, I think that these patches are still the way to fix the problem with
>> the expectations created through ctnetlink.
>
> Just for my understanding, why not simply take the reference for
> the master conntrack for "fulfilled" expectations (IOW conntracks
> that have a master assigned), which is necessary anyways since
> destroy_conntrack() attempts to release that reference again, and
> clean up userspace expectations once the master conntrack vanishes?
That's fine to me.
> This would match what we do for kernel expectations and I don't
> really see why we would want to keep an unfulfilled userspace
> expectation without the corresponding master.
Agreed.
Then, we need to allocate the conntrack helper extension to store the
list of unfulfilled expectations, which is what my patches do.
next prev parent reply other threads:[~2011-04-21 13:14 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-12 21:59 [PATCH 0/2] rework of userspace expectation support Pablo Neira Ayuso
2011-04-12 21:59 ` [PATCH 1/2] netfilter: CT: allow to set userspace helper status flag Pablo Neira Ayuso
2011-04-12 21:59 ` [PATCH 2/2] netfilter: nf_ct_expect: rework userspace expectation support Pablo Neira Ayuso
2011-04-13 11:37 ` [PATCH 0/2] rework of " Patrick McHardy
2011-04-13 11:47 ` Pablo Neira Ayuso
2011-04-13 11:55 ` Patrick McHardy
2011-04-13 12:11 ` Pablo Neira Ayuso
2011-04-13 12:28 ` Patrick McHardy
2011-04-13 20:02 ` Pablo Neira Ayuso
2011-04-20 12:10 ` Pablo Neira Ayuso
2011-04-20 14:06 ` Patrick McHardy
2011-04-21 13:14 ` Pablo Neira Ayuso [this message]
2011-05-17 21:12 ` Sam Roberts
2011-06-13 21:57 ` Sam Roberts
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DB02DAC.1070406@netfilter.org \
--to=pablo@netfilter.org \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).