From: Patrick McHardy <kaber@trash.net>
To: Ed W <lists@wildgooses.com>
Cc: Jan Engelhardt <jengelh@medozas.de>,
Netfilter Developer Mailing List
<netfilter-devel@vger.kernel.org>
Subject: Re: Possible conntrack/kernel bug - not catching certain ICMP packets
Date: Thu, 21 Jul 2011 11:14:36 +0200 [thread overview]
Message-ID: <4E27EDFC.6020007@trash.net> (raw)
In-Reply-To: <4E27E6B1.4030606@wildgooses.com>
On 21.07.2011 10:43, Ed W wrote:
> On 21/07/2011 07:16, Patrick McHardy wrote:
>> It's expected behaviour since ICMP packets related to an existing
>> connection don't refresh the connection and are not accounted.
>> I don't have an opinion on whether they should be accounted, I
>> guess you could argue both ways.
>
> Thanks for the feedback.
>
> I guess I was hoping that conntrack could be used for accurate bandwidth
> accounting, however, it seems to ignore this type of packet, so it's
> count is going to deviate from a simple interface byte counter?
Yes, but it's going to do that anyways since there are also packets
which can't be tracked, invalid packets, etc. Also conntrack doesn't
account for link layer headers and only for IPv4/v6 packets.
> I don't see the argument for *not* counting the bytes from the ICMP
> packet though? Surely the goal of conntrack is that everything is
> scooped into some connection? It seems like in this case conntrack
> labels this packet as belonging to the connection, BUT doesn't update
> the packet or byte counts - this seems like a half and half situation?
Well, you could just as well argue that someone is only interested
in the amount of bytes/packets which were actually transfered within
a connection. Since you mentioned interface counters, we also don't
account for ARP requests triggered by a connection.
I agree that it would be good to account for these packet *somewhere*.
> Thanks for replying - interested to hear the arguments against
> refreshing byte counts given that conntrack has already marked it as
> related?
Well, basically the related ICMP packets bypass protocol related
tracking, which is of course correct since they obviously shouldn't
be handled by f.i. TCP tracking, but this is where the accounting
happens.
next prev parent reply other threads:[~2011-07-21 9:14 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <4E202844.30602@wildgooses.com>
[not found] ` <4E241AB0.5060603@wildgooses.com>
2011-07-18 12:16 ` Possible conntrack/kernel bug - not catching certain ICMP packets Jan Engelhardt
2011-07-20 21:45 ` Ed W
2011-07-21 6:16 ` Patrick McHardy
2011-07-21 8:43 ` Ed W
2011-07-21 9:14 ` Patrick McHardy [this message]
2011-07-25 23:45 ` Jan Engelhardt
2011-07-26 13:00 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E27EDFC.6020007@trash.net \
--to=kaber@trash.net \
--cc=jengelh@medozas.de \
--cc=lists@wildgooses.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).