Skipping connection tracking for certain traffic types?

Skipping connection tracking for certain traffic types?

[Ville Mattila]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,


Correct me on this if I'm wrong: It is a feature of
Netfilter that whenever conntrack is registered in
kernel, then for example any UDP packet passing through
the firewall causes the state table to be consulted
resulting in either update of an old state entry if
found or creation of a new state.

Now if the description above holds we have a slight problem.

At our site, connection tracking would be the nice way to
handle the classic case of allowing responses to UDP
requests initating from our internal network. The problem
is that in the internal network there are several standalone
(a.k.a. non-forwarding) caching nameservers sending about 100
dns queries per second through the firewall in the worst case.
For us the default ip_conntrack_proto_udp.c timeout setting
of 30 seconds for unreplied UDP requests and 180 seconds
for assured streams could mean from 3 000 up to 18 000 state
entries for these dns requests alone.

This problem would be solved if it was possible with
Netfilter/iptables to skip connection tracking for some
rules (servers sending dns queries and replies to them in
our case), or better yet, not to track every connection by
default but only when requested per rule. Is this kind
of selective connection tracking possible already or will
it possibly become supported in future conntrack versions?


Best regards,
Ville

- -- 
Mr. Ville Mattila, vm@iki.fi, http://iki.fi/vm/

-----BEGIN PGP SIGNATURE-----

iD8DBQE+08FytUJlHUfTfMERAoqUAJ9IVa+SDTSH0RBpw62MQennyu2LfACgtbG0
xlVPrOV87drR5C4KidXjOgI=
=Me43
-----END PGP SIGNATURE-----

Skipping connection tracking for certain traffic types?

[Ville Mattila]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,


Correct me on this if I'm wrong: It is a feature of
Netfilter that whenever conntrack is registered in
kernel, then for example any UDP packet passing through
the firewall causes the state table to be consulted
basically resulting in either update of an old state
entry if found or creation of a new state.

Now if the description above holds we have a slight problem.

At our site, connection tracking would be the nice way to
handle the classic case of allowing responses to UDP
requests initating from our internal network. The problem
is that in the internal network there are several standalone
(a.k.a. non-forwarding) caching nameservers sending about 100
dns queries per second through the firewall in the worst case.
For us the default ip_conntrack_proto_udp.c timeout setting
of 30 seconds for unreplied UDP requests and 180 seconds
for assured streams could mean from 3 000 up to 18 000 state
entries for these dns requests alone.

This problem would be solved if it was possible with
Netfilter/iptables to skip connection tracking for some
rules (servers sending dns queries and replies to them in
our case), or better yet, not to track every connection by
default but only when requested per rule. Is this kind
of selective connection tracking possible already or will
it possibly become supported in future conntrack versions?


Best regards,
Ville

- --
Mr. Ville Mattila, vm@iki.fi, http://iki.fi/vm/

-----BEGIN PGP SIGNATURE-----

iD8DBQE+1HuDtUJlHUfTfMERAlu1AJ9+s5bD2uwP47M7GZSuh2vx6fooLgCfYsir
nIvIRSE8mdUbVgZ36cGrvEE=
=4/r4
-----END PGP SIGNATURE-----

Re: Skipping connection tracking for certain traffic types?

[Martin Josefsson]

On Wed, 2003-05-28 at 11:03, Ville Mattila wrote:

> This problem would be solved if it was possible with
> Netfilter/iptables to skip connection tracking for some
> rules (servers sending dns queries and replies to them in
> our case), or better yet, not to track every connection by
> default but only when requested per rule. Is this kind
> of selective connection tracking possible already or will
> it possibly become supported in future conntrack versions?

This has been supported for a long time. Look at userspace/raw.patch
in patch-o-matic.

-- 
/Martin

Re: Skipping connection tracking for certain traffic types?

[Julian Gomez]

On Tue, May 27, 2003 at 10:49:56PM +0300, Ville Mattila spoke thusly:
>Correct me on this if I'm wrong: It is a feature of Netfilter that
>whenever conntrack is registered in kernel, then for example any UDP
>packet passing through the firewall causes the state table to be consulted
>resulting in either update of an old state entry if found or creation of a
>new state.

I think there is a NOTRACK patch in p-o-m, but haven't checked really. I
kind of remember Henrik Nordstrom talking about it before, but a quick
websearch only turns up this.

http://lists.netfilter.org/pipermail/netfilter-devel/2001-September/
005541.html