* Skipping connection tracking for certain traffic types?
@ 2003-05-27 19:49 Ville Mattila
2003-05-31 7:18 ` Julian Gomez
0 siblings, 1 reply; 4+ messages in thread
From: Ville Mattila @ 2003-05-27 19:49 UTC (permalink / raw)
To: netfilter; +Cc: Ville Mattila
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello all,
Correct me on this if I'm wrong: It is a feature of
Netfilter that whenever conntrack is registered in
kernel, then for example any UDP packet passing through
the firewall causes the state table to be consulted
resulting in either update of an old state entry if
found or creation of a new state.
Now if the description above holds we have a slight problem.
At our site, connection tracking would be the nice way to
handle the classic case of allowing responses to UDP
requests initating from our internal network. The problem
is that in the internal network there are several standalone
(a.k.a. non-forwarding) caching nameservers sending about 100
dns queries per second through the firewall in the worst case.
For us the default ip_conntrack_proto_udp.c timeout setting
of 30 seconds for unreplied UDP requests and 180 seconds
for assured streams could mean from 3 000 up to 18 000 state
entries for these dns requests alone.
This problem would be solved if it was possible with
Netfilter/iptables to skip connection tracking for some
rules (servers sending dns queries and replies to them in
our case), or better yet, not to track every connection by
default but only when requested per rule. Is this kind
of selective connection tracking possible already or will
it possibly become supported in future conntrack versions?
Best regards,
Ville
- --
Mr. Ville Mattila, vm@iki.fi, http://iki.fi/vm/
-----BEGIN PGP SIGNATURE-----
iD8DBQE+08FytUJlHUfTfMERAoqUAJ9IVa+SDTSH0RBpw62MQennyu2LfACgtbG0
xlVPrOV87drR5C4KidXjOgI=
=Me43
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 4+ messages in thread
* Skipping connection tracking for certain traffic types?
@ 2003-05-28 9:03 Ville Mattila
2003-05-29 12:51 ` Martin Josefsson
0 siblings, 1 reply; 4+ messages in thread
From: Ville Mattila @ 2003-05-28 9:03 UTC (permalink / raw)
To: netfilter; +Cc: Ville Mattila
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello all,
Correct me on this if I'm wrong: It is a feature of
Netfilter that whenever conntrack is registered in
kernel, then for example any UDP packet passing through
the firewall causes the state table to be consulted
basically resulting in either update of an old state
entry if found or creation of a new state.
Now if the description above holds we have a slight problem.
At our site, connection tracking would be the nice way to
handle the classic case of allowing responses to UDP
requests initating from our internal network. The problem
is that in the internal network there are several standalone
(a.k.a. non-forwarding) caching nameservers sending about 100
dns queries per second through the firewall in the worst case.
For us the default ip_conntrack_proto_udp.c timeout setting
of 30 seconds for unreplied UDP requests and 180 seconds
for assured streams could mean from 3 000 up to 18 000 state
entries for these dns requests alone.
This problem would be solved if it was possible with
Netfilter/iptables to skip connection tracking for some
rules (servers sending dns queries and replies to them in
our case), or better yet, not to track every connection by
default but only when requested per rule. Is this kind
of selective connection tracking possible already or will
it possibly become supported in future conntrack versions?
Best regards,
Ville
- --
Mr. Ville Mattila, vm@iki.fi, http://iki.fi/vm/
-----BEGIN PGP SIGNATURE-----
iD8DBQE+1HuDtUJlHUfTfMERAlu1AJ9+s5bD2uwP47M7GZSuh2vx6fooLgCfYsir
nIvIRSE8mdUbVgZ36cGrvEE=
=4/r4
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Skipping connection tracking for certain traffic types?
2003-05-28 9:03 Ville Mattila
@ 2003-05-29 12:51 ` Martin Josefsson
0 siblings, 0 replies; 4+ messages in thread
From: Martin Josefsson @ 2003-05-29 12:51 UTC (permalink / raw)
To: Ville Mattila; +Cc: Netfilter
On Wed, 2003-05-28 at 11:03, Ville Mattila wrote:
> This problem would be solved if it was possible with
> Netfilter/iptables to skip connection tracking for some
> rules (servers sending dns queries and replies to them in
> our case), or better yet, not to track every connection by
> default but only when requested per rule. Is this kind
> of selective connection tracking possible already or will
> it possibly become supported in future conntrack versions?
This has been supported for a long time. Look at userspace/raw.patch
in patch-o-matic.
--
/Martin
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2003-05-31 7:18 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-05-27 19:49 Skipping connection tracking for certain traffic types? Ville Mattila
2003-05-31 7:18 ` Julian Gomez
-- strict thread matches above, loose matches on Subject: below --
2003-05-28 9:03 Ville Mattila
2003-05-29 12:51 ` Martin Josefsson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox