Re: Conntrack in-kernel question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mar 5 2008 08:31, Oleg Petrov wrote:
>
>I'm working on kernel module used for network accounting and it's based
>on amazing netfilter connection tracking code. But I lack some information
>in nf_conn structure. Can you please advice what's preferable way of
>getting such information:
>
>1) In/out interface indices.
>More accurately, I'm interested in SNMP
>interface indices to export accounting information but I hadn't seen
>any interface stuff in conntrack code.

Conntrack does not deal with interfaces — that is a routing thing.
It would be perfectly valid to send an SNMP query out on eth0,
and receive the reply on eth1, while the re-reply goes out on eth2...

Hence conntrack only deals with <source address, destination address,
other bits like port numbers or for example ESP SPI indexes> tuples.
There is a dirty hack, which is skb->iif, but I would not rely on it.

>2) TCP connection flags and IP ToS (Type of Service).
>
>If this is not implemented in conntrack, please describe me preferable
>way for adding support of this into netfilter - and I'll do so.

TOS is not part of the unique tuple to identify a connection,
hence I do not think it should be used as such (though you are free
to do so, but I tell you, the result may not work).

Or you can — but again it only makes sense for learning nfct —
to force the same TOS bit on any connection (and if that is not
the case, drop it.)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux