Re: Bug with conntracks created arbitrarily through netlink


Don't remove netfilter-devel from the CC list please.

Luca Landi wrote:
> On Wed, 24/09/2008 at 20.00 +0200, Patrick McHardy wrote:
>
>> We're automatically enabling the be-liberal logic for picked up
>> connections nowadays,
>
> Currently (as of 2.6.26.5) as well as on Ubuntu's kernel that's done
> only by tcp_new(), not by tcp_in_window()

Indeed. You're able to specify that flag from userspace though.

> However, my point is that in case of a manually created conntrack we
> could avoid enabling the be-liberal logic, because the subsystem _will_
> see the true first packet of the tracked connection eventually (the SYN
> in case of a tcp stream, but conceptually speaking the equivalent should
> apply to any proto), and thus should be able to set up proper tracking.
> Am I wrong?

No, that's correct. However the structure of the code doesn't allow
to do that easily since the ->new function is only called when
initializing a new conntrack at runtime. It might be possible to
move invocation up to resolve_normal_ct and make it dependent on
the connection state, it mainly depends on whether the other
functions called during initialization need that state from ->new.
They should not I think, but I haven't checked. Then you could also
invoke it based on some other condition controllable through ctnetlink.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
