Re: [PATCH 0/2] IPv6 conntrack support for neighbour discovery

Yasuyuki KOZAKAI wrote:
> From: Eric Leblond <eric@xxxxxx>
> Date: Fri, 23 Jan 2009 11:51:30 +0100
>
>> I prefer 'NEW' rather than 'UNTRACKED' as other protocols whose
>> validation is unclear. So another solution is to let the connection
>> tracking subsystem create a new conntrack and to make
>> nf_conntrack_proto_icmpv6 assign 0 as timeout. What do you think?
>> If we do that, we can have nfnetlink messages (NEW, DESTROY) sent to
>> userspace. Personally, I don't think they are necessary. But there is
>> another issue: as we can't invert the tuple, the information provided to
>> userspace will be false.
>>
>> Once we agree on this last point, I will send a reworked patchset (with
>> at least the removal of sysctl stuff).
>
> Thank you. I understand why ICMPv6 packets are special here and
> I agree to assign UNTRACKED to them. Indeed a non-invertible tuple might
> bring issues.

How about adding a flag to indicate that only one direction of
the tuple exists? It makes sense to support this for other kinds
of simplex flows as well in my opinion, and it somewhat goes in the
same direction as the patch I talked about during the workshop
to have only a single tuple within the conntrack and have reply
tuples or potentially other tuples that relate to a connection
within the ct_extend area. And using NEW and having netlink
events seems more consistent to me.