Re: [PATCH 0/2] IPv6 conntrack support for neighbour discovery

From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Mon, 26 Jan 2009 14:11:37 +0100

> Yasuyuki KOZAKAI wrote:
> > From: Eric Leblond <eric@xxxxxx>
> > Date: Fri, 23 Jan 2009 11:51:30 +0100
> > 
> >>> I prefer 'NEW' rather than 'UNTRACKED' as other protocols which
> >>> validation is unclear. So another solution is to let the connection
> >>> tracking subsystem create a new conntrack and to make
> >>> nf_contrack_proto_icmpv6 assign 0 as timeout. What do you think?
> >> If we do that, we can have nfnetlink messages (NEW, DESTROY) sent to
> >> userspace. Personally, I don't think they are necessary. But there is
> >> another issue: as we can't invert the tuple, the information provided to
> >> userspace will be false.
> >>
> >> Once we agree on this last point, I will send a reworked patchset (with
> >> at least the removal of sysctl stuff).
> > 
> > Thank you. I understand why ICMPv6 packets are special here and
> > I agree to assign UNTRACKED to them. Indeed non-invertible tuple might
> > bring issues.
> 
> How about adding a flag to indicate that only one direction of
> the tuple exists? It makes sense to support this for other kinds
> of simplex flows as well in my opinion and it somewhat goes in the
> same direction as the patch I talked about during the workshop
> to have only a single tuple within the conntrack and have reply
> tuples or potentially other tuples that relate to a connection
> within the ct_extend area. And using NEW and having netlink
> events seems more consistent to me.

It sounds good as a long-term solution. For now Eric's patch is enough,
I think.

And sorry, I don't remember your patch in detail, since maybe the nftables talk
was impressive to me ;) but it sounds like it will make it easier to implement
a module to track protocols using broadcast.

-- Yasuyuki Kozakai