Yasuyuki KOZAKAI wrote:
From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Mon, 26 Jan 2009 14:11:37 +0100
Thank you. I understand why ICMPv6 packets are special here and
I agree to assign UNTRACKED to them. Indeed, a non-invertible tuple might
bring issues.
How about adding a flag to indicate that only one direction of
the tuple exists? It makes sense to support this for other kinds
of simplex flows as well in my opinion and it somewhat goes in the
same direction as the patch I talked about during the workshop
to have only a single tuple within the conntrack and have reply
tuples or potentially other tuples that relate to a connection
within the ct_extend area. And using NEW and having netlink
events seems more consistent to me.
It sounds good as a long-term solution. For now Eric's patch is enough,
I think.
OK, thanks.
And sorry, I don't remember your patch in detail since maybe the nftables talk
was impressive to me ;) but it sounds like it will make it easier to implement
a module to track protocols using broadcast.
:) Yes, that was one of the ideas. The other one was that f.i. protocols
like SIP don't actually care about the network identities of their
flows and might send traffic related to a single logical connection on
multiple different flows. I'm hoping that allowing more than two tuples
per conntrack will help with proper tracking.