Eric Leblond wrote:
>> There's a very easy and cheap way to handle this. The packets have
>> sequence numbers and userspace should issue verdicts in ascending
>> order anyways to avoid reordering. Just add something that will drop
>> everything in the queue up to the sequence number contained in the
>> netlink message.
>>
>
> I don't think the described mechanism is generic enough to be a default
> behaviour. It should be useful for projects like snort-inline but it
> will really be a problem for software like NuFW which is asynchronous by
> design.
>
> In NuFW, packet authentication is triggered by a user message (signing
> of the packet is done in userspace). Thus the ordering of the answers
> depends on the ordering of user messages. As NuFW authenticates packets
> at network scale (there are thus plenty of users), it is not possible
> to assume that the answers will be ordered.
>
> Thus, even if it could be useful, this mechanism should only be
> activated by an explicit userspace query.

Good point. The in-sequence handling is also only necessary per flow, so
this definitely would need to be enabled explicitly.
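To make the two positions in this thread concrete, here is an added example (written for this page; it is not code from the netfilter project, the kernel or NuFW) that models the queue semantics in user space: the existing per-packet verdict beside the proposed "every queued packet up to this sequence number" verdict, replayed once for an in-order consumer such as snort-inline and once for answers that arrive out of order, as they do in an asynchronous authentication gateway. The queue structure, the packet ids and the verdict sequences are constructed for illustration; the names `verdict_one` and `verdict_upto` are mine and do not correspond to kernel functions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an nfnetlink_queue-style queue (not kernel code):
 * packets are handed to userspace with ascending ids and wait for a verdict. */
enum verdict { PENDING = 0, ACCEPT = 1, DROP = 2 };

#define QLEN 16

struct pkt_queue {
    uint32_t id[QLEN];     /* packet ids in the order they were queued */
    enum verdict v[QLEN];  /* verdict applied so far, PENDING if none */
    size_t n;
};

struct verdict_msg { uint32_t id; enum verdict v; };

/* Queue n packets with ids 1..n, all still waiting for a verdict. */
static void queue_init(struct pkt_queue *q, size_t n)
{
    q->n = n > QLEN ? QLEN : n;
    for (size_t i = 0; i < q->n; i++) {
        q->id[i] = (uint32_t)(i + 1);
        q->v[i] = PENDING;
    }
}

/* Per-packet verdict (today's behaviour): acts on exactly the packet named
 * by id. Returns 1 if a pending packet was verdicted, 0 otherwise. */
static int verdict_one(struct pkt_queue *q, uint32_t id, enum verdict v)
{
    for (size_t i = 0; i < q->n; i++)
        if (q->id[i] == id && q->v[i] == PENDING) { q->v[i] = v; return 1; }
    return 0;
}

/* Proposed "up to the sequence number" verdict: one message verdicts every
 * still-pending packet whose id is <= max_id. Returns the number touched. */
static size_t verdict_upto(struct pkt_queue *q, uint32_t max_id, enum verdict v)
{
    size_t touched = 0;
    for (size_t i = 0; i < q->n; i++)
        if (q->id[i] <= max_id && q->v[i] == PENDING) { q->v[i] = v; touched++; }
    return touched;
}

/* Replay a sequence of verdict messages with either semantics. */
static void apply_verdicts(struct pkt_queue *q, const struct verdict_msg *m,
                           size_t n, bool upto_mode)
{
    for (size_t i = 0; i < n; i++) {
        if (upto_mode) verdict_upto(q, m[i].id, m[i].v);
        else           verdict_one(q, m[i].id, m[i].v);
    }
}

static size_t count_state(const struct pkt_queue *q, enum verdict v)
{
    size_t c = 0;
    for (size_t i = 0; i < q->n; i++) if (q->v[i] == v) c++;
    return c;
}

/* In-order consumer (snort-inline case): after inspecting packets 1..4 it
 * sends one up-to-4 ACCEPT instead of four messages. Returns packets accepted. */
size_t inorder_batch_accepted(void)
{
    struct pkt_queue q;
    const struct verdict_msg msgs[] = { { 4, ACCEPT } };
    queue_init(&q, 6);
    apply_verdicts(&q, msgs, 1, true);
    return count_state(&q, ACCEPT);
}

/* Asynchronous consumer (NuFW case): the user owning packet 5 answers first
 * and is accepted, then the user owning packet 2 fails and packet 2 must be
 * dropped. Returns how many packets end up ACCEPTed under up-to semantics
 * without ever having been explicitly accepted under per-packet semantics. */
size_t async_batch_overreach(void)
{
    struct pkt_queue per, upto;
    const struct verdict_msg msgs[] = { { 5, ACCEPT }, { 2, DROP } };
    size_t over = 0;
    queue_init(&per, 6);
    queue_init(&upto, 6);
    apply_verdicts(&per, msgs, 2, false);
    apply_verdicts(&upto, msgs, 2, true);
    for (size_t i = 0; i < per.n; i++)
        if (upto.v[i] == ACCEPT && per.v[i] != ACCEPT) over++;
    return over;
}

/* Whether packet 2's explicit DROP in that scenario still takes effect. */
bool async_drop_honoured(bool upto_mode)
{
    struct pkt_queue q;
    const struct verdict_msg msgs[] = { { 5, ACCEPT }, { 2, DROP } };
    queue_init(&q, 6);
    apply_verdicts(&q, msgs, 2, upto_mode);
    return q.v[1] == DROP;  /* index 1 holds id 2 */
}

int main(void)
{
    printf("in-order, one up-to-4 ACCEPT: %zu packets accepted\n",
           inorder_batch_accepted());
    printf("async, up-to mode: %zu packets accepted with no explicit verdict\n",
           async_batch_overreach());
    printf("async, packet 2 DROP honoured: per-packet=%d up-to=%d\n",
           async_drop_honoured(false), async_drop_honoured(true));
    return 0;
}
```

With ordered verdicts the up-to message is a pure saving (one message settles four packets). With out-of-order answers the same message settles packets whose authentication has not yet been decided, and a later DROP for one of them finds nothing left to drop, which is why the thread concludes the mechanism must be opt-in rather than the default.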