Re: [RFD,patch] ICMP echo conntrack timeout

Pablo Neira Ayuso wrote:
Patrick McHardy wrote:
Pablo Neira Ayuso wrote:
I think it would be better to keep the default timeout of
nf_ct_icmp_timeout even after the echo reply is received. Feel free
to correct me why early deleting of ICMP conntrack entries is needed,
or consider applying the following patch.
The only problem that I see is that your patch relaxes the current
checking that we're doing. I mean, for every packet in one direction we
only accept one ICMP reply packet. With your patch, we can accept more
than one packet in the reply direction.
That's the intention, isn't it? :) I don't see a problem with this,
conntrack is supposed to accept valid responses and I don't think
it's unreasonable to consider duplicate echo-replies as valid.

I only wanted to point out that with this patch we're doing more relaxed ICMP
tracking, but I'm fine with this.

BTW, with this patch, we can add state synchronization in conntrackd for
ICMP (some bits are still missing to support this). This is something
that I don't particularly find very useful, but some people have
requested this.

I guess this really helps for a "ping-demonstration" where you pull the
plug and the ping keeps running :)


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
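The two behaviours discussed in the thread, as an added model that is not the patch and not kernel code: a "strict" tracker that accepts one echo reply per echo request and drops the entry once every request has been answered, and a "relaxed" tracker that keeps the entry alive for the default ICMP timeout and therefore also matches duplicate replies. The 30 second timeout, the verdict names and the packet sequence are constructed for the model; `nf_ct_icmp_timeout` is the real tunable but its value here is an assumption. The point to take from it is that relaxing the check only admits duplicates of replies that were actually solicited; an unsolicited reply, or one arriving after the timeout, is still INVALID under both policies.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
# Assumed value for nf_ct_icmp_timeout in this model (seconds).
DEFAULT_ICMP_TIMEOUT = 30.0


@dataclass
class EchoPacket:
    src: str
    dst: str
    icmp_type: int
    echo_id: int
    ts: float  # arrival time in seconds


@dataclass
class Entry:
    expires: float
    outstanding: int = 0  # strict policy: requests not yet answered


class IcmpTracker:
    """Minimal model of ICMP echo tracking, keyed on (originator, responder, id)."""

    def __init__(self, strict: bool):
        self.strict = strict
        self.table: Dict[Tuple[str, str, int], Entry] = {}

    def _key(self, pkt: EchoPacket) -> Tuple[str, str, int]:
        # Replies are looked up under the tuple of the original direction.
        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            return (pkt.src, pkt.dst, pkt.echo_id)
        return (pkt.dst, pkt.src, pkt.echo_id)

    def _expire(self, now: float) -> None:
        for key in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[key]

    def handle(self, pkt: EchoPacket) -> str:
        self._expire(pkt.ts)
        key = self._key(pkt)
        entry = self.table.get(key)

        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            if entry is None:
                entry = self.table[key] = Entry(expires=0.0)
                verdict = "NEW"
            else:
                verdict = "ESTABLISHED"
            entry.outstanding += 1
            entry.expires = pkt.ts + DEFAULT_ICMP_TIMEOUT
            return verdict

        if pkt.icmp_type == ICMP_ECHO_REPLY:
            if entry is None:
                return "INVALID"  # nobody asked for this reply
            if self.strict:
                # One reply per request; drop the entry once all are answered,
                # so a duplicated reply no longer finds a match.
                entry.outstanding -= 1
                if entry.outstanding == 0:
                    del self.table[key]
                return "ESTABLISHED"
            # Relaxed: keep the entry for the default timeout; duplicates match.
            entry.expires = pkt.ts + DEFAULT_ICMP_TIMEOUT
            return "ESTABLISHED"

        return "INVALID"


def run_scenario(strict: bool) -> List[str]:
    """Constructed traffic: request, reply, duplicate reply, unsolicited reply,
    and a late reply that arrives after the entry has timed out."""
    pkts = [
        EchoPacket("10.0.0.1", "192.0.2.10", ICMP_ECHO_REQUEST, 0x1234, 0.0),
        EchoPacket("192.0.2.10", "10.0.0.1", ICMP_ECHO_REPLY, 0x1234, 0.1),
        EchoPacket("192.0.2.10", "10.0.0.1", ICMP_ECHO_REPLY, 0x1234, 0.2),   # duplicate
        EchoPacket("192.0.2.10", "10.0.0.1", ICMP_ECHO_REPLY, 0x9999, 0.3),   # unsolicited
        EchoPacket("192.0.2.10", "10.0.0.1", ICMP_ECHO_REPLY, 0x1234, 45.0),  # after timeout
    ]
    tracker = IcmpTracker(strict)
    return [tracker.handle(p) for p in pkts]


if __name__ == "__main__":
    print("strict: ", run_scenario(strict=True))
    print("relaxed:", run_scenario(strict=False))
```

Running it shows the only difference between the two policies is the third verdict, the duplicated reply: INVALID under the strict counter, ESTABLISHED under the relaxed timeout. The unsolicited reply and the late reply are INVALID in both, which is what makes the relaxation acceptable from a filtering point of view, and the entry surviving the first reply is what gives conntrackd something to synchronize.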
