On Tuesday 2015-10-27 17:35, Florian Westphal wrote:

>> Good point, I'll look at this tomorrow. It should not be too hard to
>> add this.
>
> Ahem. There are strings attached... :-/
>
> So conntrack -L or conntrack -E do not enable connection tracking
> if it's not enabled (on current kernels).
>
> So one has to load the ipv4/ipv6 etc. tracker explicitly.
>
> Problem *after* patches is that this doesn't suffice.
>
> So old behaviour:
> conntrack -E
>
> (nothing happens)
> (modprobe nf_conntrack_ipv4)
> (conntrack -E starts to display events)
>
> new behaviour:
> (modprobe nf_conntrack_ipv4)
> (conntrack -E doesn't display events since conntrack module doesn't
>  see packets due to lack of nf hooks).
>
> My first attempt to fix this was to hook into nfnetlink bind,
> but that doesn't really work in a backwards-compatible fashion since
> it only makes 'modprobe nf_conntrack_ipv4; conntrack -E' work, but
> not nf_conntrack_ipv4 module load *after* an event listener is already
> running.
>
> The other alternative is to request all the protocol trackers during
> ctnetlink bind request but that sucks.
>
> Any suggestion? I don't really see a way out of this.

I am thinking of something like

    echo +PROTO >/proc/net/.../nf_conntrack/bind
    echo -PROTO >/proc/net/.../nf_conntrack/bind

That way, userspace can request enablement per netns. And nf_conntrack can do

1. call request_module to load it if not already in the system,
2. pin the particular nf_conntrack_PROTO module, with refcounting
   (try_module_get() and module_put(), one ref per netns).

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html