Skipping connection tracking for certain traffic types?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,


Correct me on this if I'm wrong: It is a feature of
Netfilter that whenever conntrack is registered in
kernel, then for example any UDP packet passing through
the firewall causes the state table to be consulted
basically resulting in either update of an old state
entry if found or creation of a new state.

Now if the description above holds we have a slight problem.

At our site, connection tracking would be the nice way to
handle the classic case of allowing responses to UDP
requests initiating from our internal network. The problem
is that in the internal network there are several standalone
(a.k.a. non-forwarding) caching nameservers sending about 100
dns queries per second through the firewall in the worst case.
For us the default ip_conntrack_proto_udp.c timeout setting
of 30 seconds for unreplied UDP requests and 180 seconds
for assured streams could mean from 3 000 up to 18 000 state
entries for these dns requests alone.

This problem would be solved if it was possible with
Netfilter/iptables to skip connection tracking for some
rules (servers sending dns queries and replies to them in
our case), or better yet, not to track every connection by
default but only when requested per rule. Is this kind
of selective connection tracking possible already or will
it possibly become supported in future conntrack versions?


Best regards,
Ville

- --
Mr. Ville Mattila, vm@xxxxxx, http://iki.fi/vm/

-----BEGIN PGP SIGNATURE-----

iD8DBQE+1HuDtUJlHUfTfMERAlu1AJ9+s5bD2uwP47M7GZSuh2vx6fooLgCfYsir
nIvIRSE8mdUbVgZ36cGrvEE=
=4/r4
-----END PGP SIGNATURE-----
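The selective tracking asked for above became available in later netfilter releases through the raw table and the NOTRACK target: a packet marked there in PREROUTING never reaches conntrack, so no state entry is created for it. The script below is an added example, not part of the original post or of the netfilter project; the resolver subnet 192.0.2.0/24, the function names and the DRY_RUN switch are assumptions made for illustration. It also shows the trade-off a practitioner needs to remember: untracked packets can never match ESTABLISHED, so the DNS replies must be accepted statelessly in the filter table, in both directions.

```shell
#!/bin/sh
# Added example: keep DNS query/reply traffic of internal caching resolvers
# out of the conntrack table. 192.0.2.0/24 is a constructed placeholder.
RESOLVERS="${RESOLVERS:-192.0.2.0/24}"
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the rules instead of applying them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

notrack_dns_rules() {
    # The raw table is traversed before conntrack; NOTRACK prevents a state
    # entry for queries leaving the resolvers and for the replies coming back.
    run -t raw -A PREROUTING -s "$RESOLVERS" -p udp --dport 53 -j NOTRACK
    run -t raw -A PREROUTING -d "$RESOLVERS" -p udp --sport 53 -j NOTRACK
    # Untracked packets carry state UNTRACKED, never ESTABLISHED, so the
    # reply direction has to be allowed explicitly (stateless filtering).
    run -t filter -A FORWARD -m conntrack --ctstate UNTRACKED \
        -s "$RESOLVERS" -p udp --dport 53 -j ACCEPT
    run -t filter -A FORWARD -m conntrack --ctstate UNTRACKED \
        -d "$RESOLVERS" -p udp --sport 53 -j ACCEPT
}

# Current number of conntrack entries, so the effect of the rules can be
# measured; prints 0 when neither procfs counter exists on this host.
conntrack_count() {
    for f in /proc/sys/net/netfilter/nf_conntrack_count \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_count; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo 0
}

if [ "${1:-}" = "apply" ]; then
    echo "conntrack entries before: $(conntrack_count)"
    notrack_dns_rules
    echo "conntrack entries after:  $(conntrack_count)"
fi
```

Run with `DRY_RUN=1 sh notrack-dns.sh apply` to inspect the generated rules first; on newer iptables the `-j NOTRACK` target is spelled `-j CT --notrack` and the `-m state --state` match accepts UNTRACKED as well. Because the replies are no longer matched against a state entry, the sport-53 rule accepts any UDP packet with source port 53 addressed to the resolvers, which is exactly the stateless exposure the conntrack entries were buying.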

