On Fri, Feb 06, 2004 at 05:28:51PM +0000, T. Horsnell (tsh) wrote:

> I need to maintain a log of SNAT'd connections/disconnections
> which contain the source/dest ip/port of the host before
> SNAT'ing. As discussed on this list before, the POSTROUTING -j LOG
> target doesn't provide this information, so I've written a crude
> logger of my own.
>
> This logger is a Perl script which does the following:

Please don't do it. Frequent reading of /proc/net/ip_conntrack is not
reliable and will slow down your firewall significantly.

I recommend using ctnetlink for this kind of program.

> What happens if the ip_conntrack data is being updated
> at the instant /proc/net/ip_conntrack is being read?
> Is there the possibility of a race condition here which
> might explain what I'm seeing? Any suggestions welcome.

Yes, there almost certainly is one.

> Cheers,
> Terry.

--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed." -- Paul Vixie
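The ctnetlink approach Harald recommends, as an added example that is not part of the original thread or of the netfilter project: a minimal event subscriber that decodes conntrack NEW/DESTROY messages into their original (pre-SNAT) and reply tuples, so the logger gets the pre-NAT source without ever polling /proc/net/ip_conntrack. The constants are the kernel uapi values; make_event() and the sample addresses are constructed here for offline testing, IPv4 only, and watch() assumes CAP_NET_ADMIN.

```python
import socket, struct
from ipaddress import IPv4Address

# Constants from <linux/netlink.h>, <linux/netfilter/nfnetlink.h>, <linux/netfilter/nfnetlink_conntrack.h>.
NETLINK_NETFILTER, NFNL_SUBSYS_CTNETLINK, NLA_TYPE_MASK = 12, 1, 0x3fff
NF_NETLINK_CONNTRACK_NEW, NF_NETLINK_CONNTRACK_DESTROY = 0x1, 0x4
IPCTNL_MSG_CT_NEW, IPCTNL_MSG_CT_DELETE, CTA_TUPLE_ORIG, CTA_TUPLE_REPLY = 0, 2, 1, 2
CTA_TUPLE_IP, CTA_TUPLE_PROTO, CTA_IP_V4_SRC, CTA_IP_V4_DST = 1, 2, 1, 2
CTA_PROTO_NUM, CTA_PROTO_SRC_PORT, CTA_PROTO_DST_PORT = 1, 2, 3

def nla(ntype, payload):  # one nlattr: u16 len, u16 type, payload padded to 4 bytes
    return struct.pack("=HH", 4 + len(payload), ntype) + payload.ljust((len(payload) + 3) & ~3, b"\0")

def parse_attrs(buf):
    """Decode a run of nlattrs into {type: payload}; NLA_F_* flag bits are masked off."""
    attrs, off = {}, 0
    while off + 4 <= len(buf):
        nla_len, ntype = struct.unpack_from("=HH", buf, off)
        if nla_len < 4: break  # malformed attribute, stop rather than spin
        attrs[ntype & NLA_TYPE_MASK] = buf[off + 4:off + nla_len]
        off += (nla_len + 3) & ~3
    return attrs

def parse_tuple(buf):
    """CTA_TUPLE_ORIG/REPLY payload -> (src, sport, dst, dport, proto); ports are big-endian."""
    t = parse_attrs(buf)
    ip, pr = parse_attrs(t[CTA_TUPLE_IP]), parse_attrs(t[CTA_TUPLE_PROTO])
    sp, dp = struct.unpack("!HH", pr[CTA_PROTO_SRC_PORT] + pr[CTA_PROTO_DST_PORT])
    return (str(IPv4Address(ip[CTA_IP_V4_SRC])), sp, str(IPv4Address(ip[CTA_IP_V4_DST])), dp, pr[CTA_PROTO_NUM][0])

def parse_events(datagram):
    """Yield (event, orig, reply) for each ctnetlink NEW/DESTROY nlmsg in one recv()."""
    off, names = 0, {IPCTNL_MSG_CT_NEW: "NEW", IPCTNL_MSG_CT_DELETE: "DESTROY"}
    while off + 16 <= len(datagram):
        nlmsg_len, nlmsg_type = struct.unpack_from("=IH", datagram, off)
        if nlmsg_len < 16: break
        if nlmsg_type >> 8 == NFNL_SUBSYS_CTNETLINK and (nlmsg_type & 0xff) in names:
            a = parse_attrs(datagram[off + 20:off + nlmsg_len])  # skip nlmsghdr (16) + nfgenmsg (4)
            yield names[nlmsg_type & 0xff], parse_tuple(a[CTA_TUPLE_ORIG]), parse_tuple(a[CTA_TUPLE_REPLY])
        off += (nlmsg_len + 3) & ~3

def make_event(msg_type, orig, reply):  # constructed sample event in the kernel's wire layout
    def tup(src, sport, dst, dport, proto):
        return (nla(CTA_TUPLE_IP, nla(CTA_IP_V4_SRC, IPv4Address(src).packed) + nla(CTA_IP_V4_DST, IPv4Address(dst).packed))
                + nla(CTA_TUPLE_PROTO, nla(CTA_PROTO_NUM, bytes([proto])) + nla(CTA_PROTO_SRC_PORT, struct.pack("!H", sport))
                      + nla(CTA_PROTO_DST_PORT, struct.pack("!H", dport))))
    body = struct.pack("=BBH", socket.AF_INET, 0, 0) + nla(CTA_TUPLE_ORIG, tup(*orig)) + nla(CTA_TUPLE_REPLY, tup(*reply))
    return struct.pack("=IHHII", 16 + len(body), (NFNL_SUBSYS_CTNETLINK << 8) | msg_type, 0, 0, 0) + body

def watch(handler=print):  # subscribe to NEW/DESTROY events; needs CAP_NET_ADMIN
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_NETFILTER)
    s.bind((0, NF_NETLINK_CONNTRACK_NEW | NF_NETLINK_CONNTRACK_DESTROY))
    while True:  # orig = pre-SNAT tuple as the host sent it; reply dst = the SNAT'd source
        for event in parse_events(s.recv(65536)): handler(event)
```

One recv() may return several nlmsgs, which is why parse_events() loops; a logger that falls behind gets ENOBUFS from the kernel, so raise SO_RCVBUF or keep the handler cheap rather than silently losing events.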