Hi Todor,

On 02/07/10 09:31, todor.gamishev@xxxxxxxxxxxxxxxxxx wrote:
> Hi Pablo,
>
> Pablo Neira Ayuso wrote:
>> We are not synchronizing the expectation table but we do synchronize
>> confirmed expectations that are attached to their master conntrack (I'm
>> referring to the RELATED state in iptables).
>>
>> Expectations usually have a short lifetime and they occur in early
>> stages of the flow establishment. I consider that synchronizing
>> expectations does not help too much to improve availability under recovery
>> situations but it requires extra computational resources for this.
>
> Thank you very much for replying to my mail so quickly.
>
> Yes, I agree with you in some ways. However, I am working on SIP-capable
> firewalls and the SIP Applicative Layer Gateway in netfilter
> (nf_conntrack_sip) retrieves ports needed for the RTP traffic in the SIP
> message body and adds them in the expectation table. So, when the Master
> goes down the Backup doesn't know them and all RTP packets are dropped.

Indeed, as of now (conntrack-tools 0.9.14) we don't support SIP yet, but it would require extra implementation work.