Question(s) - Re: [RELEASE] netlink for netfilter version 1.0.0
Wed, 14 Nov 2001 11:58:52 -0600 (CST)
On Wed, 14 Nov 2001, Patrick Schaaf wrote:
> I doubt that you could do correct window tracking this way, given the
> latency of state updates between two boxes. With window tracking
> somehow "relaxed" in a takeover situation, it should work out nicely.
> However, I don't see the advantage of going up to user level four times
> (two times on each box), for each conntrack state update. A dedicated
> kernel thread should do nicely.
> You don't happen to have an example of a kernel thread using your
> nfnetlink interface?
The nfnetlink API is sockets, so using the struct socket opts would be
fine, though you would not gain much performance over a user
space application with this method.
The second method would be to attach to the same notification hooks that
nfnetlink itself hooks into inside conntrack. This has better performance,
but would require the kernel thread itself to discover what changes need
to be propagated.
The other way would be some combination of both to get the best of
both worlds. Maybe hook directly to conntrack notification for events, and
use the socket opts for inputting the conntrack information.
Both methods are equally valid in my mind and really depend on the
preference of the person implementing the daemon.