Want to release 1.2.5 soon

Harald Welte laforge@gnumonks.org
Fri, 11 Jan 2002 21:00:16 +0100


On Fri, Jan 11, 2002 at 12:15:35PM +0100, Jozsef Kadlecsik wrote:
> 
> At the netfilter-workshop Rusty proposed to remove the re-setting of
> the conntrack helper in ip_conntrack_alter_reply. In the
> to-be-released-anytime-newnat patch I went with this solution.

Exactly.

> > The only change in behaviour is that if you forward port 6667 to say 1234
> > and you have ip_conntrack_irc loaded but no helper for port 1234 the irc
> > helper is still the current helper for the connection even though it's
> > probably not an irc connection.
> 
> It depends on what is the intention in forwarding the port:
> 
> - original way: alter_reply looked up a new helper unconditionally.
> 
>   If someone forwards port 6667 to 1234 as non-standard IRC port, then
>   connection tracking will break if he/she forgets to define an irc
>   conntrack helper for port 1234 (too).
> 
> - Rusty's proposal: alter_reply doesn't assign a new helper at all
> 
>   Reversed: if someone forwards port 1234 to 6667 as IRC port, then
>   connection tracking will break if there is no irc conntrack helper on
>   port 1234.

I don't think that there's a big problem with that.  If we document the
behaviour and make people use the helper on port 1234, it should be 
clear enough.

> But! NAT sets the NAT helper always on the NATed port and this is
> confusing. Shouldn't NAT set its helper on the original port?

Mh. There's a good point on that.  I assume this is a clear mistake, 
which is not discovered in most cases since the port numbers are only
changed if there's no other way.

> What's your opinion?

What's the opinion of other core team members on that?

> > Oh it just struck me.. if I ftp a file and my client happens to choose
> > port 6667 as source port for the data transfer, doesn't that mean that all
> > data will pass through the irc helper? That seems like a big waste of CPU.
> 
> Would it be worth using flags for expectations like
> SIMPLE_EXPECTED_CONNECTION and modifying init_conntrack and ip_nat_setup_info
> to add a check whether it's an expected connection without the flag
> set before assigning the helper? We would slow down a little bit *all*
> connections to speed up a very few special cases.

Mh. Well, I don't think it's worth optimizing for very rare cases.

> Regards,
> Jozsef
-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
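The two failure modes Jozsef lays out above (helper lost when 6667 is forwarded to 1234 under the "original way", helper lost when 1234 is forwarded to 6667 under Rusty's proposal) can be made concrete with a small model. The following is an added example written for this page, not netfilter code: it reduces helper selection to a lookup keyed by destination port, performs that lookup once at connection creation (standing in for init_conntrack) and, under one of the two policies, again after NAT has rewritten the port (standing in for ip_conntrack_alter_reply). The helper table, the port numbers and the function names are assumptions chosen to mirror the thread; the real ip_conntrack code matches helpers on a tuple mask, not a bare port.

```c
/* Toy model of conntrack helper selection under a port-changing DNAT.
 * Added example for this mailing-list page; NOT netfilter source. It only
 * models the policy question in the thread: helper keyed by destination
 * port, looked up when the connection is created and (optionally) again
 * after NAT alters the reply tuple. */
#include <stdio.h>
#include <string.h>

typedef unsigned short port_t;

/* Hypothetical helper registry: a helper is registered on one port. */
struct helper { port_t port; const char *name; };

static const struct helper helpers[] = {
    { 6667, "irc" },   /* ip_conntrack_irc loaded, default port only */
    { 21,   "ftp" },   /* ip_conntrack_ftp loaded, default port only */
};

/* Return the helper registered for dport, or NULL if there is none. */
static const char *find_helper(port_t dport)
{
    for (size_t i = 0; i < sizeof helpers / sizeof helpers[0]; i++)
        if (helpers[i].port == dport)
            return helpers[i].name;
    return NULL;
}

/* The two behaviours discussed in the thread. */
enum policy {
    RELOOKUP_ON_ALTER_REPLY,  /* "original way": alter_reply looks up again */
    KEEP_INITIAL_HELPER       /* Rusty's proposal: alter_reply leaves it alone */
};

/* A connection arrives for orig_dport; DNAT rewrites the destination port
 * to nat_dport; then the alter_reply step runs under policy p.
 * Returns the helper attached to the connection afterwards, or NULL. */
static const char *conntrack_helper_after_nat(port_t orig_dport,
                                              port_t nat_dport,
                                              enum policy p)
{
    const char *helper = find_helper(orig_dport);   /* init_conntrack */
    if (p == RELOOKUP_ON_ALTER_REPLY)
        helper = find_helper(nat_dport);            /* alter_reply re-lookup */
    return helper;
}

/* Convenience for callers that want a yes/no answer. */
static int helper_is(const char *helper, const char *name)
{
    return helper != NULL && strcmp(helper, name) == 0;
}

int main(void)
{
    /* Constructed scenarios taken from the thread. */
    struct { port_t orig, nat; const char *desc; } cases[] = {
        { 6667, 1234, "forward 6667 -> 1234 (non-standard IRC port behind NAT)" },
        { 1234, 6667, "forward 1234 -> 6667 (standard IRC port behind NAT)" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *old = conntrack_helper_after_nat(cases[i].orig, cases[i].nat,
                                                     RELOOKUP_ON_ALTER_REPLY);
        const char *new = conntrack_helper_after_nat(cases[i].orig, cases[i].nat,
                                                     KEEP_INITIAL_HELPER);
        printf("%s\n  original way:     %s\n  Rusty's proposal: %s\n",
               cases[i].desc, old ? old : "(no helper)", new ? new : "(no helper)");
    }
    return 0;
}
```

Whichever policy is chosen, exactly one of the two forwarding directions loses its helper unless the administrator also registers the helper on the other port, which is the documentation point Harald makes in his reply.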