[NEW TARGET] target for modifying conntrack timeout value

Pablo Neira pablo at eurodev.net
Mon Dec 13 22:14:45 CET 2004


Richard wrote:

>>-----Original Message-----
>>From: Richard [mailto:richard at o-matrix.org]
>>Sent: Wednesday, December 08, 2004 3:48 PM
>>To: 'Pablo Neira'
>>Cc: 'netfilter-devel at lists.netfilter.org'
>>Subject: RE: [NEW TARGET] target for modifying conntrack timeout value
>>
>>>+                ct->timeout.expires = new_expires;
>>>                  ^^^
>>>
>>>Hm, I thought that I told you to use ip_ct_refresh... you should. Your
>>>target will look smarter and you can forget about proper locking...
>>>which is now completely broken...
>>>
>>Hi Pablo,
>>
>>Thanks for the comments. I made the modification and attached the latest
>>copy. Now it uses ip_ct_refresh. The target first reads the existing
>>expire value, then modifies it. If there is something in between, the expire
>>value might get changed. Even worse, the conntrack state might change.
>>That's why I locked it first, then read and write, finally unlock. If it
>>is broken, there is no difference anyway...
>>
>
>Just wonder if there is any update on this please...

Sorry, I'm busy as hell right now. But I'll go through it as soon as I
find some spare time. Reviewing your target is still on my to-do list.
Please, be patient.

--
Pablo



