solved Re: missing conntrack protocol on updates

Amin Azez azez at ufomechanic.net
Thu Jun 16 18:11:34 CEST 2005


I had mistakenly thought that ctnetlink_fill_info was the only place 
that constructed conntrack netlink packets but now I see that I had 
missed out ctnetlink_conntrack_event which tries to optimize away the 
protocol information if it has not changed but always outputs the tuple.

This seems a mistake because the tuple identifies the conntrack by IP 
and port and protocol, and as there is no medium term conntrack ID 
available the protocol will also be needed to trace the conntrack 
updates as.

Sam

Pablo Neira wrote:

> Hi Amin,
>
> Amin Azez wrote:
>
>> Of course as I am using a custom conntrack kernel module which also 
>> dumps out the mac addresses the fault could be here, I wondered if 
>> you would leave that grep running for a while to see if the fault is 
>> a general one?
>
>> [UPDATE] src=192.168.0.252 dst=192.168.0.233 sport=80 dport=2118 
>> src=192.168.0.233 dst=192.168.0.252 sport=2118 dport=80 
>> timeout=432000 orig_packets=1 orig_bytes=52 reply_packets=1 
>> reply_bytes=52 src_mac=00:09:5b:bb:d2:aa dst_mac=00:01:02:12:c6:3a
>> [UPDATE] src=192.168.0.252 dst=192.168.0.233 sport=80 dport=2128 
>> src=192.168.0.233 dst=192.168.0.252 sport=2128 dport=80 
>> timeout=432000 orig_packets=1 orig_bytes=52 reply_packets=1 
>> reply_bytes=52 src_mac=00:09:5b:bb:d2:aa dst_mac=00:01:02:12:c6:3a
>> [UPDATE] src=192.168.0.252 dst=192.168.0.233 sport=80 dport=2133 
>> src=192.168.0.233 dst=192.168.0.252 sport=2133 dport=80 
>> timeout=432000 orig_packets=1 orig_bytes=52 reply_packets=1 
>> reply_bytes=52 src_mac=00:09:5b:bb:d2:aa dst_mac=00:01:02:12:c6:3a
>> [UPDATE] src=192.168.0.252 dst=192.168.0.233 sport=80 dport=2134 
>> src=192.168.0.233 dst=192.168.0.252 sport=2134 dport=80 
>> timeout=432000 orig_packets=1 orig_bytes=52 reply_packets=1 
>> reply_bytes=52 src_mac=00:09:5b:bb:d2:aa dst_mac=00:01:02:12:c6:3a
>
>
> This seems related to your hack. All those update messages tell me that 
> you are sending a netlink event message for every 
> IPCT_PROTINFO_VOLATILE event, aren't you? Maybe you're doing something 
> similar, I'd need to see the code anyway.
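The point made at the top of the thread, that the tuple identifies a conntrack by address, port and protocol and that the protocol is therefore needed to follow updates, as an added example that is not part of the thread or of the netfilter project's code. It is a small Python parser for the [UPDATE] lines quoted above that keys each event by the original-direction tuple plus protocol, counts events whose protocol is unknown, and shows that without a protocol attribute a TCP flow and a UDP flow on the same addresses and ports collapse into one entry. The `proto=` attribute name and the 10.0.0.x flows are assumptions constructed for this example; the output quoted in the thread carries no protocol field at all.

```python
import re
from collections import defaultdict

# Two of the event lines quoted in the thread, used here as sample input.
PAGE_STYLE_EVENTS = [
    "[UPDATE] src=192.168.0.252 dst=192.168.0.233 sport=80 dport=2118 "
    "src=192.168.0.233 dst=192.168.0.252 sport=2118 dport=80 "
    "timeout=432000 orig_packets=1 orig_bytes=52 reply_packets=1 "
    "reply_bytes=52 src_mac=00:09:5b:bb:d2:aa dst_mac=00:01:02:12:c6:3a",
    "[UPDATE] src=192.168.0.252 dst=192.168.0.233 sport=80 dport=2128 "
    "src=192.168.0.233 dst=192.168.0.252 sport=2128 dport=80 "
    "timeout=432000 orig_packets=1 orig_bytes=52 reply_packets=1 "
    "reply_bytes=52 src_mac=00:09:5b:bb:d2:aa dst_mac=00:01:02:12:c6:3a",
]

# Constructed: two flows sharing addresses and ports but differing in
# protocol. The "proto=" attribute is an assumption for this example.
COLLIDING_WITH_PROTO = [
    "[NEW] proto=tcp src=10.0.0.1 dst=10.0.0.2 sport=4000 dport=53 "
    "src=10.0.0.2 dst=10.0.0.1 sport=53 dport=4000",
    "[NEW] proto=udp src=10.0.0.1 dst=10.0.0.2 sport=4000 dport=53 "
    "src=10.0.0.2 dst=10.0.0.1 sport=53 dport=4000",
]

HEADER_RE = re.compile(r"\[(\w+)\]\s*(.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one '[TYPE] k=v k=v ...' line into (type, orig, reply, attrs).

    The first src/dst/sport/dport quartet is the original direction, the
    second the reply direction, matching the quoted ctnetlink output.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an event line: %r" % line)
    event_type, rest = m.groups()
    orig, reply, attrs = {}, {}, {}
    for key, value in FIELD_RE.findall(rest):
        if key in ("src", "dst", "sport", "dport"):
            # A repeated tuple field belongs to the reply direction.
            target = orig if key not in orig else reply
            target[key] = value
        else:
            attrs[key] = value
    return event_type, orig, reply, attrs


def flow_key(orig, attrs):
    """Identity of the conntrack: protocol plus the original tuple.

    The protocol slot is None when the event did not carry one, which is
    exactly the situation the thread is about.
    """
    return (attrs.get("proto"), orig["src"], orig["dst"],
            orig.get("sport"), orig.get("dport"))


def track(lines):
    """Group events by flow key; return (flows, events_missing_protocol)."""
    flows = defaultdict(list)
    missing = 0
    for line in lines:
        event_type, orig, _reply, attrs = parse_event(line)
        key = flow_key(orig, attrs)
        if key[0] is None:
            missing += 1
        flows[key].append(event_type)
    return dict(flows), missing


def collision_demo():
    """Distinct flows seen with and without the protocol attribute."""
    with_proto, _ = track(COLLIDING_WITH_PROTO)
    stripped = [l.replace("proto=tcp ", "").replace("proto=udp ", "")
                for l in COLLIDING_WITH_PROTO]
    without_proto, _ = track(stripped)
    return len(with_proto), len(without_proto)


if __name__ == "__main__":
    flows, missing = track(PAGE_STYLE_EVENTS)
    print("flows: %d, events without protocol: %d" % (len(flows), missing))
    print("distinct flows with/without proto: %s" % (collision_demo(),))
```

Run as a script it reports that both quoted events lack a protocol, and that the two constructed flows are distinguishable only while the protocol is present; a consumer that builds its own flow table from these events has to treat a missing protocol as an error rather than a wildcard.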