problem with conntrack utility and kernel 2.6.14
olenf at ans.pl
Tue Nov 1 11:29:30 CET 2005
On Tue, 1 Nov 2005, Pablo Neira wrote:
> You can't use -E together with -i. But I think that adding the conntrack ID
> to the event information that is dumped could be worthwhile for accounting
> purposes, so I'll add this to my pending patches for ctnetlink, ok?
OK, thank you.
> You can't kill conntracks *just* by the ID. The connection tracking table
> currently uses the tuple information (source, destination, protocol
> information) to place the conntrack in hashes, and the same to perform lookups.
So, why do we need this conntrack ID? Only for userspace applications?
> Implementing the ability of killing conntracks just by their ID would be O(n),
> so we would need to walk through the buckets until we find a match, not so
> good. Just a wild thought, how bad would hashing the conntracks by their ID be?
AFAIK quite bad, since netfilter code really needs src/dst/proto hashing
when processing a received packet.
> In that case we could implement this feature. So, currently you'll always
> need the information about the source, destination and protocol specific
> stuff together with the ID.
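As an added illustration (not code from this thread or from netfilter), here is a toy conntrack table in C that keeps only the tuple hash the thread describes: lookup by tuple touches a single bucket, while deleting by ID alone has no index to consult and must walk every bucket. The structure names, hash function and sample tuples are constructed for the example.

```c
/* Added illustration, not netfilter code: a toy conntrack table indexed only
 * by a tuple hash, showing why deleting by ID alone must walk every bucket. */
#include <stdint.h>
#include <stdlib.h>
#define NBUCKETS 16

struct tuple { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
struct conntrack {
    struct tuple t;
    uint32_t id;                /* unique ID, like the one ctnetlink exports */
    struct conntrack *next;     /* chain within one hash bucket */
};
static struct conntrack *table[NBUCKETS];
static uint32_t next_id = 1;
static unsigned long walked;    /* entries visited by the last find/kill */

/* The tuple hash is the only index the table keeps (as the thread says). */
static unsigned hash_tuple(const struct tuple *t) {
    uint32_t h = t->src ^ (t->dst * 31u) ^ ((uint32_t)t->sport << 16) ^ t->dport ^ t->proto;
    return h % NBUCKETS;
}
static int tuple_eq(const struct tuple *a, const struct tuple *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}
/* Constructed sample flow i: same source host, varying destination and port. */
struct tuple sample(unsigned i) {
    struct tuple t = { 0x0a000001u, 0x0a000100u + i, (uint16_t)(40000 + i), 80, 6 };
    return t;
}
uint32_t ct_insert(struct tuple t) {
    struct conntrack *ct = calloc(1, sizeof *ct);
    unsigned b = hash_tuple(&t);
    ct->t = t; ct->id = next_id++; ct->next = table[b]; table[b] = ct;
    return ct->id;
}
/* Lookup by tuple (the packet path): hash once, scan a single bucket. */
struct conntrack *ct_find(const struct tuple *t) {
    walked = 0;
    for (struct conntrack *ct = table[hash_tuple(t)]; ct; ct = ct->next)
        if (++walked, tuple_eq(&ct->t, t)) return ct;
    return NULL;
}
/* Kill by ID only: nothing hashes on the ID, so every bucket is walked: O(n). */
int ct_kill_by_id(uint32_t id) {
    walked = 0;
    for (unsigned b = 0; b < NBUCKETS; b++)
        for (struct conntrack **pp = &table[b]; *pp; pp = &(*pp)->next)
            if (++walked, (*pp)->id == id) {
                struct conntrack *dead = *pp; *pp = dead->next; free(dead); return 1;
            }
    return 0;
}
unsigned long ct_last_walked(void) { return walked; }
```

A miss on `ct_kill_by_id` reports `ct_last_walked()` equal to the total number of entries, whereas `ct_find` never visits more than one bucket's chain.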