Follow packets in rules
Jozsef Kadlecsik
kadlec at blackhole.kfki.hu
Thu Jun 14 16:18:51 CEST 2007
Hi Patrick,
On Thu, 14 Jun 2007, Patrick McHardy wrote:
>> http://svn.netfilter.org/cgi-bin/viewcvs.cgi/old_stuff/netfilter/trunk/patch-o-matic/extra/TRACE.patch?rev=3069
>
> Yeah, it doesn't look too bad. Unfortunately it breaks userspace
> compatibility.
Sigh.
> How about just adding a new match that prints a user-supplied string for
> specially marked packets?
That'd be hard to use in practice: imagine you have hundreds of rules in
multiple, multilevel chains. You would have to modify all your rules and
add meaningful, different log strings to every one of them if you needed
to check how given packets traverse the rules.
Also, it'd be about the same as writing a log match. But in the longer term
we'd better support multiple targets instead of a log match.
The "beauty" of the TRACE target is that there is no need to tweak the
rules: just "mark" the packets (we don't use the standard mark, so we
cannot clash with any rule) you are interested in to check how they
traverse the rulesets and that's all. Simple and clean.
An earlier version of the patch did not suffer from backward
incompatibility: when we hit a marked packet and a matched rule, it
searched for the chain name and computed the rule number internally. But it
can slow down packet processing if there are many matching rules and a large
number of rules in the chains, so I introduced stored rule numbers. What
about going back to that approach? Tracing packets should not be
considered a normal (and thus performance-efficient) mode.
Best regards,
Jozsef
-
E-mail : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
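Added example, not part of the message above or of netfilter's own code: a small POSIX shell script showing what the "mark the packets and read the trace" workflow described in the message looks like with the TRACE target as it exists in mainline kernels. It assumes the kernel-log line format `TRACE: table:chain:type:rulenum ...` (type being `rule`, `return` or `policy`); the log excerpt, addresses, chain names and rule numbers are constructed for the example, and the iptables commands are shown as comments because they need root and a real netfilter stack.

```shell
#!/bin/sh
# Added example, not from the original message or from netfilter itself.
# Assumes the TRACE target's kernel-log format:
#   "TRACE: <table>:<chain>:<rule|return|policy>:<rulenum> IN=... SRC=... DST=..."
# Everything in TRACE_LOG below is constructed, not captured from a real host.

# On a real system (as root), no firewall rule has to change; only the packets
# of interest get marked in the raw table, and a log backend must be loaded:
#   iptables -t raw -A PREROUTING -p tcp --dport 22 -j TRACE
#   (ipt_LOG or nf_log_ipv4, depending on kernel version, then read the kernel log)

# Constructed excerpt: one SSH SYN from 10.0.0.9 to 10.0.0.5 walks raw, mangle
# and nat PREROUTING, jumps from filter:INPUT rule 3 into user chain ssh_in,
# returns at ssh_in rule 4 and ends on the INPUT policy. A second flow to
# 10.0.0.6 and a non-TRACE line are mixed in to show the filtering.
TRACE_LOG='kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=22 SYN
kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.6 PROTO=TCP SPT=40001 DPT=22 SYN
kernel: TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=22 SYN
kernel: TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=22 SYN
kernel: TRACE: filter:INPUT:rule:3 IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=22 SYN
kernel: TRACE: filter:ssh_in:return:4 IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=22 SYN
kernel: TRACE: filter:INPUT:policy:7 IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=22 SYN
kernel: eth0: link is up'

# trace_path SRC DST: print, in order, every table:chain:type:rulenum position
# at which the TRACE target saw this flow. This is the packet's path through
# the rulesets without any rule having been modified.
trace_path() {
    printf '%s\n' "$TRACE_LOG" |
    awk -v src="SRC=$1" -v dst="DST=$2" '
        /TRACE: / {
            hit_src = 0; hit_dst = 0
            for (i = 1; i <= NF; i++) {
                if ($i == src) hit_src = 1
                if ($i == dst) hit_dst = 1
            }
            if (!hit_src || !hit_dst) next
            for (i = 1; i <= NF; i++) if ($i == "TRACE:") { print $(i + 1); break }
        }'
}

# final_verdict SRC DST: the last hop is where the packet left the rulesets.
# type "rule" = a terminating target matched, "policy" = it fell through to
# the chain's default policy; "return" hops are only intermediate.
final_verdict() {
    trace_path "$1" "$2" | tail -n 1
}

# count_hops SRC DST: number of positions the flow was traced at.
count_hops() {
    trace_path "$1" "$2" | wc -l | tr -d ' '
}

trace_path 10.0.0.9 10.0.0.5
```

Reading the output bottom-up answers the question the message poses: the last hop names the table, chain and rule (or policy) that decided the packet's fate, and the hops above it show which chains it passed through to get there, with no per-rule log strings involved.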