Follow packets in rules

Patrick McHardy kaber at trash.net
Thu Jun 14 16:23:57 CEST 2007


Jozsef Kadlecsik wrote:
> Hi Patrick,
> 
> On Thu, 14 Jun 2007, Patrick McHardy wrote:
> 
>>> http://svn.netfilter.org/cgi-bin/viewcvs.cgi/old_stuff/netfilter/trunk/patch-o-matic/extra/TRACE.patch?rev=3069
>>
>> Yeah, it doesn't look too bad. Unfortunately it breaks userspace
>> compatibility.
> 
> Sigh.
> 
>> How about just adding a new match that prints a user-supplied string
>> for specially marked packets?
> 
> That'd be hard to use in practice: imagine you have hundreds of rules in
> multiple, multilevel chains. You would have to modify all your rules
> and add meaningful, different log strings to every one of them if you'd
> need to check how given packets traverse the rules.
> 
> Also, it'd be about the same as writing a log match. But in longer term
> we'd better support multiple targets instead of a log match.


Indeed. I was thinking that iptables could automatically insert the
match into rules, so you wouldn't have to modify your ruleset.
But that could also be done with multiple targets.

> The "beauty" of the TRACE target is that there is no need to tweak the
> rules: just "mark" the packets (we don't use the standard mark, so we
> cannot clash with any rule) you are interested in to check how they
> traverse the rulesets and that's all. Simple and clean.
> 
> An earlier version of the patch did not suffer from backward
> incompatibility: when we hit a marked packet and a matched rule, it
> searched the chain name and computed the rule number internally. But it
> can slow down packet processing if there are many matching rules and
> a large number of rules in the chains, so I introduced stored rule numbers.
> What about going back to that approach? Tracing packets should not be
> considered as normal (and thus performance efficient) mode.


Yes, that sounds reasonable. Performance doesn't matter much for this.
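As an added illustration (not code from this thread or from the netfilter TRACE patch), a Python toy model of the approach Jozsef describes: a packet carries a private trace flag instead of the standard nfmark, and whenever a flagged packet matches a rule the chain name and rule number are logged, with the rule number found by scanning the chain at trace time rather than being stored in the rule. The chains, rules and addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dport: int
    trace: bool = False   # private trace "mark", separate from the standard nfmark


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str           # "ACCEPT", "DROP" or the name of a user chain


Chains = Dict[str, List[Rule]]


def rule_number(chain: List[Rule], rule: Rule) -> int:
    # Earlier TRACE approach: locate the rule in its chain when a trace fires,
    # so no rule number has to be stored (no userspace format change, but the
    # scan costs O(chain length) on every traced hit).
    return next(i for i, r in enumerate(chain) if r is rule) + 1


def traverse(chains: Chains, name: str, pkt: Packet, log: List[str]) -> Optional[str]:
    for rule in chains[name]:
        if not rule.match(pkt):
            continue
        if pkt.trace:
            log.append(f"TRACE: {name}:{rule_number(chains[name], rule)} -> {rule.target}")
        if rule.target in chains:                       # jump into a user chain
            verdict = traverse(chains, rule.target, pkt, log)
            if verdict is not None:
                return verdict                          # terminal verdict reached
            continue                                    # user chain returned; keep going
        return rule.target                              # ACCEPT / DROP
    return None                                         # implicit RETURN to the caller


def trace_packet(chains: Chains, pkt: Packet, policy: str = "DROP") -> Tuple[str, List[str]]:
    log: List[str] = []
    verdict = traverse(chains, "INPUT", pkt, log) or policy   # chain policy if nothing matched
    return verdict, log


# Constructed three-level ruleset: INPUT -> lan -> ssh.
CHAINS: Chains = {
    "INPUT": [Rule(lambda p: p.src.startswith("10."), "lan"), Rule(lambda p: True, "DROP")],
    "lan":   [Rule(lambda p: p.dport == 22, "ssh"), Rule(lambda p: p.dport == 80, "ACCEPT")],
    "ssh":   [Rule(lambda p: p.src == "10.0.0.5", "ACCEPT")],
}

if __name__ == "__main__":
    for line in trace_packet(CHAINS, Packet("10.0.0.9", 22, trace=True))[1]:
        print(line)
```

Only packets with the trace flag produce log lines, so the rest of the ruleset is untouched; the trace shows the packet entering `lan`, then `ssh`, returning from both and finally hitting rule 2 of `INPUT`.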


