Richard | 1 Dec 2004 01:46

target for modifying conntrack timeout value

Hi,

I wonder if there is a target to modify the conntrack timeout value. For
example, an established udp connection has a 180 seconds timeout value. It
is sufficient for most applications. However, some need a higher
value. What I'd like is the ability to set the timeout value in the
conntrack.

Is there such a target already? If not, is it feasible?

Thanks,
Richard

Kiran Kumar Immidi | 1 Dec 2004 04:50

Re: target for modifying conntrack timeout value

On Wednesday 01 December 2004 06:16, Richard wrote:

> I wonder if there is a target to modify the conntrack timeout value. For

  It's not a target; you just need to set it using sysctl:

sysctl -w net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=<timeout>
--

-- 
Regards,
Kiran Kumar Immidi

Rusty Russell | 1 Dec 2004 06:25

[PATCH] Remove netfilter warnings on copy_to_user

Name: Remove copy_to_user Warnings in Netfilter
Status: Trivial
Signed-off-by: Rusty Russell <rusty <at> rustcorp.com.au>

After changing firewall rules, we try to return the counters to
userspace.  We didn't fail at that point if the copy failed, but it
doesn't really matter.  Someone added a warn_unused_result attribute
to copy_to_user, so we get bogus warnings.

Index: linux-2.6.10-rc2-bk13-Netfilter/net/ipv4/netfilter/ip_tables.c
===================================================================
--- linux-2.6.10-rc2-bk13-Netfilter.orig/net/ipv4/netfilter/ip_tables.c	2004-11-30
12:45:23.000000000 +1100
+++ linux-2.6.10-rc2-bk13-Netfilter/net/ipv4/netfilter/ip_tables.c	2004-12-01
15:49:35.000000000 +1100
 <at>  <at>  -1141,12 +1141,12  <at>  <at> 
 	/* Decrease module usage counts and free resource */
 	IPT_ENTRY_ITERATE(oldinfo->entries, oldinfo->size, cleanup_entry,NULL);
 	vfree(oldinfo);
-	/* Silent error: too late now. */
-	copy_to_user(tmp.counters, counters,
-		     sizeof(struct ipt_counters) * tmp.num_counters);
+	if (copy_to_user(tmp.counters, counters,
+			 sizeof(struct ipt_counters) * tmp.num_counters) != 0)
+		ret = -EFAULT;
 	vfree(counters);
 	up(&ipt_mutex);
-	return 0;
+	return ret;
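Review bot: the description says a failed counter copy "doesn't really matter", but the hunk now returns -EFAULT to userspace after the old table has already been freed and the new one installed, so iptables will report a failure for a rule replacement that actually took effect; either state that behaviour change in the description or keep returning 0 and discard the result explicitly (e.g. `if (copy_to_user(...)) ; /* too late to fail now */`) so the warn_unused_result warning goes away without changing semantics. Also, `ret` is not declared or set anywhere in the visible lines: confirm it is 0 on the success path before this point, otherwise `return ret;` leaks whatever value an earlier error path left in it.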


Richard | 1 Dec 2004 07:53

RE: target for modifying conntrack timeout value

This would change the timeout value for all udp conntrack. I'd like to have
more granular control, e.g. after match of certain ports or other
conditions.

Thanks,
Richard

> -----Original Message-----
> From: Kiran Kumar Immidi [mailto:immidi <at> spymac.com]
> Sent: Tuesday, November 30, 2004 5:51 PM
> To: Richard; netfilter-devel <at> lists.netfilter.org
> Subject: Re: target for modifying conntrack timeout value
> 
> On Wednesday 01 December 2004 06:16, Richard wrote:
> 
> > I wonder if there is a target to modify the conntrack timeout value. For
> 
>   It's not a target; you just need to set it using sysctl:
> 
> sysctl -w net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=<timeout>
> --
> Regards,
> Kiran Kumar Immidi

Patrick Schaaf | 1 Dec 2004 08:00

Re: target for modifying conntrack timeout value

Hello Richard,

> This would change the timeout value for all udp conntrack. I'd like to have
> more granular control, e.g. after match of certain ports or other
> conditions.

This does not exist, yet, for all I know.

It would require a new data field for each conntrack, "override_timeout".

And then, there would be the interesting question of what to do for
state changes. UDP is easy, but TCP has a load of states it goes
through when the session comes down. Each state transition is coupled
to a per-new-state timeout value. Now, if you give a specific override_timeout,
what to do with it when the next state transition occurs?

Finally, why do you think you need that? What is so special about your
setup that, after one UDP conntrack times out, the next packet for the
same pair of addresses cannot just create a new, equivalent conntrack?
That would be normal operation - what is different for you?

best regards
  Patrick

Yasuyuki Kozakai | 1 Dec 2004 09:03

[PATCH 2.4 0/10] fixes for ip6tables


Hi, Patrick and all,

Sorry for the long wait. These fixes are backports from 2.6.

Regards,

-----------------------------------------------------------------
Yasuyuki KOZAKAI  <at>  USAGI Project <yasuyuki.kozakai <at> toshiba.co.jp>

Yasuyuki Kozakai | 1 Dec 2004 09:04

[PATCH 2.4 1/10]: fixes for ip6t_LOG


This patch fixes the following bugs in ip6t_LOG.c.

	- No check against skb->len, so an invalid memory access may occur.

	- If the packet is fragmented and it is not the first fragment, an
	  attempt is made to parse nonexistent extension headers.

	- All headers which aren't TCP/UDP/ICMPv6 are treated as IPv6
	  extension headers.

	- An attempt is made to parse the encrypted data after ESP.

	- ntohl() for the ID in the Fragment header is missing.

	- If doff*4 of the TCP header is less than sizeof(struct tcphdr),
	  an attempt is still made to parse TCP options.

Signed-off-by: Yasuyuki KOZAKAI <yasuyuki.kozakai <at> toshiba.co.jp>

-----------------------------------------------------------------
Yasuyuki KOZAKAI  <at>  USAGI Project <yasuyuki.kozakai <at> toshiba.co.jp>

--- linux-2.4.28-rc1/./net/ipv6/netfilter/ip6t_LOG.c	2004-11-10 00:47:10.000000000 +0900
+++ linux-2.4.28-rc1-extfix/./net/ipv6/netfilter/ip6t_LOG.c	2004-11-10 00:51:45.000000000 +0900
 <at>  <at>  -35,54 +35,40  <at>  <at>  struct in_device;
 	ntohs((addr).s6_addr16[6]), \
 	ntohs((addr).s6_addr16[7])
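As an added example, written for this page and not taken from ip6t_LOG.c or the USAGI patch: a C walker over the IPv6 extension-header chain that applies each check from the list above (length test before every access, stop at a non-first fragment and at ESP, only genuine extension headers walked, Fragment ID converted to host order, TCP options only when doff*4 covers the base header). It uses a flat byte buffer and length in place of an skb, and the packets fed to it are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

enum { NH_HOP = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAG = 44, NH_ESP = 50, NH_AH = 51, NH_DST = 60 };
struct hdr_info {
    int proto;          /* protocol of the header the walk stopped at */
    size_t off;         /* its offset in the buffer */
    uint32_t frag_id;   /* Fragment ID in host order (the ntohl() the patch adds) */
    int nonfirst_frag;  /* 1: fragment offset != 0, so no further headers were parsed */
    int tcp_opts_len;   /* TCP option bytes, or -1 when doff*4 < sizeof(struct tcphdr) or truncated */
};

/* Only genuine extension headers are walked; any other Next Header value ends the chain. */
static int is_ext_hdr(uint8_t nh) { return nh == NH_HOP || nh == NH_ROUTING || nh == NH_FRAG || nh == NH_AH || nh == NH_DST; }

/* Walk the chain in a flat buffer (stand-in for skb->data / skb->len). Returns 0, or -1 on truncation. */
int walk_ipv6(const uint8_t *pkt, size_t len, struct hdr_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 40) return -1;                           /* base header must fit */
    uint8_t nh = pkt[6];
    size_t off = 40;
    while (is_ext_hdr(nh)) {
        if (off + 8 > len) return -1;                  /* check the length before every access */
        size_t hdrlen = nh == NH_FRAG ? 8 : nh == NH_AH ? (pkt[off + 1] + 2u) * 4 : (pkt[off + 1] + 1u) * 8;
        if (nh == NH_FRAG) {
            out->frag_id = (uint32_t)pkt[off + 4] << 24 | (uint32_t)pkt[off + 5] << 16 |
                           (uint32_t)pkt[off + 6] << 8 | pkt[off + 7];
            if (((pkt[off + 2] << 8) | pkt[off + 3]) & 0xFFF8) {
                out->nonfirst_frag = 1;                /* later fragment: upper headers are absent */
                out->proto = pkt[off]; out->off = off + 8;
                return 0;
            }
        }
        if (off + hdrlen > len) return -1;
        nh = pkt[off];                                 /* Next Header is always byte 0 */
        off += hdrlen;
    }
    out->proto = nh; out->off = off;
    if (nh == NH_ESP) return 0;                        /* what follows ESP is ciphertext: stop here */
    if (nh == NH_TCP) {
        if (off + 20 > len) return -1;
        size_t doff = (size_t)(pkt[off + 12] >> 4) * 4;
        out->tcp_opts_len = (doff < 20 || off + doff > len) ? -1 : (int)(doff - 20);
    }
    return 0;
}
```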

Yasuyuki Kozakai | 1 Dec 2004 09:04

[PATCH 2.4 2/10]: fixes for ip6t_dst


This patch fixes the following bugs in ip6t_dst.c.

	- The cast of the pointer to the next IPv6 extension header is wrong.

	- hdrlen may underflow.

	- (u16)*optdesc causes an alignment problem.

	- The calculation of the offset to next option is wrong. In the case
	  that the type isn't 0, it should be "Opt Data Len" field + 2
	  (see RFC2460).

Signed-off-by: Yasuyuki KOZAKAI <yasuyuki.kozakai <at> toshiba.co.jp>

-----------------------------------------------------------------
Yasuyuki KOZAKAI  <at>  USAGI Project <yasuyuki.kozakai <at> toshiba.co.jp>
--- linux-2.4.28-rc1/./net/ipv6/netfilter/ip6t_dst.c	2003-06-13 23:51:39.000000000 +0900
+++ linux-2.4.28-rc1-extfix/./net/ipv6/netfilter/ip6t_dst.c	2004-11-10 00:51:45.000000000 +0900
 <at>  <at>  -11,8 +11,6  <at>  <at> 
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_opts.h>

-#define LOW(n)		(n & 0x00FF)
-
 #define HOPBYHOP	0

 EXPORT_NO_SYMBOLS;
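Review bot: dropping LOW(n) is reasonable, since its body `(n & 0x00FF)` left `n` unparenthesized, but this hunk stops before any call site; the description lists a `(u16)*optdesc` alignment problem, which suggests LOW() was applied to a 16-bit read of the type/length pair, so confirm the remaining hunks replace those reads with single-byte accesses (`optdesc[0]`, `optdesc[1]`) rather than only deleting the macro, or the module will no longer compile.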
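As an added example, written for this page and not taken from ip6t_dst.c or the patch: a C walker over the TLV options of one Hop-by-Hop or Destination Options header that uses the RFC 2460 length rule the description refers to (Pad1 is one byte, every other option advances by Opt Data Len + 2), reads the type and length as single bytes rather than through a (u16) cast, and compares offsets against the header length instead of subtracting from it so nothing can underflow. The option bytes fed to it are constructed for illustration; the callback type and the recorder are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

/* Recorder used as the callback below: keeps the type and Opt Data Len of each option seen. */
struct opt_list { uint8_t type[8], dlen[8]; int n; };
static void record_opt(uint8_t type, uint8_t dlen, const uint8_t *data, void *ctx)
{
    struct opt_list *l = ctx; (void)data;
    if (l->n < 8) { l->type[l->n] = type; l->dlen[l->n] = dlen; l->n++; }
}

/* Walk the options of one Hop-by-Hop / Destination Options header held in hdr[0..len).
 * Calls cb for every real option (Pad1 and PadN are skipped). Returns the number of real
 * options, or -1 if the header is truncated or an option does not fit inside it. */
int walk_dst_opts(const uint8_t *hdr, size_t len,
                  void (*cb)(uint8_t, uint8_t, const uint8_t *, void *), void *ctx)
{
    if (len < 8) return -1;                      /* smallest possible header */
    size_t hdrlen = (hdr[1] + 1u) * 8;           /* Hdr Ext Len: 8-byte units, first unit excluded */
    if (hdrlen > len) return -1;                 /* header claims more bytes than we hold */
    size_t off = 2;                              /* past Next Header and Hdr Ext Len */
    int count = 0;
    /* Offsets are compared against hdrlen, never subtracted from it, so nothing wraps below 0. */
    while (off < hdrlen) {
        uint8_t type = hdr[off];                 /* byte reads only: no (u16)* cast, no alignment trap */
        if (type == 0) { off += 1; continue; }   /* Pad1 is a single byte with no length field */
        if (off + 2 > hdrlen) return -1;         /* the Opt Data Len byte must be inside the header */
        uint8_t dlen = hdr[off + 1];
        if (off + 2 + dlen > hdrlen) return -1;  /* option data would run past the header */
        if (type != 1) {                         /* type 1 is PadN: padding, not an option */
            if (cb) cb(type, dlen, hdr + off + 2, ctx);
            count++;
        }
        off += 2 + dlen;                         /* RFC 2460: next option is Opt Data Len + 2 away */
    }
    return count;
}
```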

Yasuyuki Kozakai | 1 Dec 2004 09:05

[PATCH 2.4 3/10]: fixes for ip6t_esp


This patch fixes the check of ESP header size.

Signed-off-by: Yasuyuki KOZAKAI <yasuyuki.kozakai <at> toshiba.co.jp>

-----------------------------------------------------------------
Yasuyuki KOZAKAI  <at>  USAGI Project <yasuyuki.kozakai <at> toshiba.co.jp>

--- linux-2.4.28-rc1/./net/ipv6/netfilter/ip6t_esp.c	2003-08-25 20:44:44.000000000 +0900
+++ linux-2.4.28-rc1-extfix/./net/ipv6/netfilter/ip6t_esp.c	2004-11-10 00:51:45.000000000 +0900
 <at>  <at>  -22,6 +22,7  <at>  <at>  MODULE_AUTHOR("Andras Kis-Szabo <kisza <at> s

 struct esphdr {
 	__u32   spi;
+	__u32   seq_no;
 };

 /* Returns 1 if the spi is matched by the range, 0 otherwise */
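Review bot: the hunk only widens struct esphdr from 4 to 8 bytes by adding seq_no (matching the SPI-plus-sequence-number layout of RFC 2406), so the "ESP header size check" this patch is said to fix is only corrected if the match's length test is written as sizeof(struct esphdr) rather than a literal 4; that call site is outside the excerpt, so confirm it. Anything in the file that previously relied on sizeof(struct esphdr) == 4 now sees 8 bytes, which is the intended change but deserves a sentence in the description.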
Yasuyuki Kozakai | 1 Dec 2004 09:06

[PATCH 2.4 4/10]: fixes for ip6t_eui64


According to a report from Peter, users cannot insert a rule with the eui64 match
into the FORWARD chain.

Signed-off-by: Yasuyuki KOZAKAI <yasuyuki.kozakai <at> toshiba.co.jp>

From: kisza <at> sch.bme.hu
Date: Sat, 09 Oct 2004 18:09:59 +0200

> Could you fix this problem in the next patch, please?
> There is a wrong condition at the loading :(
> 
> Thank you in advance,
> 
> Andras
> 
> From: Peter Ivancik <Peter.Ivancik <at> gympos.sk>
> Date: Sat, 09 Oct 2004 17:37:45 +0200
> > 
> > 
> > 
> > Hi again,
> > 
> > it looks like there's a problem in the source code of the ip6t_eui64.c file
> > (linux/net/ipv6/netfilter/ip6t_eui64.c).
> > PRE_ROUTING is defined twice and there isn't a FORWARD table.
> > This is diff between original and modified version:
> > 61c61
> >  <               (1 << NF_IP6_PRE_ROUTING) )) {
> >    ---