
[Nufw-devel] Re: [PATCH 0/3] [RFC] fixed duration connection


From: Eric Leblond
Subject: [Nufw-devel] Re: [PATCH 0/3] [RFC] fixed duration connection
Date: Wed, 05 Apr 2006 16:41:49 +0200

On Wednesday 05 April 2006 at 15:57 +0200, Patrick McHardy wrote:
> Eric Leblond wrote:
> > Hi,
> > 
> > While working on the NuFW development branch, we have had to
> > implement policies such as:
> >       * connection to server is authorised from 08h to 18h and
> >         connection must be switched off at 18h.
> > For this reason, we've worked on a simple kernel level implementation.
> > This is done via a second "struct timer" that is added in the connection
> > structure. Activation of the timer is for now done via userspace by
> > using libnetfilter_conntrack or by using the new option -T of the conntrack
> > tool.
> 
> If I understand you correctly, a fixed timeout is just a timeout that
> isn't refreshed, right?

Yes, exactly. 

>  Why can't we just use the regular timers etc.
> and add a flag that it should not be touched by ip_ct_refresh? This
> would also eliminate the need for any ctnetlink changes since the
> timeout value can already be specified.

This was my first attempt and this may be the good one. In fact I switched
to a second timer because we may have a fixed timeout that exceeds the
protocol timeout. Thus, the connection may be removed far too long after
what's needed. For example, we could have a UDP connection with a fixed
timeout of a couple of days, which is more than the protocol timeout.
In fact, this approach can introduce an overload of conntrack, but the
second timer approach may cost more in terms of timer handling.

BR,
--
Eric Leblond <address@hidden>
NuFW : http://www.nufw.org
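The trade-off discussed above (a single timer protected by a "do not refresh" flag versus a second, fixed timer) is easy to see in a small simulation. The following C model is an added example written for this page; it is not nf_conntrack code and not part of the NuFW patches. The 30-second UDP timeout, the two-day policy duration and the packet schedule are constructed values, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the two conntrack designs discussed in the thread.
 * Illustrative only, not nf_conntrack or NuFW code. Times are in seconds;
 * the UDP protocol timeout and the two-day policy are assumed values. */
#define UDP_TIMEOUT 30UL
#define TWO_DAYS    (2UL * 24 * 3600)

typedef struct {
    unsigned long idle_expires;  /* regular timer, normally refreshed per packet */
    unsigned long hard_expires;  /* second, fixed timer (design B); 0 = unset */
    bool          fixed;         /* design A: refresh must not touch idle_expires */
} conn_t;

/* Design A: single timer plus a flag that stops ip_ct_refresh-style updates. */
static void refresh_a(conn_t *ct, unsigned long now)
{
    if (ct->fixed)
        return;                  /* timer untouched, so idle expiry no longer applies */
    ct->idle_expires = now + UDP_TIMEOUT;
}

static void set_fixed_a(conn_t *ct, unsigned long now, unsigned long duration)
{
    ct->idle_expires = now + duration;
    ct->fixed = true;
}

static bool expired_a(const conn_t *ct, unsigned long now)
{
    return now >= ct->idle_expires;
}

/* Design B: the regular timer keeps being refreshed by traffic; a second timer
 * holds the absolute deadline; the entry is gone when either one fires. */
static void refresh_b(conn_t *ct, unsigned long now)
{
    ct->idle_expires = now + UDP_TIMEOUT;
}

static void set_fixed_b(conn_t *ct, unsigned long now, unsigned long duration)
{
    ct->hard_expires = now + duration;
}

static bool expired_b(const conn_t *ct, unsigned long now)
{
    if (ct->hard_expires && now >= ct->hard_expires)
        return true;
    return now >= ct->idle_expires;
}

/* Simulate one UDP entry created at t=0 with a two-day fixed duration.
 * Packets arrive every `interval` seconds until `last_packet`, then silence.
 * Returns the second at which the entry is dropped from the table. */
unsigned long drop_time(bool design_b, unsigned long interval, unsigned long last_packet)
{
    conn_t ct = {0};
    if (design_b) {
        refresh_b(&ct, 0);
        set_fixed_b(&ct, 0, TWO_DAYS);
    } else {
        refresh_a(&ct, 0);
        set_fixed_a(&ct, 0, TWO_DAYS);
    }
    for (unsigned long t = 1; ; t++) {
        bool dead = design_b ? expired_b(&ct, t) : expired_a(&ct, t);
        if (dead)
            return t;
        if (t <= last_packet && t % interval == 0) {
            if (design_b) refresh_b(&ct, t); else refresh_a(&ct, t);
        }
    }
}

int main(void)
{
    /* Idle UDP flow (one packet at t=10, then silence) under each design. */
    printf("idle flow, flag design : dropped at t=%lu\n", drop_time(false, 10, 10));
    printf("idle flow, two timers  : dropped at t=%lu\n", drop_time(true, 10, 10));
    /* Busy flow: traffic every 10 s; the hard deadline still ends it. */
    printf("busy flow, two timers  : dropped at t=%lu\n", drop_time(true, 10, TWO_DAYS));
    return 0;
}
```

With the flag design the idle UDP entry lingers for the full two days because the protocol timeout is no longer enforced at all, which is the overload Eric points at; with the second timer the idle entry still dies after the 30-second protocol timeout, while a busy flow is cut off exactly at the fixed deadline. The cost of design B is the extra timer per entry, which is the other side of the same trade-off.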


