Date:	Wed, 16 Jan 2013 14:26:24 +0100
From:	Florian Westphal <fw@...len.de>
To:	Jiri Pirko <jiri@...nulli.us>
Cc:	netdev@...r.kernel.org, davem@...emloft.net, rob@...dley.net,
	linux-doc@...r.kernel.org, kuznet@....inr.ac.ru, jmorris@...ei.org,
	yoshfuji@...ux-ipv6.org, pablo@...filter.org,
	netfilter-devel@...r.kernel.org, netfilter@...r.kernel.org,
	coreteam@...filter.org
Subject: Re: [patch net-next] doc: add nf_conntrack sysctl api documentation

Jiri Pirko <jiri@...nulli.us> wrote:
> I grepped through the code and picked bits about nf_conntrack sysctl api
> and put that into one documentation file.

Thanks a lot for doing this.  A few comments/suggestions below.

> +nf_conntrack_checksum - BOOLEAN
> +	0 - disabled
> +	not 0 - enabled (default)
> +
> +	Enable connection tracking checksuming.
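Review bot: "Enable connection tracking checksuming." does not tell the reader what the knob changes, and "checksuming" is misspelled. State what is verified and what happens on failure, for example: "Verify the checksum of incoming packets. Packets with a bad checksum are not considered for connection tracking and will be seen in state INVALID."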

Verify checksum of incoming packets.  Packets with bad checksum
will not be considered for connection tracking, i.e. such packets
will be in INVALID state.

> +nf_conntrack_events - BOOLEAN
> +	0 - disabled
> +	not 0 - enabled (default)
> +
> +	If this option is enabled, the connection tracking code will provide
> +	a notifier chain that can be used by other kernel code to get notified
> +	about changes in the connection tracking state.
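Review bot: the description presents a notifier chain for other kernel code, but the consumer of these events is ctnetlink, which delivers them to userspace; documenting an in-kernel notifier interface here misleads the reader about what the knob enables. Suggest: "If this option is enabled, the connection tracking code will provide userspace with connection tracking events via ctnetlink."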

If this option is enabled, the connection tracking code will
provide userspace with connection tracking events via ctnetlink.

[ The notifier call chain doesn't exist any more (ctnetlink was
the only user). ]

> +nf_conntrack_events_retry_timeout - INTEGER (seconds)
> +	default 15
> +
> +	Timeout after which destroy event will be delivered.
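Review bot: "Timeout after which destroy event will be delivered." reads as if every destroy event is delayed by this many seconds. The value is the maximum interval between re-delivery attempts, and it only matters when a userspace listener has requested reliable event delivery, where a conntrack is not destroyed until its destroy event has reached userspace; the normal mode is lossy and drops events the listener cannot keep up with. The entry should say it applies to reliable event mode only, what is retried, and the trade-off (a higher value means fewer retries but a slower drain of the backlog).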

This option is only relevant when "reliable connection tracking
events" are used.  Normally, ctnetlink is "lossy", i.e. when
userspace listeners can't keep up, events are dropped.

Userspace can request "reliable event mode".  When this mode is
active, the conntrack will only be destroyed after the event was
delivered.  If event delivery fails, the kernel periodically
re-tries to send the event to userspace.

This is the maximum interval the kernel should use when re-trying
to deliver the destroy event.

Higher number means less delivery re-tries (but it will then take
longer for a backlog to be processed).

> +nf_conntrack_log_invalid - INTEGER
> +	0 - disabled (default)
> +	IPPROTO_RAW (log packets of any proto)
> +	IPPROTO_TCP
> +	IPPROTO_ICMP
> +	IPPROTO_ICMPV6
> +	IPPROTO_DCCP
> +	IPPROTO_UDP
> +	IPPROTO_UDPLITE
> +
> +	For values, see <linux/in.h>
> +
> +	Log invalid packets of a type specified by value.
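Review bot: the value list gives IPPROTO_* names and points at <linux/in.h>, but the sysctl is written as a number, so the reader has to look up every constant before using the knob. List the protocol numbers directly, e.g. "255 - log packets of any protocol", "6 - log TCP packets", "17 - log UDP packets", and drop or double-check the header reference so that every constant named is actually defined there.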

I would write the numbers here, e.g.:

Log invalid packets of a type specified by protocol number.
255 - log packets of any protocol
6 - log tcp
...
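To make concrete what "verify checksum of incoming packets" means for TCP, and why a failing packet lands in state INVALID, here is an added example that is mine, not text from the patch and not kernel code. It computes the RFC 1071 one's-complement checksum over the TCP pseudo-header and segment, and `ct_classify_tcp` is a hypothetical function modelling the verdict under `nf_conntrack_checksum` set to 1 or 0 (the IPv4 header checksum is checked by the IP input path before conntrack sees the packet, so only the L4 checksum is tied to the sysctl). The 40-byte IPv4/TCP SYN is constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum ct_verdict { CT_TRACKED = 0, CT_INVALID = 1 };

/* RFC 1071 one's-complement accumulation over big-endian 16-bit words. */
static uint32_t csum_add(uint32_t sum, const uint8_t *data, size_t len)
{
    while (len > 1) {
        sum += ((uint32_t)data[0] << 8) | data[1];
        data += 2;
        len -= 2;
    }
    if (len)                                   /* odd trailing byte, zero padded */
        sum += (uint32_t)data[0] << 8;
    return sum;
}

/* Fold the carries and invert; a correct packet folds to 0xffff, so this yields 0. */
static uint16_t csum_finish(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static size_t ipv4_ihl(const uint8_t *pkt) { return (size_t)(pkt[0] & 0x0f) * 4; }

/* Sum of the TCP pseudo-header (src, dst, zero, protocol, TCP length) plus the segment. */
static uint32_t tcp_csum_sum(const uint8_t *pkt, size_t tcp_len)
{
    uint8_t pseudo[12];
    memcpy(pseudo, pkt + 12, 8);               /* source and destination address */
    pseudo[8] = 0;
    pseudo[9] = pkt[9];                        /* protocol field, 6 for TCP */
    pseudo[10] = (uint8_t)(tcp_len >> 8);
    pseudo[11] = (uint8_t)tcp_len;
    return csum_add(csum_add(0, pseudo, sizeof pseudo), pkt + ipv4_ihl(pkt), tcp_len);
}

/* Sender side: write the checksum into the segment (field zeroed first). */
static void tcp_fill_checksum(uint8_t *pkt, size_t tcp_len)
{
    size_t off = ipv4_ihl(pkt) + 16;
    pkt[off] = 0;
    pkt[off + 1] = 0;
    uint16_t c = csum_finish(tcp_csum_sum(pkt, tcp_len));
    pkt[off] = (uint8_t)(c >> 8);
    pkt[off + 1] = (uint8_t)c;
}

/* Receiver side: 1 if the checksum over pseudo-header + segment verifies. */
static int tcp_checksum_ok(const uint8_t *pkt, size_t len)
{
    if (len < 20)
        return 0;
    size_t ihl = ipv4_ihl(pkt);
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot > len || tot < ihl + 20)
        return 0;                              /* truncated or malformed */
    return csum_finish(tcp_csum_sum(pkt, tot - ihl)) == 0;
}

/* Hypothetical model of the sysctl: with nf_conntrack_checksum=1 a segment whose
 * checksum fails is not considered for tracking and is in state INVALID; with 0
 * the checksum is ignored and the segment is tracked like any other. */
enum ct_verdict ct_classify_tcp(const uint8_t *pkt, size_t len, int nf_conntrack_checksum)
{
    if (nf_conntrack_checksum && !tcp_checksum_ok(pkt, len))
        return CT_INVALID;
    return CT_TRACKED;
}

/* Constructed sample: IPv4 10.0.0.1:1234 -> 10.0.0.2:80, TCP SYN, no payload. */
size_t build_sample_syn(uint8_t *buf, size_t cap)
{
    static const uint8_t tmpl[40] = {
        0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
        10, 0, 0, 1, 10, 0, 0, 2,
        0x04, 0xd2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
        0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
    };
    if (cap < sizeof tmpl)
        return 0;
    memcpy(buf, tmpl, sizeof tmpl);
    uint16_t ipc = csum_finish(csum_add(0, buf, 20));   /* IPv4 header checksum */
    buf[10] = (uint8_t)(ipc >> 8);
    buf[11] = (uint8_t)ipc;
    tcp_fill_checksum(buf, 20);
    return sizeof tmpl;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = build_sample_syn(pkt, sizeof pkt);
    printf("intact, sysctl=1: %d\n", ct_classify_tcp(pkt, n, 1));
    pkt[n - 1] ^= 0x01;                        /* corrupt the last byte of the segment */
    printf("corrupt, sysctl=1: %d\n", ct_classify_tcp(pkt, n, 1));
    printf("corrupt, sysctl=0: %d\n", ct_classify_tcp(pkt, n, 0));
    return 0;
}
```

The corrupted segment is reported as INVALID only when the sysctl is on; with it off the same bytes would be tracked, which is the trade-off the documentation entry should make visible: disabling the check saves work but lets corrupted segments update conntrack state.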