Re: [PATCH] netfilter: nf_ct_expect: partially implement ctnetlink_change_expect

On Sun, May 06, 2012 at 06:51:45PM -0700, Kelvie Wong wrote:
> Hey Pablo,
> On Sun, May 6, 2012 at 4:09 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > You have to protect this with nf_conntrack_lock spinlock. See
> > net/netfilter/nf_conntrack_expect.c for expectation handling.
> ctnetlink_change_expect is not exported, and it is only called in
> ctnetlink_new_expect, which is protected by the spinlock.

You're right, I've overlooked this.

> >
> >>       return -EOPNOTSUPP;
> >
> > Now that we support expectation changing, this should be return 0.
> I can make this change.
> > We have two choices for this:
> >
> > a) rework the patch with the suggestion that I made.
> > b) add some NF_CT_EXPECT_FIXED_TIMEOUT flag like we have in the
> >   connection tracking. Thus, the expectation will not ever expire.
> >
> > I'd need to know more about how you're using this. Depending on that,
> > we can select a) or b).
> I think we need to do a). A fixed timeout won't work, as in some cases we
> need to extend the expectation (the server has asked to use the same port
> again, so we need to give it another 10 minutes, possibly indefinitely),
> whereas in other cases we can just safely let the expectation expire.
> I want to avoid leaving the expectation forever, but I can't know until I see
> the DCERPC traffic.

OK, then I'll take your patch. I'll mangle it to return 0 instead.

> > BTW, I'm working on finishing some user-space framework for developing
> > helper in user-space. My question is: would you be interested in
> > integrating your DCERPC helper into it?
> >
> > I expect to post some code soon, still working on it.
> I just need something to work right now (I'm going to use my original patch
> as-is, unless I made a grave error somewhere), but maybe in the future if
> it will ease maintenance.

I guess it will ease maintenance, really.
