Casual technical question about /etc/services

Dagmar d'Surreal dagmar.wants at nospam.com
Mon Mar 29 19:14:38 PST 2004


On Mon, 2004-03-29 at 19:45, Tarek W. wrote:
> On Thu, 2004-03-25 at 20:46, Dagmar d'Surreal wrote: [snipped]
> > Actually, I've just been assuming that because it "just works" over
> > here, but I'm still in the dark about one thing... Is it /necessary/ to
> > have the state matching module invoked on the OUTPUT chain in a manner
> > that causes it to "become aware of" the outgoing UDP packets so that it
> > can match ESTABLISHED,RELATED for the return packets, or is this just a
> > fixed overhead "cost" on all traffic from loading the state matching
> > module?  I haven't seen this issue explicitly documented yet, and I've
> > been looking.
> 
> a couple of points u should be aware of:
> 
> 1) state matching is only possible with the help of ip_conntrack

Yep.  This much I'm definitely aware of.

> 2) ip_conntrack is either loaded by explicitly using "-m state" in an
> iptables rule or by manually loading it

I generally trust that kmod will do the necessary things.  I still don't
see why so many people's scripts forcibly load those modules, aside from
just being too lazy to specify only the ones that have to be loaded
manually (like the IRC and FTP masqing modules).  *sigh*

> 3) if ip_conntrack is loaded, it tracks all packets in the *hooks*
> PRE_ROUTING and LOCAL_OUT to "mark" entries with connection states

Ahh... That's the missing piece to the puzzle.  The grey area is right
there in your sentence... "connection states".  Since UDP is
connectionless, I was baffled as to why I was seeing people invoke that
module for NEW packets going as UDP.  _All_ outgoing UDP should match
NEW, but I didn't know whether or not ip_conntrack watched _all_
traffic, or just the traffic that a rule is explicitly given for.  Since
it's the former case, then it wouldn't appear to be a problem to have a
rule to match state NEW as opposed to just not bothering to mention the
state module in that invocation of iptables.

> however, there exists a patch in patch-o-matic-ng which adds a raw table
> and a NOTRACK target. u might want to investigate that for whatever
> purpose ur asking this.

Actually, I was trying to make sure that invoking the state matching
module explicitly for outgoing UDP traffic on particular ports wasn't
going to increase the overhead incurred by netfilter.  It looks like
that's not the case, but I'm sure we'll hear about it eventually if it
is the case.  Normally, even for clients I wouldn't care unless the
machine weren't carrying traffic at full speed, but I don't want people
going around making mealy-mouthed comments about how we "senselessly
waste clockcycles" or somesuch.
-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
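Dagmar's conclusion above, that once ip_conntrack is loaded it registers every outgoing datagram at the LOCAL_OUT hook whether or not the OUTPUT rule names the state module, and Tarek's pointer to the raw table and the NOTRACK target, can be turned into a small client-side ruleset with a check against the kernel's connection table. The script below is an added example and is not code from either poster or from the HLFS project. The interface name, the DNS server address and the port exempted from tracking are constructed placeholders; on a 2004 kernel the raw table needs the patch-o-matic-ng patch Tarek mentions (later mainline kernels ship it), and the table path moved from /proc/net/ip_conntrack to /proc/net/nf_conntrack on newer kernels, which the check function allows for.

```shell
#!/bin/sh
# Added example, not code from the thread: client-side ruleset illustrating
# stateful UDP on OUTPUT/INPUT plus a raw-table NOTRACK exemption, with a
# check against the kernel's conntrack table.
set -eu

WAN_IF="${WAN_IF:-eth0}"                     # assumption: upstream interface
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"       # constructed placeholder (TEST-NET-1)
NOTRACK_UDP_PORT="${NOTRACK_UDP_PORT:-514}"  # constructed: one-way UDP log export

# Emit the rules rather than run them, so they can be reviewed (or diffed
# against the live ruleset) before anything touches the kernel.
emit_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F INPUT
iptables -F OUTPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# The first DNS datagram is NEW. conntrack records it at the LOCAL_OUT hook
# whether or not this rule names the state module; naming it here only adds
# the match (and autoloads ip_conntrack through kmod if it is not yet in).
iptables -A OUTPUT -o $WAN_IF -p udp -d $DNS_SERVER --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# Replies come back as ESTABLISHED on the PRE_ROUTING conntrack verdict,
# so no per-port INPUT rule is needed for them.
iptables -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -m state --state INVALID -j DROP
EOF
}

# Raw table / NOTRACK (patch-o-matic-ng in 2004, mainline later): the exempted
# flow never gets a conntrack entry, so it can also never match ESTABLISHED;
# a one-way flow with no replies is the safe case for it.
emit_notrack_rules() {
    cat <<EOF
iptables -t raw -A OUTPUT -o $WAN_IF -p udp --dport $NOTRACK_UDP_PORT -j NOTRACK
iptables -A OUTPUT -o $WAN_IF -p udp --dport $NOTRACK_UDP_PORT -j ACCEPT
EOF
}

# Count the rules that invoke the state module (sanity check on the output).
count_state_rules() { emit_rules | grep -c -- '-m state'; }

# List UDP entries in the conntrack table. ip_conntrack (2.4/early 2.6)
# exposes /proc/net/ip_conntrack; nf_conntrack exposes /proc/net/nf_conntrack.
# After a DNS lookup the DNS flow shows up here; the NOTRACK'd port must not.
show_udp_conntrack() {
    for f in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
        if [ -r "$f" ]; then
            grep -E '(^|[[:space:]])udp[[:space:]]+17[[:space:]]' "$f" || true
            return 0
        fi
    done
    echo "no readable conntrack table (module not loaded, or not root)" >&2
    return 1
}

case "${1:-show}" in
    show)  emit_rules; emit_notrack_rules ;;
    apply) { emit_rules; emit_notrack_rules; } | sh ;;   # run as root
    check) show_udp_conntrack ;;
    *)     echo "usage: $0 {show|apply|check}" >&2; exit 2 ;;
esac
```

Run it with `show` first and `apply` only once the emitted rules read correctly; then do a DNS lookup and run `check` to see the UDP entry conntrack created for it at LOCAL_OUT (initially [UNREPLIED], then plain once the answer arrives). The `-m state` form is the one in use in 2004 and still works; newer iptables prefers `-m conntrack --ctstate`, with identical tracking behaviour.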

More information about the hlfs-dev mailing list