Observed network packets, others represent internal management Tracked connection determined by the ct system based on analyzing While some of those bits represent the current status of the The table in Figure 3īelow explains this meaning in detail. Gives each of those bits a name and meaning. Of struct nf_conn and its least significant 16 bits are being used as statusĪnd management bits for the tracked connection. The variable status, depicted in Figure 2, is an integer member Network packet after traversing ct main hook function (priority -200), belonging to a tracked connection, status specifying internal connection status, ctinfo specifying connection state, direction of the packet relative to the connection and relation of the packet to the connection. There actually are two variables holding state information, each with slightly different semantics. In this article I like to dive a little deeper into this topic, connecting the dots between the implementation – the variables holding the state information within the ct system –, how this implementation behaves, and how things look like from the point of view of Iptables/Nftables and from the command line tool conntrack.įigure 2 gives an overview of the implementation variables involved here. #Iptables example -m conntrack -ctstate ESTABLISHED,RELATED I guess most people reading this are familiar with the usual syntax of Iptables/Nftables for matching against the state of tracked connections: However, this state probably is the most essential information produced by the ct system, because it provides the basis for components like Iptables/Nftables to make meaningful “stateful packet filtering” decisions. TCP) in the communication endpoints, as the ct system merely is an observer in the middle and has no access to endpoints or their internal states. This connection state maintained by the ct system is of course not the same as the actual state of a network protocol (like e.g. It does that by analyzing OSI layers 3 and 4 (and in certain cases also higher layers) of each packet. So far so good.įigure 1: Conntrack+ Defrag hook functions and Iptables chains registered with IPv4 Netfilter hooksĪs packets keep flowing, the ct system continuously analyzes each connection to determine its current state. These concepts are often referred to as stateful packet filtering or stateful packet inspection. Thereby it marks/categorizes the packet, so other components like Iptables/Nftables can make decisions based on that. For each IPv4/IPv6 packet which is traversing the ct hook functions in the Netfilter hooks (the ones with priority -200 see Figure 1), the ct system determines to which tracked connection that packet belongs to and initializes a pointer within the skb data structure of the packet to point to the according instance of struct nf_conn. To put things into context let's do a short recap of what I already described in detail in the previous articles of this series: The ct system maintains all connections which it is tracking in a central table and each tracked connection is being represented by an instance of struct nf_conn.
0 Comments
Leave a Reply. |