Thermalcircle

climbing the thermals

blog:linux:connection_tracking_2_core_implementation

Differences

This shows you the differences between two versions of the page.

blog:linux:connection_tracking_2_core_implementation [2021-07-17] – referring to "callbacks" now as "hook functions" Andrej Stender
blog:linux:connection_tracking_2_core_implementation [2022-08-07] (current) – activated TOC Andrej Stender
Line 1: Line 1:
-{{tag>linux netfilter conntrack nftables iptables}}+{{tag>linux kernel netfilter conntrack nftables iptables}}
 ====== Connection tracking (conntrack) - Part 2: Core Implementation ====== ====== Connection tracking (conntrack) - Part 2: Core Implementation ======
 ~~META: ~~META:
 date created = 2021-04-11  date created = 2021-04-11 
 ~~ ~~
- 
-~~NOTOC~~ 
- 
  
 With this article series I like to take a closer look at the connection tracking subsystem of the Linux kernel, which provides the basis for features like stateful packet filtering and NAT. With this article series I like to take a closer look at the connection tracking subsystem of the Linux kernel, which provides the basis for features like stateful packet filtering and NAT.
Line 18: Line 15:
   * [[connection_tracking_1_modules_and_hooks|Connection tracking (conntrack) - Part 1: Modules and Hooks]]   * [[connection_tracking_1_modules_and_hooks|Connection tracking (conntrack) - Part 1: Modules and Hooks]]
   * [[connection_tracking_2_core_implementation|Connection tracking (conntrack) - Part 2: Core Implementation]]   * [[connection_tracking_2_core_implementation|Connection tracking (conntrack) - Part 2: Core Implementation]]
-  * Connection tracking (conntrack) - Part 3: Connection States and Examples (coming soon)+  * [[connection_tracking_3_state_and_examples|Connection tracking (conntrack) - Part 3: State and Examples]]
  
 ===== The ct table ===== ===== The ct table =====
Line 238: Line 235:
 is required for "unconfirmed" connections, because creation of those is triggered is required for "unconfirmed" connections, because creation of those is triggered
 by a network packet and they either become "confirmed" while that same packet is by a network packet and they either become "confirmed" while that same packet is
-still traversing the kernel network stack or they die together that same packet+still traversing the kernel network stack or they die together with that same packet
 when it is being dropped.)). This means, usually each further network packet when it is being dropped.)). This means, usually each further network packet
 traversing the main ct hook functions which is identified to belong to a tracked traversing the main ct hook functions which is identified to belong to a tracked
Line 339: Line 336:
 [[:feedback|Feedback]] to this article is very welcome! Please be aware that I'm not one of the developers of the ct system. I'm merely some developer who took a look at the source code and did some practical experimenting. If you find something which I might have misunderstood or described incorrectly here, then I would be very grateful, [[:feedback|Feedback]] to this article is very welcome! Please be aware that I'm not one of the developers of the ct system. I'm merely some developer who took a look at the source code and did some practical experimenting. If you find something which I might have misunderstood or described incorrectly here, then I would be very grateful,
 if you bring this to my attention and of course I'll then fix my content asap accordingly. if you bring this to my attention and of course I'll then fix my content asap accordingly.
 +
 +===== References =====
 +  * [[https://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-4.html#ss4.3|Linux netfilter Hacking HOWTO: 4.3ff (Rusty Russell and Harald Welte, 2002)]]
 +  * [[http://people.netfilter.org/pablo/docs/login.pdf|Netfilter’s connection tracking system (Pablo Neira Ayuso, 2006)]]
 +  * [[https://wiki.aalto.fi/download/attachments/70789072/netfilter-paper-final.pdf|Netfilter Connection Tracking and NAT Implementation (Magnus Boye, 2012)]]
 +  * [[http://arthurchiao.art/blog/conntrack-design-and-implementation/|Connection Tracking: Design and Implementation Inside Linux Kernel (Arthur Chiao, 2020)]]
  
 ===== Continue with next article ===== ===== Continue with next article =====
-A third article is currently in the works. I'll place a link here once its finished. +[[connection_tracking_3_state_and_examples|Connection tracking (conntrack) - Part 3: State and Examples]]
-In that article, I plan to take a look at the set of states a tracked connection lives through during its life cycle and in which way Nftables rules make use of that. I'll further present practical examples which show the life cycle and state changes of tracked connections of common protocols like ICMP, TCP and UDP. +
  
  
-//published 2021-04-11//, //last modified 2021-07-17//+//published 2021-04-11//, //last modified 2022-08-07//
  
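Review bot: the rewrite of the "Continue with next article" section drops the one-sentence description of what Part 3 covers (the set of states a tracked connection lives through, how Nftables rules make use of them, and the ICMP, TCP and UDP life-cycle examples) and leaves only the bare link; consider keeping a short description next to the link so readers know what the next part contains before following it.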
blog/linux/connection_tracking_2_core_implementation.1626527256.txt.gz · Last modified: 2021-07-17 by Andrej Stender