Thermalcircle

climbing the thermals

Differences

This shows you the differences between two versions of the page.

blog:linux:connection_tracking_3_state_and_examples [2021-08-07] – created Andrej Stenderblog:linux:connection_tracking_3_state_and_examples [2023-09-04] (current) – fix typo "UPD" -> "UDP" Andrej Stender
Line 1: Line 1:
-{{tag>linux netfilter conntrack nftables iptables}} +{{tag>linux kernel netfilter conntrack nftables iptables}} 
-====== Connection tracking (conntrack) - Part 3: Connection State and Examples ======+====== Connection tracking (conntrack) - Part 3: State and Examples ======
 ~~META: ~~META:
 date created = 2021-08-07  date created = 2021-08-07 
 ~~ ~~
- 
-~~NOTOC~~ 
  
 With this article series I like to take a closer look at the connection tracking subsystem of the Linux kernel, which provides the basis for features like stateful packet filtering and NAT. I refer to it as the “ct system” throughout the series. In this third article, I like to take a look at how the system analyzes and tracks the  state of a connection and in which way IPtables/Nftables rules can make use of that. I further present some practical examples for common protocols like ICMP, UDP and TCP. With this article series I like to take a closer look at the connection tracking subsystem of the Linux kernel, which provides the basis for features like stateful packet filtering and NAT. I refer to it as the “ct system” throughout the series. In this third article, I like to take a look at how the system analyzes and tracks the  state of a connection and in which way IPtables/Nftables rules can make use of that. I further present some practical examples for common protocols like ICMP, UDP and TCP.
Line 12: Line 10:
   * [[connection_tracking_1_modules_and_hooks|Connection tracking (conntrack) - Part 1: Modules and Hooks]]   * [[connection_tracking_1_modules_and_hooks|Connection tracking (conntrack) - Part 1: Modules and Hooks]]
   * [[connection_tracking_2_core_implementation|Connection tracking (conntrack) - Part 2: Core Implementation]]   * [[connection_tracking_2_core_implementation|Connection tracking (conntrack) - Part 2: Core Implementation]]
-  * [[connection_tracking_3_state_and_examples|Connection tracking (conntrack) - Part 3: Connection State and Examples]]+  * [[connection_tracking_3_state_and_examples|Connection tracking (conntrack) - Part 3: State and Examples]]
  
 ===== Overview ===== ===== Overview =====
Line 56: Line 54:
 __Iptables/Nftables__: Some of those bits can be directly matched against by using conntrack expressions __Iptables/Nftables__: Some of those bits can be directly matched against by using conntrack expressions
 in Iptables/Nftables rules. The table in Figure {{ref>nfconnstatus_detail}} shows the exact syntax to do that for the bits which can be matched. Of course, if your chain is located in the Netfilter //Prerouting// or //Output// hook and your rule(s) are using these kind of expressions, then your chain must have a priority > -200, to make sure it is traversed by the network packets AFTER the ct main hook function (see Figure {{ref>nfhooks-complete1}}). You will probably recognize that the syntax used for those expressions is not the familiar syntax which is used in most common cases when intending to write stateful packet filtering rules. I'll get to that in the next section.  in Iptables/Nftables rules. The table in Figure {{ref>nfconnstatus_detail}} shows the exact syntax to do that for the bits which can be matched. Of course, if your chain is located in the Netfilter //Prerouting// or //Output// hook and your rule(s) are using these kind of expressions, then your chain must have a priority > -200, to make sure it is traversed by the network packets AFTER the ct main hook function (see Figure {{ref>nfhooks-complete1}}). You will probably recognize that the syntax used for those expressions is not the familiar syntax which is used in most common cases when intending to write stateful packet filtering rules. I'll get to that in the next section. 
-__Conntrack__: When you use userspace tool ''conntrack'' with option ''-L'' to list the currently tracked connections, then some of the status bits are shown in the resulting output. The table in Figure {{ref>nfconnstatus_detail}} explains which bits are shown and the syntax used for that.+__Conntrack__: When you use userspace tool ''conntrack'' with option ''-L'' to list the currently tracked connections or doing a ''cat'' on the file ''/proc/net/nf_conntrack'' to achieve the same thing, then some of the status bits are shown in the resulting output. The table in Figure {{ref>nfconnstatus_detail}} explains which bits are shown and the syntax used for that.
  
 <figure nfconnstatus_detail> <figure nfconnstatus_detail>
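Review bot: the added ''cat /proc/net/nf_conntrack'' alternative in the __Conntrack__ paragraph only exists when the kernel was built with CONFIG_NF_CONNTRACK_PROCFS (marked obsolete in Kconfig and disabled in several distribution kernels), whereas ''conntrack -L'' reads the table over netlink and does not depend on that option; the sentence should say so rather than presenting the two as interchangeable. The two outputs also differ in layout: the proc file prefixes every entry with the layer-3 family and number (''ipv4     2 tcp      6 ...''), which ''conntrack -L'' omits, so "to achieve the same thing" holds for the status bits being shown but not for the line format.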
Line 84: Line 82:
 | Nftables | ''ct status seen_reply'' | | Nftables | ''ct status seen_reply'' |
 | Iptables | ''%%-m conntrack --ctstatus SEEN_REPLY%%'' | | Iptables | ''%%-m conntrack --ctstatus SEEN_REPLY%%'' |
-^ bit shown in output of command like this (negated!) ^^ +^ bit shown by conntrack command or proc file like this (negated!) ^^ 
-| ''conntrack -L'' |''[UNREPLIED]'' |+| ''conntrack -L''\\ ''cat /proc/net/nf_conntrack'' |''[UNREPLIED]'' |
 </WRAP> | </WRAP> |
 ^ bit 2: ''IPS_ASSURED''       ^ ^ bit 2: ''IPS_ASSURED''       ^
Line 94: Line 92:
 | Nftables | ''ct status assured'' | | Nftables | ''ct status assured'' |
 | Iptables | ''%%-m conntrack --ctstatus ASSURED%%'' | | Iptables | ''%%-m conntrack --ctstatus ASSURED%%'' |
-^ bit shown in output of command like this ^^ +^ bit shown by conntrack command or proc file like this ^^ 
-| ''conntrack -L'' |''[ASSURED]'' |+| ''conntrack -L''\\ ''cat /proc/net/nf_conntrack'' |''[ASSURED]'' |
 </WRAP> | </WRAP> |
 ^ bit 3: ''IPS_CONFIRMED'' ^ ^ bit 3: ''IPS_CONFIRMED'' ^
Line 144: Line 142:
 ^ bit 14: ''IPS_OFFLOAD'' ^ ^ bit 14: ''IPS_OFFLOAD'' ^
 | <WRAP> | <WRAP>
-This tracked connection has been offloaded to flow table.+This tracked connection has been offloaded to a [[flowtables_1_a_netfilter_nftables_fastpath|flowtable]].
  
-^ bit shown in output of command like this ^^ +^ bit shown by conntrack command or proc file like this ^^ 
-| ''conntrack -L'' |''[OFFLOAD]'' |+| ''conntrack -L''((You need version >= ''1.4.6'' of the ''conntrack'' tool to see this bit. It has been added in 2019-08-09 with this [[https://git.netfilter.org/conntrack-tools/commit/?id=de12e29bf35b1da51944c826beb34acf48d90289|git commit]].))\\ ''cat /proc/net/nf_conntrack'' |''[OFFLOAD]'' |
 </WRAP> | </WRAP> |
 ^ bit 15: ''IPS_HW_OFFLOAD'' ^ ^ bit 15: ''IPS_HW_OFFLOAD'' ^
 | <WRAP> | <WRAP>
-This tracked connection has been offloaded to hardware.+This tracked connection has been offloaded to hardware by a [[flowtables_1_a_netfilter_nftables_fastpath|flowtable]].
  
-^ bit shown in output of command like this ^^ +^ bit shown by conntrack command or proc file like this ^^ 
-| ''conntrack -L'' |''[HW_OFFLOAD]'' |+| ''conntrack -L''((You will need version >= ''1.4.7'' of the ''conntrack'' tool to see this bit, however that version has not yet been released by the time of writing! Support for showing this bit has been added in 2020-04-28 with this [[https://git.netfilter.org/conntrack-tools/commit/?id=2317c0de6080bd2ecc6c47c748cbaa309cd4eec5|git commit]].))\\ ''cat /proc/net/nf_conntrack'' |''[HW_OFFLOAD]'' |
 </WRAP> | </WRAP> |
 <caption> <caption>
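Review bot: the new footnote on the ''IPS_HW_OFFLOAD'' row says version ''1.4.7'' of ''conntrack'' "has not yet been released by the time of writing", but the revision header dates this version of the page 2023-09-04 and the footer line in the same revision says "last modified 2023-09-04"; a time-bound statement like that should be re-checked and either dated explicitly ("as of 2021-08") or updated, otherwise it ages silently with every later edit. The ''IPS_OFFLOAD'' footnote is fine as written since it names a concrete version and commit.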
Line 337: Line 335:
 ICMP //echo-request// and //echo-reply// traversing ct hook functions, ICMP //echo-request// and //echo-reply// traversing ct hook functions,
 causing tracked connection to be created and later deleted, causing tracked connection to be created and later deleted,
-showing state and timeout changes as those occur.+showing state and timeout changes as those occur (click to enlarge).
 </caption> </caption>
 </figure> </figure>
Line 349: Line 347:
 in its //tuples// to do that; see function ''[[https://elixir.bootlin.com/linux/v5.10.19/source/net/netfilter/nf_conntrack_proto_icmp.c#L27|icmp_pkt_to_tuple()]]''. in its //tuples// to do that; see function ''[[https://elixir.bootlin.com/linux/v5.10.19/source/net/netfilter/nf_conntrack_proto_icmp.c#L27|icmp_pkt_to_tuple()]]''.
  
-===== UPD Example =====+===== UDP Example =====
 This example demonstrates state changes of a tracked connection in case of a [[wp>Domain_Name_System|DNS]] //query// + //response//, as shown in Figure This example demonstrates state changes of a tracked connection in case of a [[wp>Domain_Name_System|DNS]] //query// + //response//, as shown in Figure
 {{ref>ctudpexmsgs}}. The client host sends a DNS //query// message to {{ref>ctudpexmsgs}}. The client host sends a DNS //query// message to
Line 388: Line 386:
 {{ :linux:nf-ct-udp-ex.png?direct&700 |}} {{ :linux:nf-ct-udp-ex.png?direct&700 |}}
 <caption> <caption>
-DNS //query// and //response// via UDP packets, traversing ct hook functions, causing tracked connection to be created and later deleted, showing state and timeout changes as those occur.+DNS //query// and //response// via UDP packets, traversing ct hook functions, causing tracked connection to be created and later deleted, showing state and timeout changes as those occur (click to enlarge).
 </caption> </caption>
 </figure> </figure>
Line 503: Line 501:
 {{ :linux:nf-ct-tcp-ex-hs.png?direct&700 |}} {{ :linux:nf-ct-tcp-ex-hs.png?direct&700 |}}
 <caption> <caption>
-TCP 3-way handshake: packets traversing ct hook functions, causing tracked connection to be created, confirmed, established and assured.+TCP 3-way handshake: packets traversing ct hook functions, causing tracked connection to be created, confirmed, established and assured (click to enlarge).
 </caption> </caption>
 </figure> </figure>
Line 510: Line 508:
 {{ :linux:nf-ct-tcp-ex-psh.png?direct&700 |}} {{ :linux:nf-ct-tcp-ex-psh.png?direct&700 |}}
 <caption> <caption>
-TCP payload data transfer: packets traversing ct hook functions, adjusting timeout depending on outstanding TCP ACK from peer.+TCP payload data transfer: packets traversing ct hook functions, adjusting timeout depending on outstanding TCP ACK from peer (click to enlarge).
 </caption> </caption>
 </figure> </figure>
Line 517: Line 515:
 {{ :linux:nf-ct-tcp-ex-fin.png?direct&700 |}} {{ :linux:nf-ct-tcp-ex-fin.png?direct&700 |}}
 <caption> <caption>
-TCP connection termination((TCP connection termination consists of two independent 2-way handshakes, which can result in 4 packets being exchanged. However, if both sides like to terminate simultaneously, then this can also result in just 3 packets, as shown here. I chose that shorter variant in this example, to prevent this figure from getting too big. ;-) )): packets traversing ct hook functions, causing timeout to be adjusted, after final timeout expiration, tracked connection is deleted. +TCP connection termination((TCP connection termination consists of two independent 2-way handshakes, which can result in 4 packets being exchanged. However, if both sides like to terminate simultaneously, then this can also result in just 3 packets, as shown here. I chose that shorter variant in this example, to prevent this figure from getting too big. ;-) )): packets traversing ct hook functions, causing timeout to be adjusted, after final timeout expiration, tracked connection is deleted (click to enlarge)
 </caption> </caption>
 </figure> </figure>
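The status-bit table above explains which bits ''conntrack -L'' and ''/proc/net/nf_conntrack'' display (''[UNREPLIED]'' being the negation of ''IPS_SEEN_REPLY'', ''[ASSURED]'' being ''IPS_ASSURED'') and which Iptables expressions match them, and the ICMP, UDP and TCP examples show how those bits change over the life of a connection. The script below is an added example, not code from the article or from the conntrack-tools project: it parses entries in the ''/proc/net/nf_conntrack'' line format (the same tags appear in ''conntrack -L'' output, minus the leading ''ipv4 2'' columns), extracts the status tags, and maps each tag back to the Iptables ''-m conntrack --ctstatus'' syntax from the table. The four sample entries are constructed test data modelled on that format (an assured SSH session, a DNS query still waiting for its reply, an ICMP echo exchange, and a TCP SYN without SYN/ACK); the timeouts and state names are the kernel defaults as described in the examples, and the remark about ''early_drop()'' is a kernel fact not covered by the article.

```shell
#!/bin/sh
# Added example, not code from the original article or from conntrack-tools.
# Parses conntrack entries in the /proc/net/nf_conntrack line format and maps
# the displayed status tags back to the rule syntax from the status-bit table.
# SAMPLE_ENTRIES is CONSTRUCTED test data modelled on that format.
SAMPLE_ENTRIES='ipv4     2 tcp      6 431995 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=51234 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.0.2 dst=10.0.0.53 sport=40000 dport=53 [UNREPLIED] src=10.0.0.53 dst=10.0.0.2 sport=53 dport=40000 mark=0 zone=0 use=2
ipv4     2 icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=1234 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=1234 mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=10.0.0.9 dst=10.0.0.1 sport=40001 dport=443 [UNREPLIED] src=10.0.0.1 dst=10.0.0.9 sport=443 dport=40001 mark=0 zone=0 use=2'

# ct_sample N -> the N-th constructed entry (1-based)
ct_sample() {
    printf '%s\n' "$SAMPLE_ENTRIES" | sed -n "${1}p"
}

# ct_proto ENTRY -> layer-4 protocol name (third column of the proc format)
ct_proto() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# ct_flags ENTRY -> bracketed status tags of one entry, space separated,
# e.g. "ASSURED". An entry that has seen its reply but is not assured (the
# ICMP sample) shows no tag at all. Tag position matters: [UNREPLIED] (the
# negated IPS_SEEN_REPLY bit) sits between the original and the reply tuple,
# [ASSURED] follows the reply tuple.
ct_flags() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\[[A-Z_]+\]$/)
                out = out (out == "" ? "" : " ") substr($i, 2, length($i) - 2)
        print out
    }'
}

# ct_rule_match TAG -> Iptables match that selects the entries showing TAG,
# using the syntax from the status-bit table. [UNREPLIED] is the negation of
# the SEEN_REPLY bit, hence the "!". [OFFLOAD]/[HW_OFFLOAD] are display-only.
ct_rule_match() {
    case "$1" in
        ASSURED)            echo '-m conntrack --ctstatus ASSURED' ;;
        UNREPLIED)          echo '-m conntrack ! --ctstatus SEEN_REPLY' ;;
        OFFLOAD|HW_OFFLOAD) echo '(not matchable from a rule)' ;;
        *) echo "unknown tag: $1" >&2; return 1 ;;
    esac
}

# ct_count_unassured ENTRIES -> number of entries without [ASSURED]. Those are
# the entries the kernel's early_drop() is allowed to evict once the table is
# full (nf_conntrack_max), so a flood of unanswered SYNs or DNS queries is
# evicted before it displaces assured connections.
ct_count_unassured() {
    printf '%s\n' "$1" | awk '!/\[ASSURED\]/ { n++ } END { print n + 0 }'
}

# Stand-alone run: protocol, tags and matching rule syntax for every sample.
ct_report() {
    printf '%s\n' "$SAMPLE_ENTRIES" | while IFS= read -r entry; do
        flags=$(ct_flags "$entry")
        printf '%-5s tags=[%s]' "$(ct_proto "$entry")" "$flags"
        for f in $flags; do printf '  match: %s' "$(ct_rule_match "$f")"; done
        printf '\n'
    done
    echo "unassured entries: $(ct_count_unassured "$SAMPLE_ENTRIES")"
}

ct_report
```

To run it against a live system instead of the constructed data, replace ''SAMPLE_ENTRIES'' with the output of ''cat /proc/net/nf_conntrack'' (needs root and CONFIG_NF_CONNTRACK_PROCFS); for ''conntrack -L'' output adjust ''ct_proto'' to read the first column, since that tool omits the layer-3 family prefix. The ratio of unassured to total entries is the number to watch on a box under a SYN or UDP flood.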
Line 539: Line 537:
   * [[https://conntrack-tools.netfilter.org/manual.html|The conntrack-tools user manual (Pablo Neira Ayuso, 2012)]]   * [[https://conntrack-tools.netfilter.org/manual.html|The conntrack-tools user manual (Pablo Neira Ayuso, 2012)]]
  
-//published 2021-08-07//, //last modified 2021-08-07//+//published 2021-08-07//, //last modified 2023-09-04//
  
blog/linux/connection_tracking_3_state_and_examples.1628365542.txt.gz · Last modified: 2021-08-07 by Andrej Stender