Thermalcircle

climbing the thermals


blog:linux:connection_tracking_3_state_and_examples [2021-08-23] – fixed last modification date Andrej Stenderblog:linux:connection_tracking_3_state_and_examples [2023-09-04] (current) – fix typo "UPD" -> "UDP" Andrej Stender
Line 1: Line 1:
-{{tag>linux netfilter conntrack nftables iptables}}+{{tag>linux kernel netfilter conntrack nftables iptables}}
 ====== Connection tracking (conntrack) - Part 3: State and Examples ====== ====== Connection tracking (conntrack) - Part 3: State and Examples ======
 ~~META: ~~META:
 date created = 2021-08-07  date created = 2021-08-07 
 ~~ ~~
- 
-~~NOTOC~~ 
  
 With this article series I like to take a closer look at the connection tracking subsystem of the Linux kernel, which provides the basis for features like stateful packet filtering and NAT. I refer to it as the “ct system” throughout the series. In this third article, I like to take a look at how the system analyzes and tracks the  state of a connection and in which way IPtables/Nftables rules can make use of that. I further present some practical examples for common protocols like ICMP, UDP and TCP. With this article series I like to take a closer look at the connection tracking subsystem of the Linux kernel, which provides the basis for features like stateful packet filtering and NAT. I refer to it as the “ct system” throughout the series. In this third article, I like to take a look at how the system analyzes and tracks the  state of a connection and in which way IPtables/Nftables rules can make use of that. I further present some practical examples for common protocols like ICMP, UDP and TCP.
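Review bot: the removal of `~~NOTOC~~` in this hunk is not covered by either edit summary ("fixed last modification date", "fix typo UPD -> UDP"), yet it changes how the page renders, since DokuWiki will now generate a table of contents again; the added `kernel` tag in the `{{tag>...}}` line is likewise unmentioned. Consider stating both changes in the revision summary so readers of the history can see why the TOC reappeared.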
Line 144: Line 142:
 ^ bit 14: ''IPS_OFFLOAD'' ^ ^ bit 14: ''IPS_OFFLOAD'' ^
 | <WRAP> | <WRAP>
-This tracked connection has been offloaded to flow table.+This tracked connection has been offloaded to a [[flowtables_1_a_netfilter_nftables_fastpath|flowtable]].
  
 ^ bit shown by conntrack command or proc file like this ^^ ^ bit shown by conntrack command or proc file like this ^^
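Review bot: the new link `[[flowtables_1_a_netfilter_nftables_fastpath|flowtable]]` has no namespace prefix, so DokuWiki resolves it relative to the current page's namespace (`blog:linux`); this is fine only if the flowtables article lives in that same namespace. If it does not, an explicit id such as `[[blog:linux:flowtables_1_a_netfilter_nftables_fastpath|flowtable]]` would be safer, and the same applies to the identical link in the `IPS_HW_OFFLOAD` hunk below.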
Line 151: Line 149:
 ^ bit 15: ''IPS_HW_OFFLOAD'' ^ ^ bit 15: ''IPS_HW_OFFLOAD'' ^
 | <WRAP> | <WRAP>
-This tracked connection has been offloaded to hardware.+This tracked connection has been offloaded to hardware by a [[flowtables_1_a_netfilter_nftables_fastpath|flowtable]].
  
 ^ bit shown by conntrack command or proc file like this ^^ ^ bit shown by conntrack command or proc file like this ^^
Line 337: Line 335:
 ICMP //echo-request// and //echo-reply// traversing ct hook functions, ICMP //echo-request// and //echo-reply// traversing ct hook functions,
 causing tracked connection to be created and later deleted, causing tracked connection to be created and later deleted,
-showing state and timeout changes as those occur.+showing state and timeout changes as those occur (click to enlarge).
 </caption> </caption>
 </figure> </figure>
Line 349: Line 347:
 in its //tuples// to do that; see function ''[[https://elixir.bootlin.com/linux/v5.10.19/source/net/netfilter/nf_conntrack_proto_icmp.c#L27|icmp_pkt_to_tuple()]]''. in its //tuples// to do that; see function ''[[https://elixir.bootlin.com/linux/v5.10.19/source/net/netfilter/nf_conntrack_proto_icmp.c#L27|icmp_pkt_to_tuple()]]''.
  
-===== UPD Example =====+===== UDP Example =====
 This example demonstrates state changes of a tracked connection in case of a [[wp>Domain_Name_System|DNS]] //query// + //response//, as shown in Figure This example demonstrates state changes of a tracked connection in case of a [[wp>Domain_Name_System|DNS]] //query// + //response//, as shown in Figure
 {{ref>ctudpexmsgs}}. The client host sends a DNS //query// message to {{ref>ctudpexmsgs}}. The client host sends a DNS //query// message to
Line 388: Line 386:
 {{ :linux:nf-ct-udp-ex.png?direct&700 |}} {{ :linux:nf-ct-udp-ex.png?direct&700 |}}
 <caption> <caption>
-DNS //query// and //response// via UDP packets, traversing ct hook functions, causing tracked connection to be created and later deleted, showing state and timeout changes as those occur.+DNS //query// and //response// via UDP packets, traversing ct hook functions, causing tracked connection to be created and later deleted, showing state and timeout changes as those occur (click to enlarge).
 </caption> </caption>
 </figure> </figure>
Line 503: Line 501:
 {{ :linux:nf-ct-tcp-ex-hs.png?direct&700 |}} {{ :linux:nf-ct-tcp-ex-hs.png?direct&700 |}}
 <caption> <caption>
-TCP 3-way handshake: packets traversing ct hook functions, causing tracked connection to be created, confirmed, established and assured.+TCP 3-way handshake: packets traversing ct hook functions, causing tracked connection to be created, confirmed, established and assured (click to enlarge).
 </caption> </caption>
 </figure> </figure>
Line 510: Line 508:
 {{ :linux:nf-ct-tcp-ex-psh.png?direct&700 |}} {{ :linux:nf-ct-tcp-ex-psh.png?direct&700 |}}
 <caption> <caption>
-TCP payload data transfer: packets traversing ct hook functions, adjusting timeout depending on outstanding TCP ACK from peer.+TCP payload data transfer: packets traversing ct hook functions, adjusting timeout depending on outstanding TCP ACK from peer (click to enlarge).
 </caption> </caption>
 </figure> </figure>
Line 517: Line 515:
 {{ :linux:nf-ct-tcp-ex-fin.png?direct&700 |}} {{ :linux:nf-ct-tcp-ex-fin.png?direct&700 |}}
 <caption> <caption>
-TCP connection termination((TCP connection termination consists of two independent 2-way handshakes, which can result in 4 packets being exchanged. However, if both sides like to terminate simultaneously, then this can also result in just 3 packets, as shown here. I chose that shorter variant in this example, to prevent this figure from getting too big. ;-) )): packets traversing ct hook functions, causing timeout to be adjusted, after final timeout expiration, tracked connection is deleted. +TCP connection termination((TCP connection termination consists of two independent 2-way handshakes, which can result in 4 packets being exchanged. However, if both sides like to terminate simultaneously, then this can also result in just 3 packets, as shown here. I chose that shorter variant in this example, to prevent this figure from getting too big. ;-) )): packets traversing ct hook functions, causing timeout to be adjusted, after final timeout expiration, tracked connection is deleted (click to enlarge)
 </caption> </caption>
 </figure> </figure>
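Review bot: the rewritten caption ends with "(click to enlarge)" without a trailing period, whereas every other caption changed in this revision ends with "(click to enlarge)."; please add the period for consistency. While touching this line, the clause "causing timeout to be adjusted, after final timeout expiration, tracked connection is deleted" is a comma splice and would read better split into two sentences, e.g. "causing timeout to be adjusted. After final timeout expiration, the tracked connection is deleted (click to enlarge)."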
Line 539: Line 537:
   * [[https://conntrack-tools.netfilter.org/manual.html|The conntrack-tools user manual (Pablo Neira Ayuso, 2012)]]   * [[https://conntrack-tools.netfilter.org/manual.html|The conntrack-tools user manual (Pablo Neira Ayuso, 2012)]]
  
-//published 2021-08-07//, //last modified 2021-08-23//+//published 2021-08-07//, //last modified 2023-09-04//
  
blog/linux/connection_tracking_3_state_and_examples.1629715203.txt.gz · Last modified: 2021-08-23 by Andrej Stender