blog:linux:connection_tracking_1_modules_and_hooks
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
blog:linux:connection_tracking_1_modules_and_hooks [2021-07-21] – explained connection confirm mechanism in more detail Andrej Stender | blog:linux:connection_tracking_1_modules_and_hooks [2023-08-15] (current) – improved/fixed some statements, typos Andrej Stender | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | {{tag> | + | {{tag> |
====== Connection tracking (conntrack) - Part 1: Modules and Hooks ====== | ====== Connection tracking (conntrack) - Part 1: Modules and Hooks ====== | ||
~~META: | ~~META: | ||
date created = 2021-04-04 | date created = 2021-04-04 | ||
~~ | ~~ | ||
- | |||
- | ~~NOTOC~~ | ||
- | |||
With this article series I like to take a closer look at the connection tracking subsystem of the Linux kernel, | With this article series I like to take a closer look at the connection tracking subsystem of the Linux kernel, | ||
Line 16: | Line 13: | ||
* [[connection_tracking_1_modules_and_hooks|Connection tracking (conntrack) - Part 1: Modules and Hooks]] | * [[connection_tracking_1_modules_and_hooks|Connection tracking (conntrack) - Part 1: Modules and Hooks]] | ||
* [[connection_tracking_2_core_implementation|Connection tracking (conntrack) - Part 2: Core Implementation]] | * [[connection_tracking_2_core_implementation|Connection tracking (conntrack) - Part 2: Core Implementation]] | ||
- | * Connection tracking (conntrack) - Part 3: Connection States | + | * [[connection_tracking_3_state_and_examples|Connection tracking (conntrack) - Part 3: State and Examples]] |
===== Overview ===== | ===== Overview ===== | ||
What is the purpose of connection tracking and what does it do? Once activated, connection tracking (the ct system inside the Linux kernel) examines IPv4 and/or IPv6 network packets and their payload, with the intention to determine which packets are associated with each other, e.g. in the scope of a connection-oriented protocol like TCP. The ct system performs this task as a transparent observer and does not take active part in the communication between endpoints. It is not relevant for the ct system, whether the endpoints of a connection are local or remote. They could be located on remote hosts, in which case the ct system would observe them while running on a host which merely is routing or bridging the packets of a particular connection. Alternatively, | What is the purpose of connection tracking and what does it do? Once activated, connection tracking (the ct system inside the Linux kernel) examines IPv4 and/or IPv6 network packets and their payload, with the intention to determine which packets are associated with each other, e.g. in the scope of a connection-oriented protocol like TCP. The ct system performs this task as a transparent observer and does not take active part in the communication between endpoints. It is not relevant for the ct system, whether the endpoints of a connection are local or remote. They could be located on remote hosts, in which case the ct system would observe them while running on a host which merely is routing or bridging the packets of a particular connection. Alternatively, | ||
- | The ct system maintains an up-to-date (live) list of all tracked connections. Based on that it " | + | The ct system maintains an up-to-date (live) list of all tracked connections. Based on that it " |
The ct system itself does never alter/ | The ct system itself does never alter/ | ||
Line 36: | Line 33: | ||
nft add rule ip filter forward iif eth0 ct state established accept | nft add rule ip filter forward iif eth0 ct state established accept | ||
</ | </ | ||
- | < | + | < |
<code bash> | <code bash> | ||
nft add table ip filter | nft add table ip filter | ||
Line 78: | Line 75: | ||
===== Netfilter hooks ===== | ===== Netfilter hooks ===== | ||
Like Iptables and Nftables, the ct system is built on top of the Netfilter framework. It implements hook functions to be able to observe network packets and registers those with the Netfilter hooks. | Like Iptables and Nftables, the ct system is built on top of the Netfilter framework. It implements hook functions to be able to observe network packets and registers those with the Netfilter hooks. | ||
- | If you are not yet very familiar with Netfilter hooks, better first take a look at my other article [[nftables_packet_flow_netfilter_hooks_detail|Nftables - Packet flow and Netfilter hooks in detail]], before proceeding here. From the bird's eye view, the famous | + | If you are not yet very familiar with Netfilter hooks, better first take a look at my other article [[nftables_packet_flow_netfilter_hooks_detail|Nftables - Packet flow and Netfilter hooks in detail]], before proceeding here. From the bird's eye view, the //Netfilter Packet Flow// image shown in Figure {{ref> |
<figure nfpackflowofficial> | <figure nfpackflowofficial> | ||
Line 88: | Line 85: | ||
===== Module nf_conntrack ===== | ===== Module nf_conntrack ===== | ||
- | Let's get back to the example above and take a look at the kernel module of the ct system | + | Let's get back to the example above and take a look at the kernel module of the ct system |
'' | '' | ||
- | The Nftables rules shown in the example above specify //address family// '' | + | The Nftables rules shown in Figure {{ref> |
<figure nfcthooks1> | <figure nfcthooks1> | ||
Line 103: | Line 100: | ||
==== The main ct hook functions ==== | ==== The main ct hook functions ==== | ||
- | The two hook functions which get registered with priority -200 in the // | + | The two hook functions which get registered with priority -200 in the // |
Line 123: | Line 120: | ||
specific use cases and I won't cover that topic in the scope of this first | specific use cases and I won't cover that topic in the scope of this first | ||
article. The second is to " | article. The second is to " | ||
- | I'll elaborate | + | I'll elaborate on what that means in the sections below. |
<WRAP round info> | <WRAP round info> | ||
Line 139: | Line 136: | ||
===== Modules nf_defrag_ipv4/ | ===== Modules nf_defrag_ipv4/ | ||
- | As shown above, module '' | + | As shown in Figure {{ref> |
<figure nfdefraghooks1> | <figure nfdefraghooks1> | ||
Line 148: | Line 145: | ||
Like the ct system itself, those defrag modules do not become globally active on module load. They export (=provide) functions '' | Like the ct system itself, those defrag modules do not become globally active on module load. They export (=provide) functions '' | ||
- | Figure {{ref> | + | Figure {{ref> |
This function is being registered as a hook function with the Netfilter // | This function is being registered as a hook function with the Netfilter // | ||
- | The ct system' | + | The ct system' |
===== Hooks Summary ===== | ===== Hooks Summary ===== | ||
Line 182: | Line 179: | ||
===== How it works... ===== | ===== How it works... ===== | ||
I know... so far I kept beating around the bush. Now let's finally talk about how the ct system actually operates and what it does to network packets traversing its hook functions. Please be aware that what I describe in this section are the basics and does not cover all what the ct system actually does. The ct system maintains the connections which it is tracking in a central table. Each tracked connection is represented by an instance of '' | I know... so far I kept beating around the bush. Now let's finally talk about how the ct system actually operates and what it does to network packets traversing its hook functions. Please be aware that what I describe in this section are the basics and does not cover all what the ct system actually does. The ct system maintains the connections which it is tracking in a central table. Each tracked connection is represented by an instance of '' | ||
- | - It is either | + | - It is either part of or related to one of its tracked connections. |
- | - It is the first packet of a new connection which is not yet tracked. | + | - It is the first seen packet of a connection which is not yet tracked. |
- It is an invalid packet, which is broken or doesn' | - It is an invalid packet, which is broken or doesn' | ||
- It is marked as NOTRACK, which tells the ct system to ignore it. | - It is marked as NOTRACK, which tells the ct system to ignore it. | ||
Line 203: | Line 200: | ||
Figure {{ref> | Figure {{ref> | ||
- | being part of an already tracked connection. When that packet traverses the main // | + | being part of an already tracked connection. When that packet traverses the main // |
Further, the OSI layer 4 protocol of the packet is now being analyzed and latest protocol state and details are saved to its tracked connection instance. Then the packet continues on its way through other hook functions and the network stack. Other kernel components, like Nftables with //CONNTRACK EXPRESSION// | Further, the OSI layer 4 protocol of the packet is now being analyzed and latest protocol state and details are saved to its tracked connection instance. Then the packet continues on its way through other hook functions and the network stack. Other kernel components, like Nftables with //CONNTRACK EXPRESSION// | ||
Line 219: | Line 216: | ||
being the first one representing a new connection which is not yet tracked by the ct system. | being the first one representing a new connection which is not yet tracked by the ct system. | ||
When that packet traverses the main // | When that packet traverses the main // | ||
- | it passes the already mentioned validity checks. However, in this case the lookup in the ct table (1) does not find a matching connection. As a result, the ct system considers the packet to be the first one of a new connection. A new instance of '' | + | it passes the already mentioned validity checks. However, in this case the lookup in the ct table (1) does not find a matching connection. As a result, the ct system considers the packet to be the first one of a new connection((To be precise: The first one the ct system has //seen// from that connection. That does not necessarily mean that this always must be the actual very first packet of a new connection, because there might be cases where the ct system for whatever reason did not see the first few packets of an actual connection and kind-of starts tracking in the middle of an already existing connection.)). A new instance of '' |
Further, the OSI layer 4 protocol of the packet is now being analyzed and protocol state and details are saved to its tracked connection instance. Then the packet continues on its way through other hook functions and the network stack. | Further, the OSI layer 4 protocol of the packet is now being analyzed and protocol state and details are saved to its tracked connection instance. Then the packet continues on its way through other hook functions and the network stack. | ||
Figure {{ref> | Figure {{ref> | ||
Line 225: | Line 222: | ||
But even if a client, who is trying to establish e.g. a TCP connection by sending a TCP SYN packet, is behaving normally, it would still send out several TCP SYN packets as retransmissions if it does not receive any reply from the peer side. Thus, if you have a '' | But even if a client, who is trying to establish e.g. a TCP connection by sending a TCP SYN packet, is behaving normally, it would still send out several TCP SYN packets as retransmissions if it does not receive any reply from the peer side. Thus, if you have a '' | ||
- | The third possibility is, that the ct system considers a packet as // | + | The third possibility is, that the ct system considers a packet as // |
However, it is not the job of the ct system to drop invalid packets((However, | However, it is not the job of the ct system to drop invalid packets((However, | ||
Line 278: | Line 275: | ||
* [[http:// | * [[http:// | ||
* [[http:// | * [[http:// | ||
+ | * [[https:// | ||
* [[https:// | * [[https:// | ||
* [[http:// | * [[http:// | ||
Line 285: | Line 283: | ||
- | //published 2021-04-04//, | + | //published 2021-04-04//, |
blog/linux/connection_tracking_1_modules_and_hooks.1626886902.txt.gz · Last modified: 2021-07-21 by Andrej Stender