Compared revisions: blog:linux:connection_tracking_2_core_implementation [2021-04-21] – added buzzword "conntrack" to header (Andrej Stender) | blog:linux:connection_tracking_2_core_implementation [2022-08-07] (current) – activated TOC (Andrej Stender)
Line 1: | Line 1: | ||
- | {{tag> | + | {{tag> |
====== Connection tracking (conntrack) - Part 2: Core Implementation ====== | ====== Connection tracking (conntrack) - Part 2: Core Implementation ====== | ||
~~META: | ~~META: | ||
date created = 2021-04-11 | date created = 2021-04-11 | ||
~~ | ~~ | ||
- | |||
- | ~~NOTOC~~ | ||
With this article series I like to take a closer look at the connection tracking subsystem of the Linux kernel, which provides the basis for features like stateful packet filtering and NAT. | With this article series I like to take a closer look at the connection tracking subsystem of the Linux kernel, which provides the basis for features like stateful packet filtering and NAT. | ||
Line 15: | Line 13: | ||
===== Articles of the series ===== | ===== Articles of the series ===== | ||
- | * [[connection_tracking_1_modules_and_hooks|Connection tracking - Part 1: Modules and Hooks]] | + | * [[connection_tracking_1_modules_and_hooks|Connection tracking |
- | * [[connection_tracking_2_core_implementation|Connection tracking - Part 2: Core Implementation]] | + | * [[connection_tracking_2_core_implementation|Connection tracking |
- | * Connection tracking - Part 3: Connection States | + | * [[connection_tracking_3_state_and_examples|Connection tracking |
===== The ct table ===== | ===== The ct table ===== | ||
Line 74: | Line 72: | ||
===== Lookup existing connection ===== | ===== Lookup existing connection ===== | ||
- | Let's walk through the connection lookup in detail. In Figure {{ref> | + | Let's walk through the connection lookup in detail. In Figure {{ref> |
In this example I assume that the connection the TCP packet belongs to is already known and tracked by the ct system at this point. In other words, I assume that this is not the first packet of that connection which the ct system is seeing. | In this example I assume that the connection the TCP packet belongs to is already known and tracked by the ct system at this point. In other words, I assume that this is not the first packet of that connection which the ct system is seeing. | ||
Line 97: | Line 95: | ||
As you can see, it is '' | As you can see, it is '' | ||
This means the TCP packet in question is part of the // | This means the TCP packet in question is part of the // | ||
- | In step (6) function '' | + | In step (6) function '' |
===== Adding a new connection ===== | ===== Adding a new connection ===== | ||
Line 128: | Line 126: | ||
Step (5) is the exact same thing as step (6) in Figure {{ref> | Step (5) is the exact same thing as step (6) in Figure {{ref> | ||
initializing '' | initializing '' | ||
- | Finally now the OSI layer 4 protocol of the packet (in our example TCP) is being examined((That is done in function '' | + | Finally now the OSI layer 4 protocol of the packet (in our example TCP) is being examined((That is done in function '' |
<figure nfctadd2> | <figure nfctadd2> | ||
Line 221: | Line 219: | ||
deletion can occur if the network packet which triggered | deletion can occur if the network packet which triggered | ||
its creation is dropped before it reaches the //conntrack | its creation is dropped before it reaches the //conntrack | ||
- | " | + | " |
the '' | the '' | ||
deletion and it calls '' | deletion and it calls '' | ||
Line 237: | Line 235: | ||
is required for " | is required for " | ||
by a network packet and they either become " | by a network packet and they either become " | ||
- | still traversing the kernel network stack or they die together that same packet | + | still traversing the kernel network stack or they die together |
when it is being dropped.)). This means, usually each further network packet | when it is being dropped.)). This means, usually each further network packet | ||
- | traversing the main ct hook callbacks | + | traversing the main ct hook functions |
connection (=for which the lookup in the ct table finds a match), | connection (=for which the lookup in the ct table finds a match), | ||
will cause the timeout of that connection to be resetted/ | will cause the timeout of that connection to be resetted/ | ||
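Review bot: the unchanged context line "will cause the timeout of that connection to be resetted/" uses "resetted", which is not the past participle of "reset"; since this paragraph is already being touched for the "hook callbacks" → "hook functions" wording change, replace it with "reset" in the same edit.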
Line 289: | Line 287: | ||
But when and how often does the ct system actually check each tracked | But when and how often does the ct system actually check each tracked | ||
connection for expiration? Nearly all what I described so far happens within | connection for expiration? Nearly all what I described so far happens within | ||
- | the ct system' | + | the ct system' |
of the timeout however is to make a tracked connection expire, if no further | of the timeout however is to make a tracked connection expire, if no further | ||
traffic is detected for some time. Obviously that expiration checking | traffic is detected for some time. Obviously that expiration checking | ||
- | cannot be done in the hook callbacks. | + | cannot be done in the hook functions. |
The ct system uses the // | The ct system uses the // | ||
to run the garbage collecting function | to run the garbage collecting function | ||
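Review bot: the unchanged context line "connection for expiration? Nearly all what I described so far happens within" is missing a word and should read "Nearly all of what I described"; the neighbouring line is being changed from "hook callbacks" to "hook functions" anyway, so the grammar fix can go into the same edit.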
Line 338: | Line 336: | ||
[[: | [[: | ||
if you bring this to my attention and of course I'll then fix my content asap accordingly. | if you bring this to my attention and of course I'll then fix my content asap accordingly. | ||
+ | |||
+ | ===== References ===== | ||
+ | * [[https:// | ||
+ | * [[http:// | ||
+ | * [[https:// | ||
+ | * [[http:// | ||
===== Continue with next article ===== | ===== Continue with next article ===== | ||
- | A third article is currently in the works. I'll place a link here once its finished. | + | [[connection_tracking_3_state_and_examples|Connection tracking (conntrack) - Part 3: State and Examples]] |
- | In that article, I plan to take a look at the set of states a tracked connection lives through during its life cycle and in which way Nftables rules make use of that. I'll further present practical examples which show the life cycle and state changes of tracked connections of common protocols like ICMP, TCP and UDP. | + | |
+ | |||
+ | //published 2021-04-11// | ||
blog/linux/connection_tracking_2_core_implementation.1618986276.txt.gz · Last modified: 2021-04-21 by Andrej Stender