![]() ![]() #Iptables example -m conntrack -ctstate ESTABLISHED,RELATED I guess most people reading this are familiar with the usual syntax of Iptables/Nftables for matching against the state of tracked connections: However, this state probably is the most essential information produced by the ct system, because it provides the basis for components like Iptables/Nftables to make meaningful “stateful packet filtering” decisions. TCP) in the communication endpoints, as the ct system merely is an observer in the middle and has no access to endpoints or their internal states. ![]() This connection state maintained by the ct system is of course not the same as the actual state of a network protocol (like e.g. It does that by analyzing OSI layers 3 and 4 (and in certain cases also higher layers) of each packet. So far so good.įigure 1: Conntrack+ Defrag hook functions and Iptables chains registered with IPv4 Netfilter hooksĪs packets keep flowing, the ct system continuously analyzes each connection to determine its current state. These concepts are often referred to as stateful packet filtering or stateful packet inspection. Thereby it marks/categorizes the packet, so other components like Iptables/Nftables can make decisions based on that. For each IPv4/IPv6 packet which is traversing the ct hook functions in the Netfilter hooks (the ones with priority -200 see Figure 1), the ct system determines to which tracked connection that packet belongs to and initializes a pointer within the skb data structure of the packet to point to the according instance of struct nf_conn. To put things into context let's do a short recap of what I already described in detail in the previous articles of this series: The ct system maintains all connections which it is tracking in a central table and each tracked connection is being represented by an instance of struct nf_conn.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |