From: "Paul Albert"
Subject: connection tracking question
Date: Wed, 12 May 2004 15:20:24 -0600
To: Netfilter Development Mailinglist

Hi -

I hope that this is a quick question regarding when connection tracking happens in relation to iptables chains being traversed.

Specifically, I would like to know when the ESTABLISHED state is set in the kernel. I realize that it is when iptables sees an ACK of a SYN packet, for example, but if I have a firewall rule in the nat/PREROUTING chain that checks to ensure that the connection is ESTABLISHED, will the ACK packet cause the rule to be hit? Does the connection tracking take place before the mangle/PREROUTING chain?

I tried checking around the kernel code, but it wasn't immediately obvious to me. Thanks!

Paul

From: Pablo Neira
Subject: Re: connection tracking question
Date: Thu, 13 May 2004 00:21:15 +0200
To: Paul Albert, Netfilter Development Mailinglist

Hi Paul,

Paul Albert wrote:
> Specifically, I would like to know when the ESTABLISHED state is set
> in the kernel.

mmm, I suppose that you are talking about a tcp connection, in that case, see file ip_conntrack_proto_tcp.c. If that's not enough, you can have a look at the tcp-window-tracking patch available in pom-ng, which adds interesting comments to understand tcp tracking.

> I realize that it is when iptables sees an ACK of a SYN packet, for
> example, but if I have a firewall rule in the nat/PREROUTING chain
> that checks to ensure that the connection is ESTABLISHED, will the ACK
> packet cause the rule to be hit? Does the connection tracking take
> place before the mangle/PREROUTING chain?

yes, connection tracking is the first hook in prerouting/output, so it's done before mangle. It's also the last in postrouting/input.

regards,
Pablo

From: Pablo Neira
Subject: Re: connection tracking question
Date: Thu, 13 May 2004 00:35:41 +0200
To: Paul Albert, Netfilter Development Mailinglist

Oops, sorry, error... !:-)

Pablo Neira wrote:
>> Specifically, I would like to know when the ESTABLISHED state is set
>> in the kernel.
>
> mmm, I suppose that you are talking about a tcp connection,

not necessarily, you could be talking also about conntrack state, yes please have a look at:

http://lxr.linux.no/source/net/ipv4/netfilter/ip_conntrack_core.c#L738

function resolve_normal_ct, see the ct_info var. Don't mix tcp states with conntrack states, they are independent.

regards,
Pablo

From: Henrik Nordstrom
Subject: Re: connection tracking question
Date: Thu, 13 May 2004 01:00:59 +0200 (CEST)
To: Paul Albert
Cc: Netfilter Developers List

On Wed, 12 May 2004, Paul Albert wrote:

> Specifically, I would like to know when the ESTABLISHED state is set in
> the kernel.

In principle whenever there is a bare ACK. For full details decode the state table in net/ipv4/netfilter/conntrack_proto_tcp.c, there you can see the exact TCP flag states that can cause a transition to ESTABLISHED.

Remember that the purpose of the conntrack TCP states is to try to deduce the TCP state of the endpoints, not to implement a TCP.

> I realize that it is when iptables sees an ACK of a SYN packet, for
> example, but if I have a firewall rule in the nat/PREROUTING chain that
> checks to ensure that the connection is ESTABLISHED, will the ACK packet
> cause the rule to be hit?

How do you match for ESTABLISHED? ESTABLISHED != CONNECTED. The two are inherently different.

ESTABLISHED is a TCP state of ip_conntrack_proto_tcp indicating the type of packets currently seen on the connection and also used in conntrack expiration calculations.

CONNECTED is a state of conntrack indicating the nature of the flow of packets seen on the connection, or put simply that there is traffic in both directions.

> Does the connection tracking take place before the mangle/PREROUTING
> chain?

Yes. Connection tracking takes place before mostly everything.

conntrack runs in its own hook very early in the packet processing.

Regards
Henrik
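An added toy model, not code from this thread or from the kernel, of the two points Pablo and Henrik make: the PREROUTING hook order (priorities taken from the kernel's netfilter_ipv4.h constants NF_IP_PRI_CONNTRACK, NF_IP_PRI_MANGLE and NF_IP_PRI_NAT_DST) and the independence of the per-protocol TCP state from the conntrack ctinfo that the iptables state match actually sees. The TCP transitions are a simplified subset covering only the three-way handshake, and the packet sequence is constructed.

```python
# Added toy model of netfilter hook ordering and conntrack classification (not kernel code).
from dataclasses import dataclass

# PREROUTING hook priorities from netfilter_ipv4.h (NF_IP_PRI_CONNTRACK,
# NF_IP_PRI_MANGLE, NF_IP_PRI_NAT_DST); the kernel runs lower values first.
PREROUTING_HOOKS = [("nat_dst", -100), ("mangle", -150), ("conntrack", -200)]


def prerouting_order():
    """Names of the PREROUTING hooks in the order the kernel calls them."""
    return [name for name, _ in sorted(PREROUTING_HOOKS, key=lambda h: h[1])]


@dataclass
class Conntrack:
    """One tracked connection: the TCP-protocol state plus the flow-level reply flag."""
    tcp_state: str = "NONE"    # ip_conntrack_proto_tcp's view (SYN_SENT, SYN_RECV, ...)
    seen_reply: bool = False   # IPS_SEEN_REPLY: a packet has arrived in the reply direction

    def track(self, flags, direction):
        """Feed one packet; return the ctinfo (NEW/ESTABLISHED) that -m state matches on.
        The TCP transitions are a simplified subset of the real state table."""
        if direction == "orig" and flags == {"SYN"}:
            self.tcp_state = "SYN_SENT"
        elif direction == "reply" and flags == {"SYN", "ACK"}:
            self.tcp_state = "SYN_RECV"
        elif direction == "orig" and flags == {"ACK"} and self.tcp_state == "SYN_RECV":
            self.tcp_state = "ESTABLISHED"
        # ctinfo as resolve_normal_ct derives it: a reply-direction packet, or any
        # packet once a reply has been seen, is ESTABLISHED; before that it is NEW.
        if direction == "reply":
            self.seen_reply = True
            return "ESTABLISHED"
        return "ESTABLISHED" if self.seen_reply else "NEW"


def handshake():
    """Constructed SYN, SYN/ACK, ACK exchange; returns (ctinfo, tcp_state) per packet."""
    ct = Conntrack()
    packets = [({"SYN"}, "orig"), ({"SYN", "ACK"}, "reply"), ({"ACK"}, "orig")]
    return [(ct.track(flags, d), ct.tcp_state) for flags, d in packets]


if __name__ == "__main__":
    print("PREROUTING order:", " -> ".join(prerouting_order()))
    for ctinfo, tcp_state in handshake():
        print(f"ctinfo={ctinfo:12} tcp_state={tcp_state}")
```

Note that the SYN/ACK already carries ctinfo ESTABLISHED while the TCP tracker is still in SYN_RECV, which is exactly the distinction Henrik draws: the state match answers "has traffic flowed both ways", not "is the TCP handshake complete".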