connection tracking question

connection tracking question

[Paul Albert]

[-- Attachment #1: Type: text/plain, Size: 673 bytes --]

Hi - 

 

I hope that this is a quick question regarding when connection tracking
happens in relation to iptables chains being traversed.

 

Specifically, I would like to know when the ESTABLISHED state is set in
the kernel.  I realize that it is when iptables sees an ACK of a SYN
packet, for example, but if I have a firewall rule in the nat/PREROUTING
chain that checks to ensure that the connection is ESTABLISHED, will the
ACK packet cause the rule to be hit?  Does the connection tracking take
place before the mangle/PREROUTING chain?

 

I tried checking around the kernel code, but it wasn't immediately
obvious to me.  Thanks!

 

Paul


[-- Attachment #2: Type: text/html, Size: 2788 bytes --]

Re: connection tracking question

[Pablo Neira]

Hi Paul,

Paul Albert wrote:

> Specifically, I would like to know when the ESTABLISHED state is set 
> in the kernel.


mmm, i suppose that you are talking about a tcp connection, in that 
case, see file ip_conntrack_proto_tcp.c. If that's not enough, you can 
have a look at tcp-window-tracking patch available in pom-ng which add 
interesting comment to understand tcp tracking.

>   I realize that it is when iptables sees an ACK of a SYN packet, for 
> example, but if I have a firewall rule in the nat/PREROUTING chain 
> that checks to ensure that the connection is ESTABLISHED, will the ACK 
> packet cause the rule to be hit?  Does the connection tracking take 
> place before the mangle/PREROUTING chain?


yes, connection tracking is the first hook in prerouting/output, so it's 
done before mangle. It's also the last in postrouting/input.
 
regards,
Pablo

Re: connection tracking question

[Pablo Neira]

ops sorry, error... !:-)

Pablo Neira wrote:

>> Specifically, I would like to know when the ESTABLISHED state is set 
>> in the kernel.
>
>
> mmm, i suppose that you are talking about a tcp connection, 


not necessarily, you could be talking also about conntrack state, yes 
please have a look at:

http://lxr.linux.no/source/net/ipv4/netfilter/ip_conntrack_core.c#L738

function resolve_normal_ct, see the ct_info var. Don't mix tcp states 
with conntrack states, they are independent.

regards,
Pablo

Re: connection tracking question

[Henrik Nordstrom]

On Wed, 12 May 2004, Paul Albert wrote:

> Specifically, I would like to know when the ESTABLISHED state is set in
> the kernel.

In principle whenever there is a bare ACK.

For full details decode the state table in 
net/ipv4/netfilter/conntrack_proto_tcp.c, there you can see the exact TCP 
flag states that can cause a transition to ESTABLISHED.

Remember that the purpose of the conntrack TCP states is to try to deduce 
the TCP state of the endpoints, not to implement a TCP.

> I realize that it is when iptables sees an ACK of a SYN packet, for
> example, but if I have a firewall rule in the nat/PREROUTING chain that
> checks to ensure that the connection is ESTABLISHED, will the ACK packet
> cause the rule to be hit?

How do you match for ESTABLISHED?

ESTABLISHED != CONNECTED. The two is inherently different.

ESTABLISHED is a TCP state of ip_conntrack_proto_tcp indicating the type 
of packets currently seen on the connection and also used in conntrack 
expiration calculations.

CONNECTED is a state of conntrack indicating the nature of the flow of 
packets seen on the connection, or put simply that there is traffic in 
both directions.

> Does the connection tracking take place before the mangle/PREROUTING
> chain?

Yes. Connection tracking takes place before mostly everything. conntrack
runs in it's own hook very early in the packet processing.

Regards
Henrik