Qustion wrt state RELATED,ESTABLISHED

All of lore.kernel.org
 help / color / mirror / Atom feed

* Qustion wrt state RELATED,ESTABLISHED
@ 2004-07-07  3:48 Michael Frank
  2004-07-07  5:11 ` Rob Sterenborg
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Frank @ 2004-07-07  3:48 UTC (permalink / raw)
  To: netfilter

Is my  assumtion correct that state RELATED,ESTABLISHED checks all flags
for match and thus this state can (and should be for performance reasons)
be the first in each table ?

Chain INPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes       target     prot opt in     out     source               destination
15172 2029K ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED
  0       0             BADTCP     tcp  --  any    any     anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
....

Chain BADTCP (6 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 LOG        all  --  any    any     anywhere             anywhere           limit: avg 3/min burst 3 LOG level alert prefix `ipt - Blocked Bad TCP flag: '
     0     0 DROP       all  --  any    any     anywhere             anywhere

	Thank you
	Michael

^ permalink raw reply	[flat|nested] 3+ messages in thread

* RE: Qustion wrt state RELATED,ESTABLISHED
  2004-07-07  3:48 Qustion wrt state RELATED,ESTABLISHED Michael Frank
@ 2004-07-07  5:11 ` Rob Sterenborg
  2004-07-07  6:13   ` Michael Frank
  0 siblings, 1 reply; 3+ messages in thread
From: Rob Sterenborg @ 2004-07-07  5:11 UTC (permalink / raw)
  To: netfilter

> Is my  assumtion correct that state RELATED,ESTABLISHED 
> checks all flags
> for match and thus this state can (and should be for 
> performance reasons)
> be the first in each table ?

No, it checks the *state*.

The first packet that is seen in a connection has state NEW, the rest
have state ESTABLISHED or RELATED (as with e.g. ftp). Since these
packets are let's say 99% in a connection, the ESTABLISHED and RELATED
match will match the most packets. Also see the byte/packet counters for
this (first 2 columns in the list below).
That's why you probably want that rule somewhere on top for performance
reasons because the rules are traversed in the order they are entered,
and therefore matched in the order they are entered.

> Chain INPUT (policy DROP 0 packets, 0 bytes)
>   pkts bytes       target     prot opt in     out     source  
>              destination

> 15172 2029K ACCEPT     all  --  any    any     anywhere       
>       anywhere           state RELATED,ESTABLISHED

Rule 1 (state checking)

>   0       0             BADTCP     tcp  --  any    any     
> anywhere             anywhere           tcp 
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG

Rule 2 (flag checking)

So you have 2 separate rules ; 1 for state and 1 for flag checking.

Gr,
Rob

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Qustion wrt state RELATED,ESTABLISHED
  2004-07-07  5:11 ` Rob Sterenborg
@ 2004-07-07  6:13   ` Michael Frank
  0 siblings, 0 replies; 3+ messages in thread
From: Michael Frank @ 2004-07-07  6:13 UTC (permalink / raw)
  To: Rob Sterenborg, netfilter

On Wed, 7 Jul 2004 07:11:50 +0200, Rob Sterenborg <rob@sterenborg.info> wrote:

>> Is my  assumtion correct that state RELATED,ESTABLISHED
>> checks all flags
>> for match and thus this state can (and should be for
>> performance reasons)
>> be the first in each table ?
>
> No, it checks the *state*.
>
> The first packet that is seen in a connection has state NEW, the rest
> have state ESTABLISHED or RELATED (as with e.g. ftp). Since these
> packets are let's say 99% in a connection, the ESTABLISHED and RELATED
> match will match the most packets. Also see the byte/packet counters for
> this (first 2 columns in the list below).
> That's why you probably want that rule somewhere on top for performance
> reasons because the rules are traversed in the order they are entered,
> and therefore matched in the order they are entered.
>
>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>   pkts bytes       target     prot opt in     out     source
>>              destination
>
>> 15172 2029K ACCEPT     all  --  any    any     anywhere
>>       anywhere           state RELATED,ESTABLISHED
>
> Rule 1 (state checking)
>
>>   0       0             BADTCP     tcp  --  any  .   any
>> anywhere             anywhere           tcp
>> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
>
> Rule 2 (flag checking)
>
> So you have 2 separate rules ; 1 for state and 1 for flag checking.
>
>

Thank you for your reply.

I apprectiate that first packet is NEW and others are EST/REL.

My point is, does EST/REL _match_ state and packets exactly and ignore
packets with _mismatching_ flags so I do _not_ have to check them
_before_ EST/REL and check them _only_ for NEW ??

Ok here is bigger example:

Chain INPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
  437K  100M ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED
   488  107K EXTIF      all  --  ppp0   any     anywhere             anywhere
     9   588 ACCEPT     all  --  lo     any     anywhere             anywhere              < ---lo and eth0 local is still too easy and under development :)
   450 42411 ACCEPT     all  --  eth0   any     anywhere             anywhere
     0     0 LOG        all  --  any    any     anywhere             anywhere           limit: avg 3/min burst 3 LOG level alert prefix `ipt - INPUT dropped: '

Chain EXTIF (1 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 BADTCP     tcp  --  any    any     anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
     0     0 BADTCP     tcp  --  any    any     anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
     0     0 BADTCP     tcp  --  any    any     anywhere             anywhere           tcp flags:SYN,RST/SYN,RST
     0     0 BADTCP     tcp  --  any    any     anywhere             anywhere           tcp flags:FIN,SYN/FIN,SYN
     0     0 BADTCP     tcp  --  any    any     anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
     0     0 BADTCP     tcp  --  any    any     anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
     1    28 PINGFLOOD  icmp --  any    any     anywhere             anywhere           icmp echo-request
    52  2564 SYNFLOOD   tcp  --  any    any     anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN

..... additional NEW enties eg for http

Logging here would be optional - great way to spam the logs.

    69  3422 DROP       all  --  any    any     anywhere             anywhere

Chain BADTCP (6 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 LOG        all  --  any    any     anywhere             anywhere           limit: avg 3/min burst 3 LOG level alert prefix `ipt - Blocked Bad TCP flag: '
     0     0 DROP       all  --  any    any     anywhere             anywhere

Chain PINGFLOOD (1 references)
  pkts bytes target     prot opt in     out     source               destination
     1    28 RETURN     all  --  any    any     anywhere             anywhere           limit: avg 10/sec burst 3
     0     0 LOG        all  --  any    any     anywhere             anywhere           limit: avg 3/min burst 3 LOG level alert prefix `ipt - Blocked PING Flood: '
     0     0 DROP       all  --  any    any     anywhere             anywhere

Chain SYNFLOOD (1 references)
  pkts bytes target     prot opt in     out     source               destination
    52  2564 RETURN     all  --  any    any     anywhere             anywhere           limit: avg 10/sec burst 3
     0     0 LOG        all  --  any    any     anywhere             anywhere           limit: avg 3/min burst 3 LOG level alert prefix `ipt - Blocked SYN Flood: '
     0     0 DROP       all  --  any    any     anywhere             anywhere


	Regards
	Michael





^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2004-07-07  6:13 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-07-07  3:48 Qustion wrt state RELATED,ESTABLISHED Michael Frank
2004-07-07  5:11 ` Rob Sterenborg
2004-07-07  6:13   ` Michael Frank

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.