* conntrack tuple
From: Miguel Alejandro González @ 2012-09-14 14:57 UTC
To: netfilter-devel

Hello

I have some questions about how the conntrack tuple handles ICMP error messages...

When an ICMP error packet arrives containing an embedded UDP or TCP packet, assuming there was already a UDP or TCP connection being tracked by conntrack, what are the IP addresses of the tuple, the ones from the ICMP error message or the ones from the embedded packet? Also, does the tuple save port information in this case, as well as ICMP type and code?

How does conntrack know that the ICMP error message is related to an existing connection?

Regards!
* Re: conntrack tuple
From: Pablo Neira Ayuso @ 2012-09-15 21:14 UTC
To: Miguel Alejandro González; +Cc: netfilter-devel

Hi,

On Fri, Sep 14, 2012 at 09:57:36AM -0500, Miguel Alejandro González wrote:
> Hello
>
> I have some questions about how the conntrack tuple handles ICMP error messages...
>
> When an ICMP error packet arrives containing an embedded UDP or TCP
> packet, assuming there was already a UDP or TCP connection being
> tracked by conntrack, what are the IP addresses of the tuple, the ones
> from the ICMP error message or the ones from the embedded packet?

It uses the inner headers of the ICMP error message, i.e. "the ones from
the embedded packet".

See net/ipv4/netfilter/nf_conntrack_proto_icmp.c

> Also, does the tuple save port information in this case, as well as ICMP
> type and code?

Conntrack does not save any ICMP error information.

> How does conntrack know that the ICMP error message is related to an
> existing connection?

The conntrack code looks up some existing entry by using the
information in the inner headers of the ICMP error message.

If no entry is found, the packet is considered invalid, and you can
drop it with iptables ... -m state --state INVALID
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
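The lookup Pablo describes, as an added example that is not code from this thread or from the kernel: a constructed Python model that takes an ICMP Destination Unreachable packet, builds the tuple from the embedded IP/UDP headers, and looks it up in both directions in a constructed table of tracked flows, returning RELATED on a match and INVALID otherwise. The tracked flow, the addresses and the packet bytes are constructed sample data; the table and helper names are assumptions of this example.

```python
import struct

# Constructed table of tracked flows, keyed by the original-direction tuple
# (src_ip, src_port, dst_ip, dst_port, proto); one UDP DNS query already seen.
TRACKED = {("10.0.0.2", 40000, "93.184.216.34", 53, 17)}
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # unreachable, quench, redirect, ttl exceeded, param problem

def ipv4_hdr(pkt):
    """Return (header length, protocol, src, dst) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return ihl, pkt[9], ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))

def classify_icmp_error(pkt):
    """Mimic conntrack: build the tuple from the ICMP error's inner headers and look it up.
    Returns (state, tuple); state is RELATED when a tracked flow matches in either direction,
    INVALID when nothing matches, NOT_ERROR for non-error ICMP such as echo."""
    ihl, proto, _, _ = ipv4_hdr(pkt)
    if proto != 1:
        raise ValueError("not an ICMP packet")
    icmp = pkt[ihl:]
    if icmp[0] not in ICMP_ERROR_TYPES:
        return "NOT_ERROR", None
    inner = icmp[8:]                     # embedded original IP header + first 8 bytes of L4
    if len(inner) < 20 + 8:
        return "INVALID", None
    in_ihl, in_proto, in_src, in_dst = ipv4_hdr(inner)
    if in_proto not in (6, 17) or len(inner) < in_ihl + 4:
        return "INVALID", None           # only TCP/UDP inner headers are modelled here
    sport, dport = struct.unpack("!HH", inner[in_ihl:in_ihl + 4])
    orig = (in_src, sport, in_dst, dport, in_proto)
    reply = (in_dst, dport, in_src, sport, in_proto)
    if orig in TRACKED or reply in TRACKED:
        return "RELATED", orig
    return "INVALID", orig               # what iptables -m state --state INVALID would drop

def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 header (checksum left zero; nothing verifies it here)."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ip(src), ip(dst)) + payload

def build_port_unreachable(router, orig_src, orig_dst, sport, dport):
    """ICMP type 3 code 3 from `router` quoting the UDP datagram orig_src:sport -> orig_dst:dport."""
    inner = build_ipv4(orig_src, orig_dst, 17, struct.pack("!HHHH", sport, dport, 8, 0))
    return build_ipv4(router, orig_src, 1, struct.pack("!BBHI", 3, 3, 0, 0) + inner)

if __name__ == "__main__":
    print(classify_icmp_error(build_port_unreachable("10.0.0.1", "10.0.0.2", "93.184.216.34", 40000, 53)))
```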
* Re: conntrack tuple
From: Miguel Alejandro González @ 2012-09-16 0:08 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel

So, I have this code, I got it from the Writing netfilter code ebook:

    const struct nf_conn *ct;
    const struct nf_conntrack_tuple *t;
    enum ip_conntrack_info ctinfo;
    enum ip_conntrack_dir dir;

    ct = nf_ct_get(skb, &ctinfo);
    /* bail out when the skb carries no conntrack entry (ct is dereferenced
     * below) or when the connection is not yet established */
    if (ct == NULL || ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)
        return false;

    dir = CTINFO2DIR(ctinfo);
    t = &ct->tuplehash[dir].tuple;

Assuming there was already an established UDP or TCP connection that passed by conntrack. And with what you told me, conntrack should get a tuple with the inner headers upon receiving a Destination Unreachable error message with an inner packet.

I'm testing this code and I get an ICMP tuple with 771 as id, is this OK? I think I should be getting a UDP or TCP tuple with the L4 headers from the inner packet...

I'm using kernel 2.6.38, I think you guys changed the tuple to have type and code instead of id in later versions.... maybe I should use the latest version...

In my module I have the function need_ipv4_conntrack() in the init function, I think this is enough to load conntrack.

Regards!

On Sat, Sep 15, 2012 at 4:14 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Hi,
>
> On Fri, Sep 14, 2012 at 09:57:36AM -0500, Miguel Alejandro González wrote:
>> Hello
>>
>> I have some questions about how the conntrack tuple handles ICMP error messages...
>>
>> When an ICMP error packet arrives containing an embedded UDP or TCP
>> packet, assuming there was already a UDP or TCP connection being
>> tracked by conntrack, what are the IP addresses of the tuple, the ones
>> from the ICMP error message or the ones from the embedded packet?
>
> It uses the inner headers of the ICMP error message, i.e. "the ones from
> the embedded packet".
>
> See net/ipv4/netfilter/nf_conntrack_proto_icmp.c
>
>> Also, does the tuple save port information in this case, as well as ICMP
>> type and code?
>
> Conntrack does not save any ICMP error information.
>
>> How does conntrack know that the ICMP error message is related to an
>> existing connection?
>
> The conntrack code looks up some existing entry by using the
> information in the inner headers of the ICMP error message.
>
> If no entry is found, the packet is considered invalid, and you can
> drop it with iptables ... -m state --state INVALID