Re: Question on raw table and match state

Re: Question on raw table and match state

[Steven Kath]

----- "Pandu Poluan" <pandu@poluan.info> wrote: -----
> I am wondering if the following rule will work:
> 
> iptables -t raw -A PREROUTING -p icmp -m state --state
> RELATED,ESTABLISHED -j ACCEPT
> 

If you look at Jan's Netfilter packet flow diagram, you'll see that the raw PREROUTING chain is traversed before the conntrack functions are called.  State can not be determined until after the packet is compared to the conntrack table. The rule you described can't work and I think the iptables binaries won't allow it to be created. 

http://jengelh.medozas.de/images/nf-packet-flow.png

Re: Question on raw table and match state

[Pandu Poluan]

(sorry for top posting)

Strangely enough, the iptables binary does not complain when I tried:

iptables -t raw -A PREROUTING -p icmp -m state --state
ESTABLISHED,RELATED -j LOG --log-prefix "RP MATCH:"

or replacing LOG with ACCEPT. But checking dmesg shows that the rule
is not triggered. Just to be sure, I added the following:

iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j LOG
--log-prefix "FI MATCH:"

and dmesg indeed shows the rule triggering.

That said, I've now understood raw & conntrack much better, thanks.

Rgds,


On 2011-02-12, Steven Kath <steven.kath@vyatta.com> wrote:
> ----- "Pandu Poluan" <pandu@poluan.info> wrote: -----
>> I am wondering if the following rule will work:
>>
>> iptables -t raw -A PREROUTING -p icmp -m state --state
>> RELATED,ESTABLISHED -j ACCEPT
>>
>
> If you look at Jan's Netfilter packet flow diagram, you'll see that the raw
> PREROUTING chain is traversed before the conntrack functions are called.
> State can not be determined until after the packet is compared to the
> conntrack table. The rule you described can't work and I think the iptables
> binaries won't allow it to be created.
>
> http://jengelh.medozas.de/images/nf-packet-flow.png
>


-- 
--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/

[patch] warn on use of ctstate checking in raw

[Jan Engelhardt]

On Saturday 2011-02-12 03:14, Pandu Poluan wrote:

>(sorry for top posting)
>
>Strangely enough, the iptables binary does not complain when I tried:
>
>iptables -t raw -A PREROUTING -p icmp -m state --state
>ESTABLISHED,RELATED -j LOG --log-prefix "RP MATCH:"

Well, `rm -Rf *` also does not complain about files going away --
"Computer is a serious tool" :-)


Oh well, nature. Here's a patch for nature...

parent 44bd4de9c2270b22c3c898310102bc6be9ed2978 (v2.6.38-rc1-187-g44bd4de)
commit ddc00998c0b1aa720720529ebaac73bb142e531f
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Sat Feb 12 04:24:07 2011 +0100

netfilter: xt_conntrack: warn about use in raw table

nfct happens to run after the raw table only.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 net/netfilter/xt_conntrack.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 4ef1b63..2c0086a 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -272,6 +272,11 @@ static int conntrack_mt_check(const struct xt_mtchk_param *par)
 {
 	int ret;
 
+	if (strcmp(par->table, "raw") == 0) {
+		pr_info("state is undetermined at the time of raw table\n");
+		return -EINVAL;
+	}
+
 	ret = nf_ct_l3proto_try_module_get(par->family);
 	if (ret < 0)
 		pr_info("cannot load conntrack support for proto=%u\n",
-- 
# Created with git-export-patch

Re: [patch] warn on use of ctstate checking in raw

[Patrick McHardy]

Am 12.02.2011 04:27, schrieb Jan Engelhardt:
> netfilter: xt_conntrack: warn about use in raw table
> 
> nfct happens to run after the raw table only.
> 

APplied, thanks Jan.