Conntrack kernel Reading Notes in netfilter (5)


6. Principle of the TCP filter:

When the filter sees the first packet of a connection, it creates an entry for the connection in the global connection table and builds an original tuple and a reply tuple from the source and destination IP addresses and ports carried in the packet. The two tuples differ from each other and together identify the connection. Later packets are matched to their connection entry by these tuples, and the ACK number and data they carry are then checked against the history recorded in the entry.

The filter analyses every packet it has seen on the connection and derives maximum and minimum thresholds for the ACK number and for the data range, against which the ACK and data of each newly arriving packet are checked. These thresholds change dynamically: whenever a new packet passes the check, they are recomputed from what that packet carries. Before discussing how the thresholds are established, a few conventions. Assume the packets between A and B are being filtered:

- the filter sees all packets exchanged between A and B;

- the filter sees the window size advertised in every packet;

- if a packet sent by B carries the ACK flag with ACK = N, the filter can assume that B has received all of A's data before sequence number N.

1) Establishing the valid data boundaries in the connection entry:

Assume the data segment carried by a packet from A to B is [seq, seq + len), i.e. the data starts at sequence number seq and is len bytes long. Because A cannot send beyond B's current window, the upper bound on valid data is:

A: seq + len <= max_B { ack + max(win, 1) }    (I)

where max_B denotes the maximum over all packets seen from B (and max_A, below, the maximum over all packets seen from A). That is, the highest byte A may send is bounded by the largest ack + max(win, 1) seen in packets from B. The maximum over all of B's packets is used, rather than the value from B's most recent packet, because packets can arrive out of order and a packet can be delayed for other reasons. The max(win, 1) term is needed because the advertised window may be 0: in that case the TCP persist timer lets A send a one-byte window probe at intervals, so one byte beyond the ack must still count as valid. Packets above this upper bound would exceed B's window anyway, so the filter can simply drop them instead of forwarding them to B.

Lower bound of valid data:

A: seq >= max_A { seq + len } - max_B { max(win, 1) }    (II)

If the largest window B has advertised is N, B can buffer at most N bytes and A can have at most N unacknowledged bytes in flight; a packet whose data starts more than N bytes behind the highest byte A has already sent can only be a retransmission of data B has already acknowledged, and forwarding it is pointless.

2) Establishing the valid ACK boundaries in the connection entry:

Because A cannot acknowledge data it has not received, the ACK in A's packet cannot exceed the highest sequence number B has sent. The upper bound on a valid ACK is therefore:

A: ack <= max_B { seq + len }    (III)

The lower bound of the ACK is harder to pin down. Because packets arrive out of order, the filter uses a loose bound so that valid ACKs are not blocked:

A: ack >= max_B { seq + len } - MAXACKWINDOW    (IV)

MAXACKWINDOW is defined as 66000, slightly above the largest window (65535) TCP can advertise without window scaling. The size of this constant determines how likely a valid ACK is to be blocked.

7. Linux implementation:

    struct ip_ct_tcp_state {
        u_int32_t td_end;    /* max of seq + len */
        u_int32_t td_maxend; /* max of ack + max(win, 1) */
        u_int32_t td_maxwin; /* max(win) */
        u_int8_t  td_scale;  /* window scale factor */
        u_int8_t  loose;     /* used when connection picked up from the middle */
        u_int8_t  flags;     /* per direction options */
    };

    struct ip_ct_tcp {
        struct ip_ct_tcp_state seen[2]; /* connection parameters per direction */
        ...
    };

ip_ct_tcp is the structure that records the state of a TCP connection. seen is an array of two entries: seen[0] records the original direction (the connection initiator) and seen[1] the reply direction. TCP admits two forms of the window check on an incoming segment (RFC 793): RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, or RCV.NXT <= SEG.SEQ + SEG.LEN - 1 < RCV.NXT + RCV.WND. Formula (I) in the preceding section uses the latter form (it bounds seq + len); Linux uses the former (it bounds seq).

- sender.td_end = max(seq + len) over the packets sent by the sender;

- td_maxend corresponds to max{ack + max(win, 1)} over the packets from the sender, but in Linux it is receiver.td_maxend = max(sack + max(win, 1)) over the packets from the sender: if the packet carries the SACK option, the highest byte the sender has actually acknowledged is the right edge of the SACK blocks, which is larger than ack. Note that a packet updates the td_maxend of the receiver, because the sender's ack and window bound what the receiver may send next;

- td_maxwin corresponds to max{win, 1}. In Linux, for the sender of the packet, sender.td_maxwin = max(max(win, 1) + (sack - ack)); for the receiver of the packet, if seq + len > sender.td_maxend for the current packet, then receiver.td_maxwin += seq + len - sender.td_maxend.

The thresholds used in Linux are equivalent to the four formulas above:

I. Upper bound of valid data: seq <= sender.td_maxend

II. Lower bound of valid data: seq + len >= sender.td_end - receiver.td_maxwin (this follows from (II): since max(ack) <= seq <= sender.td_maxend, seq + len >= max(ack) + len; and max(ack) >= sender.td_maxend - receiver.td_maxwin >= max(seq) - receiver.td_maxwin, so max(ack) + len >= max(seq) + len - receiver.td_maxwin)

III. Upper bound of valid ACK: sack <= receiver.td_end

IV. Lower bound of valid ACK: ack >= receiver.td_end - MAXACKWINDOW(sender), where in the kernel MAXACKWINDOW(sender) is the larger of the constant 66000 and sender.td_maxwin

8. tcp_in_window:

    /* 1. Obtain seq, ack, win and end = seq + len from the packet */
    seq = ntohl(tcph->seq);
    ack = sack = ntohl(tcph->ack_seq);
    win = ntohs(tcph->window);
    end = segment_seq_plus_len(seq, skb->len, iph, tcph);

    /* 2. If the SACK option is present, take the right edge of the
     *    highest SACK block as sack */
    if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM)
        tcp_sack(skb, iph, tcph, &sack);

    /* 3. sender->td_end == 0 means nothing has been seen yet in this
     *    direction. For the original direction this is never the case
     *    after the first packet, so in practice only the reply side's
     *    answer to the original SYN reaches this branch */
    if (sender->td_end == 0) {
        /* SYN/ACK: a normal connection tracked from its start;
         * initialise the connection state */
        if (tcph->syn && tcph->ack) {
            ...
        } else {
            /* A connection that already existed but whose history was
             * lost to the filter: tracking restarts from this packet */
            ...
        }
    } else if (((state->state == TCP_CONNTRACK_SYN_SENT
                 && dir == IP_CT_DIR_ORIGINAL)
                || (state->state == TCP_CONNTRACK_SYN_RECV
                    && dir == IP_CT_DIR_REPLY))
               && after(end, sender->td_end)) {
        /* RFC 793: "If a TCP is reinitialized ... then it need not wait
         * at all; it must only be sure to use sequence numbers larger
         * than those recently used." */
        ...
    }

    ...

    /* 4. The core of the function: the four checks above are applied
     *    and, if they pass, the connection state is updated */
    if (sender->loose || receiver->loose ||
        (before(seq, sender->td_maxend + 1) &&
         after(end, sender->td_end - receiver->td_maxwin - 1) &&
         before(sack, receiver->td_end + 1) &&
         after(ack, receiver->td_end - MAXACKWINDOW(sender)))) {
        ...
    }
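As an added example (not kernel code and not from the original post), the following userspace C program models the checks described in sections 6 and 8: bounds (I) to (IV) implemented with modular sequence comparison, the seeding of td_end, td_maxend and td_maxwin on the first packet of each direction, and the update of the peer's td_maxend from a packet's ack + max(win, 1). Window scaling and the SACK option are not modelled (sack == ack), MAXACKWINDOW(sender) is the larger of 66000 and sender.td_maxwin as in the kernel macro, and struct pkt and the seven-packet trace are constructed for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code: userspace model of tcp_in_window()'s
 * four checks and state updates. No window scaling, no SACK (sack == ack).
 * struct pkt and the trace below are constructed for this demo. */

#define MAXACKWINCONST 66000
#define MAXACKWINDOW(sender) \
	((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin : MAXACKWINCONST)

/* Modular 32-bit sequence comparison, like the kernel's after()/before(). */
static bool after(uint32_t a, uint32_t b)  { return (int32_t)(a - b) > 0; }
static bool before(uint32_t a, uint32_t b) { return after(b, a); }

struct tcp_state {
	uint32_t td_end;    /* highest seq + len sent by this side */
	uint32_t td_maxend; /* highest ack + max(win, 1) received from the peer */
	uint32_t td_maxwin; /* largest window this side has advertised */
};
struct tcp_ct { struct tcp_state seen[2]; }; /* 0 = original, 1 = reply */

enum { F_SYN = 1, F_ACK = 2 };
struct pkt {
	int dir;                /* 0 = original, 1 = reply */
	uint32_t seq, ack, len; /* header seq/ack and payload length */
	uint16_t win;           /* advertised window (unscaled) */
	int flags;
};

/* Returns true if p passes the window check; state is updated only then. */
static bool tcp_in_window(struct tcp_ct *ct, const struct pkt *p)
{
	struct tcp_state *sender = &ct->seen[p->dir];
	struct tcp_state *receiver = &ct->seen[!p->dir];
	uint32_t seq = p->seq, win = p->win;
	uint32_t ack = (p->flags & F_ACK) ? p->ack : 0, sack = ack;
	uint32_t end = seq + p->len + ((p->flags & F_SYN) ? 1 : 0); /* segment_seq_plus_len */

	if (sender->td_end == 0) { /* first packet in this direction: seed the state */
		sender->td_end = sender->td_maxend = end;
		sender->td_maxwin = win ? win : 1;
	}
	if (!(before(seq, sender->td_maxend + 1) &&                   /* I   */
	      after(end, sender->td_end - receiver->td_maxwin - 1) && /* II  */
	      before(sack, receiver->td_end + 1) &&                   /* III */
	      after(ack, receiver->td_end - MAXACKWINDOW(sender))))   /* IV  */
		return false;

	/* Sender side: widest window it has offered, highest byte it has sent. */
	if (sender->td_maxwin < win + (sack - ack))
		sender->td_maxwin = win + (sack - ack);
	if (after(end, sender->td_end))
		sender->td_end = end;
	/* Receiver side: the sender's ack + win bounds what the receiver may send. */
	if (after(end, sender->td_maxend))
		receiver->td_maxwin += end - sender->td_maxend;
	if ((p->flags & F_ACK) && after(sack + win, receiver->td_maxend - 1))
		receiver->td_maxend = sack + win + (win == 0 ? 1 : 0); /* max(win, 1) */
	return true;
}

/* Constructed trace: handshake, 500 bytes of data, then two bad packets. */
static const struct pkt trace[] = {
	{0, 1000,    0,   0, 1000, F_SYN},         /* A: SYN, ISN 1000 */
	{1, 5000, 1001,   0, 2000, F_SYN | F_ACK}, /* B: SYN/ACK, ISN 5000, win 2000 */
	{0, 1001, 5001,   0, 1000, F_ACK},         /* A: ACK */
	{0, 1001, 5001, 500, 1000, F_ACK},         /* A: 500 bytes of data */
	{1, 5001, 1501,   0, 2000, F_ACK},         /* B: acks them; A may now send up to 3501 */
	{0, 3600, 5001, 100, 1000, F_ACK},         /* A: seq past B's window, fails I */
	{0, 1501, 9000,   0, 1000, F_ACK},         /* A: acks data B never sent, fails III */
};
#define NPKTS (sizeof trace / sizeof trace[0])

/* Runs the trace against an entry; bit i is set if packet i was accepted. */
int run_trace(struct tcp_ct *ct)
{
	int mask = 0;
	for (size_t i = 0; i < NPKTS; i++)
		if (tcp_in_window(ct, &trace[i]))
			mask |= 1 << i;
	return mask;
}
int demo_accepted_mask(void) { struct tcp_ct ct = {{{0}}}; return run_trace(&ct); }
uint32_t demo_td_maxend(int dir)
{
	struct tcp_ct ct = {{{0}}};
	run_trace(&ct);
	return ct.seen[dir].td_maxend;
}

int main(void)
{
	struct tcp_ct ct = {{{0}}};
	int mask = run_trace(&ct);
	for (size_t i = 0; i < NPKTS; i++)
		printf("pkt %zu: %s\n", i, ((mask >> i) & 1) ? "accepted" : "dropped");
	for (int d = 0; d < 2; d++)
		printf("seen[%d]: td_end=%u td_maxend=%u td_maxwin=%u\n", d,
		       ct.seen[d].td_end, ct.seen[d].td_maxend, ct.seen[d].td_maxwin);
	return 0;
}
```

Packets 5 and 6 are the interesting ones for a practitioner: a segment whose seq lies beyond the peer's ack + win (bound I) and an ACK for data the peer never sent (bound III) are both dropped without touching the tracked state, which is what an injected or spoofed segment that guessed seq or ack wrongly looks like to conntrack. The first five packets are accepted, and after B's ACK in packet 4 the original direction's td_maxend is 1501 + 2000 = 3501.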
