Kernel version: 2.6.34
The previous section described the NetFilter framework (http://blog.csdn.net/qy532846454/article/details/6605592). The connection tracking described in this section is implemented on top of NetFilter, and it is the basis of DNAT, SNAT and stateful firewalls. Its essence is to record a "connection": any exchange in which one side sends a packet and the other side answers counts as a connection, so this covers TCP, UDP, and part of ICMP/IGMP as well. What the recorded connections are used for has to be understood together with the applications built on them (NAT and so on); that is not the focus here. This article analyzes how connection tracking itself is implemented.
Recall the hook points in the NetFilter framework (hooks from here on). A hook sits on the path a packet takes through the gateway's protocol stack: the packet is intercepted there and the functions registered on that hook are run. Connection tracking uses several of these hooks, corresponding to the receive, send and forward paths of a packet, as the figure below shows:
Connection tracking is simply a set of functions registered on those hooks (registered in nf_conntrack_l3proto_ipv4_init); the hook table is ipv4_conntrack_ops, as follows:
static struct nf_hook_ops ipv4_conntrack_ops[] __read_mostly = {
	{
		/* incoming packets, before routing */
		.hook		= ipv4_conntrack_in,
		.owner		= THIS_MODULE,
		.pf		= NFPROTO_IPV4,
		.hooknum	= NF_INET_PRE_ROUTING,
		.priority	= NF_IP_PRI_CONNTRACK,
	},
	{
		/* locally generated packets */
		.hook		= ipv4_conntrack_local,
		.owner		= THIS_MODULE,
		.pf		= NFPROTO_IPV4,
		.hooknum	= NF_INET_LOCAL_OUT,
		.priority	= NF_IP_PRI_CONNTRACK,
	},
	{
		/* confirm the entry once a forwarded/sent packet has passed the other hooks */
		.hook		= ipv4_confirm,
		.owner		= THIS_MODULE,
		.pf		= NFPROTO_IPV4,
		.hooknum	= NF_INET_POST_ROUTING,
		.priority	= NF_IP_PRI_CONNTRACK_CONFIRM,
	},
	{
		/* confirm the entry for a packet delivered locally */
		.hook		= ipv4_confirm,
		.owner		= THIS_MODULE,
		.pf		= NFPROTO_IPV4,
		.hooknum	= NF_INET_LOCAL_IN,
		.priority	= NF_IP_PRI_CONNTRACK_CONFIRM,
	},
};
The same registration is easier to see as a table (hook function, hook point, priority):

    ipv4_conntrack_in       NF_INET_PRE_ROUTING     NF_IP_PRI_CONNTRACK
    ipv4_conntrack_local    NF_INET_LOCAL_OUT       NF_IP_PRI_CONNTRACK
    ipv4_confirm            NF_INET_POST_ROUTING    NF_IP_PRI_CONNTRACK_CONFIRM
    ipv4_confirm            NF_INET_LOCAL_IN        NF_IP_PRI_CONNTRACK_CONFIRM

The entry for a packet is looked up or created at PRE_ROUTING (received packets) or LOCAL_OUT (locally generated packets); it is only confirmed, at the lowest priority, at POST_ROUTING (forwarded or sent packets) or LOCAL_IN (packets delivered to the local host), after the packet has survived the other hooks.
As said at the beginning, the purpose of connection tracking is to record the information of a connection. The corresponding data structure is the tuple, and a connection carries two of them: the forward (original) tuple and the reply tuple (repl_tuple). Both TCP and UDP are targets of connection tracking. When A sends a packet to B and A then receives B's reply, we say the connection is established, and its state in connection tracking is ESTABLISHED. One point deserves particular attention: the recorded information of a connection is the same for both sides, regardless of who initiated it. Taking the direction as an example: A sends a packet to B. For A, it sent the packet first, so A->B is the forward direction and B->A is the reply direction. For B, it received the packet first, but the same holds: A->B is the forward direction and B->A is the reply direction. In other words, the direction is fixed by the first packet seen, not by which end is being looked at.
With this in mind, each connection has the following information:
tuple [sip sport dip dport proto]
that is, the source IP, source port, destination IP, destination port and protocol of the forward direction; the reply tuple is the same five fields with source and destination swapped.
The UDP process
The establishment of UDP connection tracking is in effect a simplified version of the TCP one: there is no three-way handshake, so once a packet has been seen in one direction and a packet in the other, connection tracking for that flow is complete.
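To make the tuple/reply-tuple and the UDP "one packet each way" rule concrete, here is an added user-space model (example code written for this article, not kernel code). It derives the five-field tuple from a packet, inverts it into the reply tuple, looks a packet up against both directions of every entry, and classifies the packet as NEW or ESTABLISHED exactly as described above. All names (ct_tuple, ct_entry, ct_handle_packet, the 10.0.0.x addresses) are invented for the model, and the entry is inserted into the table immediately rather than deferred to a confirm step.

```c
/* Added example: user-space model of conntrack tuples and the UDP
 * NEW -> ESTABLISHED transition.  Not kernel code; names are invented. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_UDP 17

enum ct_dir { DIR_ORIGINAL = 0, DIR_REPLY = 1 };

/* The five fields the page lists: [sip sport dip dport proto]. */
struct ct_tuple {
    uint32_t sip, dip;
    uint16_t sport, dport;
    uint8_t  proto;
};

/* One tracked connection: a tuple per direction plus a "reply seen" flag. */
struct ct_entry {
    struct ct_tuple tuple[2];   /* [DIR_ORIGINAL], [DIR_REPLY] */
    int seen_reply;
    int in_use;
};

/* Tiny fixed table standing in for the kernel's conntrack hash. */
#define CT_MAX 8
static struct ct_entry ct_table[CT_MAX];

static int tuple_equal(const struct ct_tuple *a, const struct ct_tuple *b)
{
    return a->sip == b->sip && a->dip == b->dip && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

/* Reply tuple = original tuple with source and destination swapped. */
static struct ct_tuple invert_tuple(const struct ct_tuple *t)
{
    struct ct_tuple r = { .sip = t->dip, .dip = t->sip,
                          .sport = t->dport, .dport = t->sport,
                          .proto = t->proto };
    return r;
}

/* Match a packet's tuple against both directions of every live entry. */
static struct ct_entry *find_conntrack(const struct ct_tuple *t, enum ct_dir *dir)
{
    for (int i = 0; i < CT_MAX; i++) {
        if (!ct_table[i].in_use)
            continue;
        if (tuple_equal(t, &ct_table[i].tuple[DIR_ORIGINAL])) { *dir = DIR_ORIGINAL; return &ct_table[i]; }
        if (tuple_equal(t, &ct_table[i].tuple[DIR_REPLY]))    { *dir = DIR_REPLY;    return &ct_table[i]; }
    }
    return NULL;
}

enum ct_state { CT_NEW, CT_ESTABLISHED, CT_ESTABLISHED_REPLY, CT_TABLE_FULL };

/* Model of the PRE_ROUTING / LOCAL_OUT step: resolve or create the entry
 * for a packet and return the state the packet is classified into. */
static enum ct_state ct_handle_packet(const struct ct_tuple *t)
{
    enum ct_dir dir;
    struct ct_entry *ct = find_conntrack(t, &dir);

    if (!ct) {
        /* First packet of a flow: whichever way it travels becomes "original". */
        for (int i = 0; i < CT_MAX; i++) {
            if (ct_table[i].in_use)
                continue;
            ct = &ct_table[i];
            ct->in_use = 1;
            ct->seen_reply = 0;
            ct->tuple[DIR_ORIGINAL] = *t;
            ct->tuple[DIR_REPLY] = invert_tuple(t);
            return CT_NEW;
        }
        return CT_TABLE_FULL;
    }
    if (dir == DIR_REPLY) {
        ct->seen_reply = 1;        /* one packet each way: the flow is established */
        return CT_ESTABLISHED_REPLY;
    }
    /* Original direction stays NEW until a reply has been seen. */
    return ct->seen_reply ? CT_ESTABLISHED : CT_NEW;
}

static void ct_reset(void) { memset(ct_table, 0, sizeof ct_table); }

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Constructed UDP exchange: A(10.0.0.2:40000) -> B(10.0.0.53:53), then B's reply.
 * Returns 1 when every step classifies as the text describes. */
static int demo_udp(void)
{
    struct ct_tuple a_to_b = { ip4(10,0,0,2), ip4(10,0,0,53), 40000, 53, PROTO_UDP };
    struct ct_tuple b_to_a = invert_tuple(&a_to_b);
    struct ct_tuple back = invert_tuple(&b_to_a);   /* inverting twice gives the original */
    ct_reset();
    enum ct_state s1 = ct_handle_packet(&a_to_b);   /* first packet: NEW */
    enum ct_state s2 = ct_handle_packet(&a_to_b);   /* retransmit, still NEW: no reply yet */
    enum ct_state s3 = ct_handle_packet(&b_to_a);   /* reply direction: established */
    enum ct_state s4 = ct_handle_packet(&a_to_b);   /* original direction, now ESTABLISHED */
    printf("A->B %d, A->B %d, B->A %d, A->B %d\n", s1, s2, s3, s4);
    return tuple_equal(&a_to_b, &back) && s1 == CT_NEW && s2 == CT_NEW &&
           s3 == CT_ESTABLISHED_REPLY && s4 == CT_ESTABLISHED;
}

int main(void) { return demo_udp() ? 0 : 1; }
```

Note the difference from the real hook table above: the kernel creates the entry at PRE_ROUTING or LOCAL_OUT but only adds it to the hash in ipv4_confirm at POST_ROUTING or LOCAL_IN, so a packet dropped in between never leaves an entry behind; this model inserts immediately for brevity.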