Part two connection tracking

There are no specific prerequisites. From 2.6.23 to 2.6.25,api maintained a great acquaintance. There is a little type change in 2.6.26 (-RC1). Xtables-addons does not provide a portable API that includes connection tracking, because it is not required for a module to fit in, but the compilation system is very convenient to use.

6 Nf_conn Structural body

Sometimes it is necessary to get the parameters of the connection. The function Nf_ct_get can find the packet's corresponding connection and, if it exists, returns the connection and returns the connection state. In order to use the Nf_ct_get function, you need to include the <net/netfilter/nf_conntrack.h>, and in order to use the enum Ip_conntrack_info, you also need to include <linux/ Netfilter/nf_conntrack_common.h>. This header file is distributed in the linux/directory to export it to user space, and these static values, such as ip_ct_new, are useful in user space, of course nf_ct_get can only be used in the kernel.

#include <linux/netfilter/nf_conntrack_common.h>

Enum Ip_conntrack_infoctinfo;

struct Nf_conn *ct;

ct = nf_ct_get (skb,&ctinfo);

There are a number of connection states in which you can match them, or print out the connection information through the Xt_logmark of the Xtables Conntrack, which is a target extension. Note that the connection tracking subsystem will be processed before the mangle table after the raw table.

if (ct = NULL)

Pr_info ("Thisis--ctstate invalid\n");

When the connection tracking subsystem declares the connection as invalid, the CT may be null, such as sending a TCP SYN over an existing connection.

else if (CT ==&nf_conntrack_untracked)

Pr_info ("Thisone is not tracked\n");

In the raw table, the target of the notrack will exempt the packet from the connection trace; This feature is useful for tarpit goals. It is also commonly used for any packets you want to discard, but in general, people don't complain because it usually happens in duplicate rules. If only the packet is discarded in the filter table, it means that the corresponding connection tracking representation will be saved to its timeout, which in general can work well. The default timeout is dependent on the specific protocol and implementation, and the connection you discard is new, typically 30 seconds to 2 minutes.

else if (ctinfo% ip_ct_is_reply = = ip_ct_new)

Pr_info ("Thisis the packet in a connection\n");

else if (ctinfo% ip_ct_is_reply = = ip_ct_related)

Pr_info ("Welcomemr.") Bond, we have been expecting you\n ");

else if (ctinfo% ip_ct_is_reply = = ip_ct_established)

Pr_info ("Youcan figure out of this one!\n");

If the CT is not null and is not an invalid connection-tracking table entry, such as a package that is not tracked, the connection is valid and its state can be found in the ctinfo. The enumip_conntrack_ctinfo blends the status of the connection and the direction of the packet.

Ip_ct_new, New Connection

Ip_ct_related, also a new connection, is just a waiting connection.

Ip_ct_established, the connection is established and the current packet is in the original direction.

Ip_ct_established +ip_ct_is_reply, the connection has been established and the packet is in the direction of reply.

ip_ct_related + ip_ct_is_reply, expect the connection to begin, while the packet is in the reply direction. It is very surprising that the first package can be in the reply direction (note: The connection of the reply direction is not the original one). This is actually used for ICMP replies.

Ip_ct_new + ip_ct_is_reply is not used, and is not legal.

Extracts the state of the connection trace by using the Ctinfo%ip_ct_is_reply (in this case, similar to Ctinfo & ~ip_ct_is_reply). The direction of the packet can also be obtained by ctinfo/ip_ct_is_reply, but a more convenient macro ctinfo2dir (Ctinfo) can be used, defined in <linux/netfilter/nf_conntrack_tuple_ Common.h>.

Connection Tracker

The connection tracker is a very important part of the connection tracking architecture and relates to the implementation of the State firewall. Its main task is to find the corresponding connection information for an IP packet and ensure the correctness of the packet and its parameters. For example, TCP data Flow, detection window size and TCP state conversion is correct.

In the simplest case, simply copying the source address and destination address to Structnf_conntrack_tuple,structnf_conntrack_tuple will be connected to the other to form a known connection table. The connection tracking is split into two categories, layer-3 and layer-4 modules to achieve maximum modularity. There are, of course, layer-5 connection trackers, called connection aids, because these functions are not working for the current connection, but for new connections later.

7 layer-3 Connection Tracker

7.1 Goals

The problem, of course, is that the chapter will be filled with weird ideas about how these answers will be broken down.

A layer-3 connection tracker that does not exist in the kernel will make a very difficult task. Not just because IPv4 and IPv6 are the most dominant agreements, but also because the kernel does not now have netfilter hooks in other protocols, except for the Special One.

This has led to some very interesting tasks. There was a connection tracker written for IPX, but the revival of the old DOS game was finally proven to be a long-term view because of the technical problems of modern operating systems. When we found that in the ARP input and output path and no netfilter hook, access to ARP connection tracking is not so fruitful, so the idea is scrapped, because we do not want readers to modify the kernel, compile and install and so on process.

7.2 Structural Body Definition

The LAYER-3 tracker structure is defined in <net/netfilter/nf_conntrack_l3proto.h>. It contains the data packets to the tuple association, the tuple rollover function and the function to obtain the 4-layer protocol number.

struct Nf_conntrack_l3proto {

const char *name;

uint16_t L3proto;

BOOL (*pkt_to_tuple) (const struct Sk_buff *skb, unsigned int nhoff,

struct nf_conntrack_tuple *tuple);

BOOL (*invert_tuple) (struct nf_conntrack_tuple *inverse,

const struct Nf_conntrack_tuple *orig);

Int (*print_tuple) (struct seq_file *,

const struct nf_conntrack_tuple *);

Int (*get_l4proto) (const struct Sk_buff *skb, unsigned int nhoff,

unsigned int *dataoff, uint8_t *protonum);

struct module *me;

};

When the actual four-layer section is missing, the three-layer connection tracker is essentially useless. Functions Pkt_to_tuple and Invert_tuple will be invoked, but no connection tracking table entries have been created, and you cannot see the corresponding table entries through the conntrack–l command or/proc/net/nf_conntrack. Connection tracking and event generation can only be registered with the four-tier connection tracker.

The function Get_l4proto should check the packet and return the 4-layer protocol number, it may also return-nf_accept, meaning that the connection is not being traced properly.

7.3 General L4 Tracking

Although the four-tier tracking is only for the most common protocols, many protocols can still be tracked because a common tracker can be used. Ah and ESP are two examples of this category.

The Universal tracker maps all the four-tier protocols of the packets to a single connection, which is logically possible. This connection tracking table will look like this:

# conntrack-l |grep "^unknown"

Unknown 537 src=192.168.0.137dst=192.168.16.34 packets=12 bytes=1456

src=192.168.16.34 dst=192.168.0.137packets=12 bytes=2704 mark=0 use=1

We hope that the reader can forgive this chapter too short. At the same time we confirm that the three-level tracker is very similar to the four layer, and we will track four levels in the next section.

84-Layer Connection Tracker

8.1 Structural Body Definition

The definition of a four-tier tracker is contained in <net/netfilter/nf_conntrack_l4proto.h>, and the order of these callback functions is sorted from error to destroy, describing the entire sequence of packet flows.

struct Nf_conntrack_l4proto {

const char *name;

uint16_t L3proto;

uint8_t L4proto;

Int (*error) (struct Sk_buff *, unsigned int dataoff,

Enum Ip_conntrack_info *ctinfo,unsigned int pf,

unsigned int hooknum);

BOOL (*pkt_to_tuple) (const struct Sk_buff *skb,

unsigned int dataoff,

struct nf_conntrack_tuple *tuple);

BOOL (*invert_tuple) (struct nf_conntrack_tuple *inverse,

const struct Nf_conntrack_tuple *original);

Int (*packet) (struct nf_conn *ct, const struct Sk_buff,

unsigned int dataoff, enum Ip_conntrack_info Ctinfo,

unsigned int pf, unsigned int hooknum);

BOOL (*new) (struct nf_conn *ct, const struct Sk_buff, *SKB,

unsigned int dataoff);

void (*destroy) (struct nf_conn *ct);

Int (*print_conntrack) (struct seq_file *s,

const struct Nf_conn *ct);

Int (*print_tuple) (struct seq_file *s,

const struct Nf_conntrack_tuple *tuple);

struct module *me;

};

It also has packets to tuple and associated tuple flips, and also includes "packet", "new" and "destroy".

8.2 Goals

In this section we will look at the ESP connection tracking module. It works, of course, and there is no real domain that needs to be handled, because universal connection tracking has already dealt with common functionality. If you need to track some special SPI data streams, then this module is for you.

ESP is encrypted, so there is no way to view the data in it unless it is on both ends. Even so, for piping models and any other type of (unencrypted) pipe and encapsulation, we don't often want to detect what's inside, but to track the pipeline connection itself.

8.3 Module Initialization

The struct member name is a short string that is used to provide user space, as simple as possible, and without spaces. Members L3proto and L4proto respectively indicate the corresponding auxiliary functions for 3 and 4 layers.

static struct Nf_conntrack_l4protoesp_ctrack_reg __read_mostly = {

. Name = "ESP",

. L3proto =nfproto_ipv6,

. L4proto =ipproto_esp,

The rest of the structure is composed of members that are function pointers:

Esp_ctrack_pkt2tuple maps the information in the packet to tuple.

Esp_ctrack_new is invoked when a new connection tracking table entry is created.

Esp_ctrack_packet packet processing functions, such as updating the internal trace state. TCP uses this function for state conversion.

Esp_ctrack_invtuple Flip Tuple

ESP_CTRACK_PRCT Print Connection Trace table entry

Esp_ctrack_prtuple Print Connection tuple

. pkt_to_tuple = Esp_ctrack_pkt2tuple

. New =esp_ctrack_new

. Packet =esp_ctrack_packet,

. Invert_tuple =esp_ctrack_invtuple,

. Print_conntrack =ESP_CTRACK_PRCT,

. Print_tuple =esp_ctrack_prtuple,

. Me = This_module,

};

8.4 Tuple structural body (five Yuan Group)

The Union Nf_conntrack_man_proto contains the "Protocol Variable" section (in the case of NAT, this section maintains the source address, the extranet IP and the intranet IP switch).

Note: I don't think it's even confusing. The introduction is to view Structnf_conntrack_tuple, which contains SRC and DST, where DST is fixed, Because for example you visit BAIDU.COM,DST is Baidu, but SRC because there is NAT, then there may be intranet IP and public network IP.

8.5 Packet to connection tracking

When a packet enters the connection tracking subsystem, it is passed to the corresponding 4-layer connection tracking module and into the Pkt_to_tuple hook. This function maps packets to a five-tuple connection. The latter is the only way to determine a connection in the NetFilter.

8.6 Five meta Group inversion

When a packet is reached, it is compared to the existing tuple to see if it can find a corresponding connection in another direction.

They are not concerned with which network ports come in, because the packet may take a different path in the case of Policy routing.

static bool Tcp_invert_tuple (struct nf_conntrack_tuple *tuple,

const struct Nf_conntrack_tuple *orig)

{

Inverse->src.u.all= original->dst.u.all;

Inverse->dst.u.all= original->src.u.all;

}

Note: For example, there is a packet to go out, then by inversion, in the direction of reply to give DST and SRC, of course, this SRC may or intranet address. This will allow you to quickly find the corresponding connection when you return to the package.

8.7 Output Table Entries

8.8 Summary

9 Connection Trace Auxiliary function

Note: Understand this should first know ALG (Application layer gateway), such as FTP, in the application layer of data involved in intranet IP, while there is NAT, then need to replace the intranet IP extranet IP, these are auxiliary functions to do things.

struct nf_conntrack_helper{

const char *name;

unsigned int max_expected;

unsigned int timeout;

/* Tuple of connection to analyze * *

struct Nf_conntrack_tuple tuple;

* Our helpful function * *

Int (*help) (struct sk_buff *skb, unsigned int protoff,

struct Nf_conn *ct, enum Ip_conntrack_info ctinfo);

void (*destroy) (struct nf_conn *ct);

struct module *me;

};