Record the forwarding status of a data stream using the Iptables connmark target and Conntrack modules

1. Each data stream is represented by a struct sk_buff structure in the Linux kernel, which has a 32-bit unsigned integer mark member to hold the SKB mark value, which can be dynamically modified in the NetFilter framework.

2. Each data stream successfully forwarded in the Linux kernel will hold a status trace connection record in the Conntrack module in NetFilter, a struct nf_conn structure with a 32-bit unsigned integer mark member, The tag value used to hold the record.

Note: Traffic that has not been successfully forwarded (such as blocked by a firewall) does not record its Conntrack information in the system.

By default, when a data flow is successfully forwarded by Linux, the mark value in the struct Sk_buff is not saved to the Mark member in the struct NF_CONN structure, and the mark value in the struct NF_CONN structure is always 0.

Use iptables ... -j connmark--bit-save-mark--nfmask 0xffff0000--ctmask 0xFFFFFFFF You can save the mark value of the current matching data stream SKB in the Conntrack mark value.

Use iptables ...-j connmark--restore-mark--nfmask 0xffffffff--ctmask 0xFFFF You can perform a mark value recovery operation on the currently matched data stream. The mark value in the corresponding record struct nf_conn of the data stream in the Conntrack module is extracted and stored in the mark value of the current data stream sk_buff.

Note: bit storage and recovery for Mark values are supported.

Application:

1, in the system there are a large number of iptables/ebtables rules, a data stream is forwarded to consume a lot of CPU time, will seriously affect the device's throughput.

Scenario: Using the Connmark Save-mark/retore-mark mechanism can be used to save the final state of the SKB, enabling NetFilter to pre-anticipate the final state of the packet (Accept/drop and its mark value) for fast forwarding of the data stream , and final state completion conforms to the complete processing result of the entire netfilter framework.

Detailed design:

A. At the beginning of Mangle's prerouting, a match is performed on a particular data stream Connmark--restore-mark, and then judged by the specific bit in its SKB mark value that the status is accept or drop, If it is accept the SKB is provided, and then in each tables the main chain to determine whether the operation of the advance accept.

B. In the postrouting of Mangle, mark the accepted of the data stream that satisfies the condition (Skb->mark), and then execute Connmark The Save-mark operation saves the SKB mark value to the conntrack corresponding record.

C. When there are any changes to the NetFilter rules, call the Conntrack-u-M 0 shell command to set the mark value of all status tracking records in the current Conntrack module to 0. To ensure that the state of all packets is not affected by the old rules, in the new NetFilter rule framework, each data stream in the Conntrack record can get the correct logical processing and status results.

Note: When this scenario is used, the count of traffic forwarded in the system cannot be determined by the number of executions of the netfilter rule.

Record the forwarding status of a data stream using the Iptables connmark target and Conntrack modules