Netfilter - Connection Tracking

Connection Tracking

See also: Stateful Packet Inspection

One of the important features built on top of the Netfilter framework is connection tracking. Connection tracking allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets which may make up that connection. NAT relies on this information to translate all related packets in the same way, and iptables can use this information to act as a stateful firewall.

The connection state, however, is completely independent of any upper-level state such as TCP's or SCTP's. Part of the reason for this is that when merely forwarding packets, i.e. with no local delivery, the TCP engine may not be invoked at all. Even connectionless-mode transmissions such as UDP, IPsec (AH/ESP), GRE and other tunneling protocols have at least a pseudo-connection state. The heuristic for such protocols is usually a preset inactivity timeout, after which the Netfilter connection is dropped.

Each Netfilter connection is uniquely identified by a (layer-3 protocol, source address, destination address, layer-4 protocol, layer-4 key) tuple. The layer-4 key depends on the transport protocol; for TCP/UDP it is the port numbers, for tunnels it can be their tunnel ID, but otherwise is just zero, as if it were not part of the tuple. To be able to inspect the TCP port in all cases, packets will be mandatorily defragmented.

Netfilter connections can be manipulated with the user-space tool conntrack.

iptables can match on the connection's information, such as its state and status, to make packet filtering rules more powerful and easier to manage. The most common states are:

  • “NEW”: trying to create a new connection
  • “ESTABLISHED”: part of an already-existing connection
  • “RELATED”: assigned to a packet that is initiating a new connection and which has been “expected”. Protocol helper modules (the mini-ALGs) set up these expectations, for example when the nf_conntrack_ftp module sees an FTP “PASV” command.
  • “INVALID”: the packet was found to be invalid, e.g. it does not adhere to the TCP state diagram.
  • “UNTRACKED”: a special state that can be assigned by the administrator to bypass connection tracking for a particular packet (see the raw table).

A normal example would be that the first packet the conntrack subsystem sees will be classified “new”, the reply would be classified “established” and an ICMP error would be “related”. An ICMP error packet which did not match any known connection would be “invalid”.
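The following is an added illustration, not Netfilter code: a small Python model of the tracking table described above, keyed on the (L3 protocol, source, destination, L4 protocol, L4 key) tuple, that classifies constructed packets as NEW, ESTABLISHED, RELATED or INVALID and expires idle pseudo-connections. The class names, the timeout values, the rule that a new TCP flow must open with a SYN (the kernel's loose pickup mode is assumed off) and the sample addresses are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ICMP = 6, 17, 1

# Assumed inactivity timeouts in seconds. The kernel's defaults differ and are
# tunable through nf_conntrack_*_timeout sysctls; these are illustrative only.
TIMEOUTS = {TCP: 432000, UDP: 30, ICMP: 30}


@dataclass(frozen=True)
class CtTuple:
    """The conntrack tuple from the text: (L3 proto, src, dst, L4 proto, L4 key)."""
    l3: str
    src: str
    dst: str
    l4: int
    key: tuple  # (sport, dport) for TCP/UDP; () when the protocol has no key

    def reply(self) -> "CtTuple":
        """Tuple seen by packets flowing the other way in the same connection."""
        key = (self.key[1], self.key[0]) if self.l4 in (TCP, UDP) else self.key
        return CtTuple(self.l3, self.dst, self.src, self.l4, key)


@dataclass
class Packet:
    tup: CtTuple
    ts: float                            # arrival time in seconds (constructed)
    syn: bool = False                    # TCP only: SYN set, no ACK
    icmp_inner: Optional[CtTuple] = None  # ICMP error: tuple of the packet it quotes


@dataclass
class Conn:
    orig: CtTuple          # direction of the first packet seen
    last_seen: float
    seen_reply: bool = False


class Conntrack:
    def __init__(self) -> None:
        self._table: dict = {}  # both the original and the reply tuple map to one Conn

    def _expire(self, now: float) -> None:
        """Drop entries idle longer than their protocol's timeout."""
        for key, conn in list(self._table.items()):
            if key in self._table and now - conn.last_seen > TIMEOUTS[conn.orig.l4]:
                self._table.pop(conn.orig, None)
                self._table.pop(conn.orig.reply(), None)

    def classify(self, pkt: Packet) -> str:
        self._expire(pkt.ts)
        t = pkt.tup
        if pkt.icmp_inner is not None:
            # An ICMP error is RELATED only if the packet it quotes belongs to a
            # tracked connection; otherwise nothing vouches for it and it is INVALID.
            conn = self._table.get(pkt.icmp_inner)
            if conn is None:
                return "INVALID"
            conn.last_seen = pkt.ts
            return "RELATED"
        conn = self._table.get(t)
        if conn is None:
            if t.l4 == TCP and not pkt.syn:   # assumption: no loose mid-stream pickup
                return "INVALID"
            conn = Conn(orig=t, last_seen=pkt.ts)
            self._table[t] = conn
            self._table[t.reply()] = conn
            return "NEW"
        conn.last_seen = pkt.ts
        if t == conn.orig.reply():
            conn.seen_reply = True          # traffic now seen in both directions
            return "ESTABLISHED"
        return "ESTABLISHED" if conn.seen_reply else "NEW"


def run_example() -> list:
    """Replays the scenario from the text on constructed packets."""
    ct = Conntrack()
    c2s = CtTuple("ipv4", "10.0.0.5", "192.0.2.10", TCP, (40000, 80))
    out = [ct.classify(Packet(c2s, 0.0, syn=True)),          # first packet: NEW
           ct.classify(Packet(c2s.reply(), 0.1)),            # reply: ESTABLISHED
           ct.classify(Packet(c2s, 0.2))]                    # further data: ESTABLISHED
    icmp = CtTuple("ipv4", "192.0.2.1", "10.0.0.5", ICMP, ())
    out.append(ct.classify(Packet(icmp, 0.3, icmp_inner=c2s)))   # error for known flow: RELATED
    stray = CtTuple("ipv4", "10.0.0.9", "198.51.100.7", UDP, (5000, 53))
    out.append(ct.classify(Packet(icmp, 0.4, icmp_inner=stray)))  # error for unknown flow: INVALID
    mid = CtTuple("ipv4", "10.0.0.6", "192.0.2.10", TCP, (40001, 80))
    out.append(ct.classify(Packet(mid, 0.5)))                # non-SYN with no entry: INVALID
    dns = CtTuple("ipv4", "10.0.0.5", "192.0.2.53", UDP, (5353, 53))
    out.append(ct.classify(Packet(dns, 1.0)))                # UDP pseudo-connection: NEW
    out.append(ct.classify(Packet(dns.reply(), 1.5)))        # ESTABLISHED
    out.append(ct.classify(Packet(dns.reply(), 100.0)))      # idle > 30 s, entry gone: NEW
    return out


if __name__ == "__main__":
    print(run_example())
```

The table stores each connection under both its original and its reply tuple, which is what lets a reply packet (or an ICMP error quoting either direction) be matched without any per-protocol state machine, as the text describes; the TCP-specific SYN check is the one place the model consults transport semantics, standing in for the kernel's TCP state diagram.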
