RE: conntrack and ICMP echo replies not showing as ESTABLISHED

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I think here are some semantics confused ( could be my fault ).

My statement is meant to explain that the term "ESTABLISHED" used in CONNTRACK , does not match the state "ESTABLISHED" used in iptables rules-set .
ESTABLISHED in iptables ruleset simply means there is an entry directly related to the packet that is being examined in the connection table .

ESTABLISHED in the conntrack TERM is only used for TCP as here the packets have multiple timers as at least TCP is session/connection based protocol ,
I am not aware of other protocols who have other times and multiple sets of session/connection states in netfilter/iptables/conntrack and using this TERM in same manner .

RELATED is actually not the FIRST/NEW packet of new connection , it is any packet ( first second or later ) from any system that could be indirectly connected to any one connection table entry .
Including ICMP messages like type 11 ( TTL exceeded ) typically sent from every router on the way until you reached the end target destination when doing a traceroute .

When conntrack deals with other none TCP it uses only UNREPLIED / ASSURED and not the term ESTABLISHED
And for ICMP it does not use ASSURED , only UNREPLIED ( which is removed after the first reply )

As far as I can tell there are 6 states for the connection table part ( 7 if you include those NOT/NEVER there )
NEW
ESTABLISHED
RELATED
INVALID
UNTRACKED
CLOSED

For me these semantics is also not so self explanatory , specially since the terms somewhat overlap and are missing for others .
( but now maybe this is a bit more clear ) If not here is more details http://www.iptables.info/en/connection-state.html


Best regards
André Paulsberg-Csibi
Senior Network Engineer 
IBM Services AS

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Neal P. Murphy
Sent: Wednesday, January 3, 2018 12:37 AM
Cc: netfilter@xxxxxxxxxxxxxxx
Subject: Re: conntrack and ICMP echo replies not showing as ESTABLISHED

On Tue, 2 Jan 2018 21:56:07 +0000
André Paulsberg-Csibi (IBM Consultant)         <Andre.Paulsberg-Csibi@xxxxxxxx> wrote:

> As far as I can tell - ESTABLISHED - is only for session based protocols like TCP .
> You will not see that for UDP or ICMP , as far as CONNTRACK is concerned .  

With netfilter, there are five connection states: NEW, RELATED, ESTABLISHED, INVALID and RAW.
  - A NEW packet is the first packet of a new peer-to-peer communication connection
    (a conn), be it TCP, SCTP, UDP, GRE, or any other protocol.
  - A RELATED packet is the first packet of a new conn that netfilter determined is
    related to an existing conn (the data conn of an FTP conn, for example).
  - When two-way communication is established with a reply packet, the conn's state
    changes to ESTABLISHED.
  - INVALID packets are those that netfilter has received but has no idea what to do
    with them; they are packets that can only belong to an ESTABLISHED conn but it can
    find no such conn in its database.
  - I think RAW packets are those that netfilter has been told not to process; but I'm
    not sure of this as I've never had reason to use RAW packets.

In netfilter, 'connection' is not related to connection-oriented protocols. It has to do with the relationship--the logical connection--between two endpoints on a LAN or on some internetwork of them. It is much like two people talking on a walkie-talkie, two people exchanging TXT MSGs, or two people talking on a phone that has a circuit-switched connection set up between them.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at  https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fvger.kernel.org%2Fmajordomo-info.html&data=02%7C01%7C%7C8cd63c84f69240d4239308d5523e4c6d%7C40cc2915e2834a2794716bdd7ca4c6e1%7C1%7C0%7C636505349884829535&sdata=hwc8E8kipzNl9HDW3SWhZfc9w2WgFoOXHH43uV5ugNk%3D&reserved=0
��.n��������+%������w��{.n����z��׫�)��jg��������ݢj����G�������j:+v���w�m������w�������h�����٥
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux