Hi,
On Wed, 10 Jul 2024, Kevin Johnson wrote:
> I've been trying to understand the connection tracking (conntrack)
> source code (specifically nf_conntrack_proto_tcp.c and
> nf_conntrack_proto_udp.c) by sending packets between virtual machines
> and observing the connection states, looking to possibly find
> vulnerabilities or perhaps weaknesses.
> Is there additional documentation somewhere that aids with the
> understanding of the conntrack source code (specifically
> nf_conntrack_proto_tcp.c and nf_conntrack_proto_udp.c), since it's a bit
> complex and difficult to understand?
nf_conntrack_proto_udp.c is simple because we have to handle a simple
stream of packets and just update the timer in order not to timeout the
conntrack entry too early.
nf_conntrack_proto_tcp.c is more complex. The code refers to RFC793 and
RFC1122 at a couple of places, of course. The tcp_in_window() function is
practically the implementation of Guido van Rooij's article (the first
link still works, you can download the pdf from there) with the addition
of SACK support (RFC2018). The hardest part I think is the big switch
statement in nf_conntrack_tcp_packet() which handles the reopened
connections, possible out of sync cases, challenge ACKs (RFC5961),
simultaneous opens, etc.
> Is there a way a debugger can be set up where, when pings are sent from
> one machine to another, I can see which conntrack functions are being
> executed or which lines are being processed?
You can easily sprinkle the code with printk-s ;-). That of course won't
work in production, but in a test environment with constructed/replayed
traffic it is fine.
Best regards,
Jozsef
--
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary
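To make the window-tracking idea behind tcp_in_window() concrete, here is an added illustrative model. It is my own simplification written for this thread, not the kernel's code and not anything posted by the participants: it assumes no window scaling, no SACK and no TCP state machine, the td_end/td_maxend/td_maxwin names merely echo the kernel's fields, and the 66000 ACK slack constant, the constructed segment trace and all function names are assumptions made for the example. It plays a handshake and a data exchange, then shows that a segment whose sequence number lies far outside the granted window, or that acknowledges data the peer never sent, is flagged as out of window, while an ordinary retransmission is still accepted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of per-direction TCP window tracking, the idea behind
 * tcp_in_window() and van Rooij's paper. This is NOT the kernel's code: it
 * ignores window scaling, SACK, the TCP state machine and many special cases;
 * the field names only echo the kernel's. Segments outside the tracked windows
 * (forged or badly delayed) must not be allowed to move the entry's state. */

enum { DIR_ORIGINAL = 0, DIR_REPLY = 1 };
#define MAXACKWINCONST 66000u  /* slack tolerated on ACK numbers (assumed value) */

/* Wrap-safe 32-bit sequence-number comparisons. */
static bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static bool seq_after(uint32_t a, uint32_t b)  { return seq_before(b, a); }

struct dir_state {
    uint32_t td_end;    /* highest end-of-data sequence number sent by this side */
    uint32_t td_maxend; /* highest ack+window the peer has granted to this side */
    uint32_t td_maxwin; /* largest window this side advertised; 0 = not seen yet */
};
struct tcp_track { struct dir_state dir[2]; };

struct tcp_seg {
    int dir;                 /* DIR_ORIGINAL or DIR_REPLY */
    uint32_t seq, ack, win;  /* header fields, window unscaled */
    uint32_t len;            /* payload length in bytes */
    bool syn, fin, has_ack;  /* flags */
};

static uint32_t maxackwindow(const struct dir_state *d)
{
    return d->td_maxwin > MAXACKWINCONST ? d->td_maxwin : MAXACKWINCONST;
}

/* Returns true if the segment fits the tracked windows (and advances them),
 * false if it is out of window and must not change the connection state. */
bool tcp_window_track(struct tcp_track *ct, const struct tcp_seg *s)
{
    struct dir_state *sender = &ct->dir[s->dir];
    struct dir_state *receiver = &ct->dir[!s->dir];
    uint32_t end = s->seq + s->len + (s->syn ? 1 : 0) + (s->fin ? 1 : 0);
    uint32_t win = s->win == 0 ? 1 : s->win;
    /* A segment without ACK is treated as acknowledging everything seen so far. */
    uint32_t ack = s->has_ack ? s->ack : receiver->td_end;

    if (sender->td_maxwin == 0) {
        /* First segment in this direction: seed the state from it. A SYN/ACK
         * gets its allowance from the peer's later ACKs; an initial SYN (or a
         * connection picked up mid-stream) is provisionally granted its own window. */
        sender->td_end = end;
        sender->td_maxwin = win;
        sender->td_maxend = (s->syn && s->has_ack) ? end : end + win;
        if (!s->has_ack)
            return true;
    }

    /* The van Rooij-style checks: start inside what the peer granted, not too
     * far behind what this side already sent, and an ACK that neither exceeds
     * the peer's data nor lags it by more than the tolerated slack. */
    bool in_recv_win = receiver->td_maxwin == 0 ||
                       seq_after(end, sender->td_end - receiver->td_maxwin - 1);
    bool ok = seq_before(s->seq, sender->td_maxend + 1) && in_recv_win &&
              seq_before(ack, receiver->td_end + 1) &&
              seq_after(ack, receiver->td_end - maxackwindow(sender) - 1);
    if (!ok)
        return false;

    /* Accepted: raise this side's high-water marks and the peer's allowance. */
    if (seq_after(end, sender->td_end))
        sender->td_end = end;
    if (sender->td_maxwin < win)
        sender->td_maxwin = win;
    if (seq_after(ack + win, receiver->td_maxend - 1))
        receiver->td_maxend = ack + win;
    return true;
}

/* Constructed trace: handshake, data both ways, then two bogus segments and a
 * legitimate retransmission. Returns a bitmask, bit i = verdict on segment i. */
unsigned run_constructed_trace(void)
{
    const struct tcp_seg trace[] = {
        /* dir,         seq,     ack,   win,   len, syn,   fin,   has_ack */
        { DIR_ORIGINAL, 1000,    0,     65535, 0,   true,  false, false }, /* SYN */
        { DIR_REPLY,    5000,    1001,  29200, 0,   true,  false, true  }, /* SYN/ACK */
        { DIR_ORIGINAL, 1001,    5001,  65535, 0,   false, false, true  }, /* ACK */
        { DIR_ORIGINAL, 1001,    5001,  65535, 100, false, false, true  }, /* 100 B data */
        { DIR_REPLY,    5001,    1101,  29200, 50,  false, false, true  }, /* 50 B reply */
        { DIR_ORIGINAL, 1001101, 5051,  65535, 10,  false, false, true  }, /* seq far outside window */
        { DIR_ORIGINAL, 1101,    10051, 65535, 0,   false, false, true  }, /* acks data never sent */
        { DIR_ORIGINAL, 1001,    5051,  65535, 100, false, false, true  }, /* plain retransmission */
    };
    struct tcp_track ct = {0};
    unsigned verdicts = 0;
    for (unsigned i = 0; i < sizeof trace / sizeof trace[0]; i++)
        if (tcp_window_track(&ct, &trace[i]))
            verdicts |= 1u << i;
    return verdicts;  /* 0x9F: segments 0-4 and 7 accepted, 5 and 6 rejected */
}

int main(void)
{
    unsigned v = run_constructed_trace();
    for (int i = 0; i < 8; i++)
        printf("segment %d: %s\n", i, (v >> i) & 1 ? "in window" : "OUT OF WINDOW");
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run; the printed verdicts show the property the window check exists to protect: a segment that does not fit the windows either side has granted is reported out of window and leaves the tracked state untouched, whereas a retransmitted segment, whose numbers still fall inside those windows, is accepted. The real kernel function layers SACK handling, window scaling and the state-machine interactions described in the reply on top of this core.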