Computer Networks - conntrack

Reference videos

Besides the videos, the Cloudflare blog post Conntrack tales - one thousand and one flows is worth reading, as are the blog posts below:

Fedora Magazine also has a series introducing conntrack:

  1. Network address translation part 1 – packet tracing
  2. Network address translation part 2 – the conntrack tool
  3. Network address translation part 3 – the conntrack event framework
  4. Network address translation part 4 – Conntrack troubleshooting

TODO: run experiments with iperf3 and nc.

Netdev 2.1 Talk - Netfilters Connection Tracking Subsystem By Florian Westphal

Conntrack offload: why and how - DevConf.CZ 2021

Netdev 0x13 - Conntrack tales of software datapaths

Introduction

conntrack (connection tracking) is a major class of functionality in netfilter. In the nftables usage introduced earlier, the decision on how to handle a packet was almost always made from information carried in the packet itself (addresses, ports, flags). A firewall that works this way is called a stateless firewall. Such rules cannot always express the filtering semantics we actually want: in some protocols, an identical packet sent at different stages of a conversation can mean completely different things (the obvious example is a TCP ACK, which is legitimate inside an established connection but is also exactly what an ACK scan sends to map a firewall). So an additional mechanism is needed to bring these factors, or more precisely the current "state" of a given protocol's conversation, into the filtering decision. That is what conntrack is for.
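To make the stateless/stateful distinction concrete, here is an added example (not code from the original page, nor from the Linux kernel or the Cloudflare post): a deliberately simplified model of nf_conntrack's ct state values (new, established, invalid) run over a constructed packet trace. The hosts, ports and packets are made up; the tracker is strict in the sense that it never picks up a connection mid-stream (real Linux does so by default via nf_conntrack_tcp_loose=1, which is why many rulesets also add a rule rejecting new non-SYN packets). The stateful policy mirrors the nftables rules quoted in its docstring; the stateless policy approximates the classic "allow anything with ACK set" ACL trick. The interesting rows are the client ACK and the ACK-scan probe: they are the same kind of packet, yet only state lets the filter tell them apart.

```python
"""Toy connection tracker showing why a bare TCP ACK cannot be judged statelessly.

Added example, not from the original page or from the Linux kernel. The packets
below are constructed (not captured traffic) and the tracker is a strict,
simplified model of nf_conntrack's ct state values: new / established / invalid.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

NEW, ESTABLISHED, INVALID = "new", "established", "invalid"
Tuple4 = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "RST", "FIN"}


class ConnTracker:
    """Minimal TCP tracker. Unlike Linux with nf_conntrack_tcp_loose=1 it never
    picks up a flow mid-stream, so an ACK that matches no tracked flow is invalid."""

    def __init__(self) -> None:
        # original-direction 4-tuple -> True once a reply-direction packet was seen
        self.entries: Dict[Tuple4, bool] = {}

    def _lookup(self, p: Pkt) -> Tuple[Optional[Tuple4], Optional[str]]:
        orig = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if orig in self.entries:
            return orig, "original"
        if reply in self.entries:
            return reply, "reply"
        return None, None

    def classify(self, p: Pkt) -> str:
        """Return the ct state of p, creating a not-yet-confirmed entry for a new flow."""
        key, direction = self._lookup(p)
        if key is None:
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.entries[(p.src, p.sport, p.dst, p.dport)] = False
                return NEW
            return INVALID  # bare ACK/RST/FIN matching no flow, e.g. an ACK-scan probe
        if direction == "reply":
            self.entries[key] = True  # first reply: traffic seen in both directions
            return ESTABLISHED
        return ESTABLISHED if self.entries[key] else NEW  # SYN retransmit stays "new"

    def forget(self, p: Pkt) -> None:
        """Discard an unconfirmed entry when the packet that created it is rejected."""
        self.entries.pop((p.src, p.sport, p.dst, p.dport), None)


SERVICE_PORTS = {80, 443}


def stateless_policy(p: Pkt) -> str:
    """Per-packet rules only (like the 'established' keyword of classic ACLs):
    allow SYN to the service ports and anything carrying ACK or RST."""
    if p.dport in SERVICE_PORTS and p.flags == frozenset({"SYN"}):
        return "accept"
    if p.flags & {"ACK", "RST"}:  # needed for replies and data, but also admits ACK scans
        return "accept"
    return "drop"


def stateful_policy(p: Pkt, ct: ConnTracker) -> str:
    """Equivalent of the nftables rules:
         ct state established,related accept
         tcp dport { 80, 443 } ct state new accept
         drop"""
    state = ct.classify(p)
    if state == ESTABLISHED:
        return "accept"
    if state == NEW and p.dport in SERVICE_PORTS:
        return "accept"
    if state == NEW:
        ct.forget(p)  # dropped packets never confirm their conntrack entry
    return "drop"


def simulate() -> List[Tuple[str, str, str]]:
    """Run constructed traffic through both policies; returns (label, stateless, stateful)."""
    server, client, scanner = "10.0.0.1", "192.0.2.10", "198.51.100.7"  # made-up hosts
    trace = [
        ("client SYN",     Pkt(client, 40000, server, 80, frozenset({"SYN"}))),
        ("server SYN-ACK", Pkt(server, 80, client, 40000, frozenset({"SYN", "ACK"}))),
        ("client ACK",     Pkt(client, 40000, server, 80, frozenset({"ACK"}))),
        ("ACK-scan probe", Pkt(scanner, 55555, server, 22, frozenset({"ACK"}))),
        ("SYN to 22",      Pkt(scanner, 55556, server, 22, frozenset({"SYN"}))),
    ]
    ct = ConnTracker()
    return [(label, stateless_policy(p), stateful_policy(p, ct)) for label, p in trace]


if __name__ == "__main__":
    for label, sl, sf in simulate():
        print(f"{label:15} stateless={sl:6} stateful={sf}")
```

The stateless policy has to accept every ACK-bearing packet or no connection could carry data, so the scanner's probe to port 22 sails through and the host answers it with a RST, confirming the port is unfiltered. The stateful policy classifies the same probe as invalid because no SYN was ever tracked for that 4-tuple, while the client's handshake ACK is accepted as part of an established flow.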

The Cloudflare post Conntrack tales - one thousand and one flows makes the same point:

early firewalls were entirely stateless. They could express only basic logic, like: allow SYN packets to port 80 and 443, and block everything else.

The stateless design gave some basic network security, but was quickly deemed insufficient. You see, there are certain things that can't be expressed in a stateless way. The canonical example is assessment of ACK packets - it's impossible to say if an ACK packet is legitimate or part of a port scanning attempt, without tracking the connection state.