計算機網路 - conntrack

• 計算機網路 - conntrack
  • 參考影片
    • Netdev 2.1 Talk - Netfilters Connection Tracking Subsystem By Florian Westphal
    • Conntrack offload: why and how - DevConf.CZ 2021
    • Netdev 0x13 - Conntrack tales of software datapaths
  • 簡介

參考影片

除了影片之外，可以參考 Cloudfare 部落格的 Conntrack tales - one thousand and one flows 一文。以及下面的部落格文章：

• Connection tracking (conntrack) - Part 1: Modules and Hooks
• Connection tracking (conntrack) - Part 2: Core Implementation
• Connection tracking (conntrack) - Part 3: State and Examples

而 Fedora Magazine 也有關於 Conntrack 的介紹：

1. Network address translation part 1 – packet tracing
2. Network address translation part 2 – the conntrack tool
3. Network address translation part 3 – the conntrack event framework
4. Network address translation part 4 – Conntrack troubleshooting

TODO：使用 iperf3 或 nc 來實驗。

Netdev 2.1 Talk - Netfilters Connection Tracking Subsystem By Florian Westphal

Conntrack offload: why and how - DevConf.CZ 2021

Netdev 0x13 - Conntrack tales of software datapaths

簡介

conntrack (connection tracking) 是 netfilters 中的一大類功能。前面介紹的 nftables 的使用中，大部分都是依照封包本身具有的相關資訊，決定處置的方式。這樣的處理方法稱為 stateless firewall。但這樣的功能未必能充分地表達過濾的語意。在一些通訊協定中，一模一樣的封包在不同通訊階段被發送時，背後可能代表完全不同的意義 (一個明顯的例子是 TCP 的 ACK) 。因此，需要有一些額外的機制把這些因素，或者更明確地說，特定協定當下的「狀態」也納入過濾考量。而這就是 conntrack 的用途。

在 Conntrack tales - one thousand and one flows 一文中也有提到這件事：

…early firewalls were entirely stateless. They could express only basic logic, like: allow SYN packets to port 80 and 443, and block everything else.

The stateless design gave some basic network security, but was quickly deemed insufficient. You see, there are certain things that can't be expressed in a stateless way. The canonical example is assessment of ACK packets - it's impossible to say if an ACK packet is legitimate or part of a port scanning attempt, without tracking the connection state.