# Computer Networks - conntrack

[TOC]

## Reference videos

Besides the videos, Cloudflare's blog post [*Conntrack tales - one thousand and one flows*](https://blog.cloudflare.com/conntrack-tales-one-thousand-and-one-flows/) is worth reading, as is the following blog series:

* [*Connection tracking (conntrack) - Part 1: Modules and Hooks*](https://thermalcircle.de/doku.php?id=blog:linux:connection_tracking_1_modules_and_hooks)
* [*Connection tracking (conntrack) - Part 2: Core Implementation*](https://thermalcircle.de/doku.php?id=blog:linux:connection_tracking_2_core_implementation)
* [*Connection tracking (conntrack) - Part 3: State and Examples*](https://thermalcircle.de/doku.php?id=blog:linux:connection_tracking_3_state_and_examples)

Fedora Magazine also has an introduction to conntrack:

1. [*Network address translation part 1 – packet tracing*](https://fedoramagazine.org/network-address-translation-part-1-packet-tracing/)
2. [*Network address translation part 2 – the conntrack tool*](https://fedoramagazine.org/network-address-translation-part-2-the-conntrack-tool/)
3. [*Network address translation part 3 – the conntrack event framework*](https://fedoramagazine.org/conntrack-event-framework/)
4. [*Network address translation part 4 – Conntrack troubleshooting*](https://fedoramagazine.org/network-address-translation-part-4-conntrack-troubleshooting/)

> TODO: experiment with `iperf3` or `nc`.

### Netdev 2.1 Talk - Netfilters Connection Tracking Subsystem By Florian Westphal

{%youtube mx2X9mZaZ5A %}

### Conntrack offload: why and how - DevConf.CZ 2021

{%youtube sst35r4cRsI %}

### Netdev 0x13 - Conntrack tales of software datapaths

{%youtube WNzFBEnmH1k %}

## Introduction

conntrack (connection tracking) is one of the major subsystems of netfilter. In the nftables usage covered earlier, almost every decision was made from information carried by the packet itself (addresses, ports, flags). A firewall that works this way is called a *stateless firewall*. That is not always enough to express the filtering semantics we actually want: in some protocols, two byte-for-byte identical packets sent at different stages of a conversation mean completely different things (the obvious example is a TCP ACK, which is a normal part of an existing connection in one case and an unsolicited probe in another). Some additional mechanism is therefore needed to bring that context, or more precisely the current "state" of the protocol exchange, into the filtering decision. That is what conntrack provides.

The Cloudflare post [*Conntrack tales - one thousand and one flows*](https://blog.cloudflare.com/conntrack-tales-one-thousand-and-one-flows/) makes the same point:

> *...early firewalls were entirely stateless. They could express only basic logic, like: allow SYN packets to port 80 and 443, and block everything else.*
>
> *The stateless design gave some basic network security, but was quickly deemed insufficient. You see, there are certain things that can't be expressed in a stateless way. The canonical example is assessment of ACK packets - it's impossible to say if an ACK packet is legitimate or part of a port scanning attempt, without tracking the connection state.*
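To make the ACK-packet argument concrete, the following is an added example (not code from these notes, the kernel, or nftables): a toy connection tracker that does the part of conntrack's job the introduction describes. It keeps a flow table keyed by the TCP 5-tuple and classifies each packet as `new`, `established` or `invalid`, roughly the way nftables' `ct state` sees them when mid-stream pickup is disabled (the `net.netfilter.nf_conntrack_tcp_loose=0` setting). Next to it sits a stateless policy of the "allow SYN to 80/443, assume everything with ACK set belongs to an existing connection" kind. The firewall is assumed to sit between the client and the server so that it sees both directions; the hosts, ports and packet sequence are constructed for the example.

```python
"""Added example, not from the original notes: a toy TCP connection tracker
next to a stateless ruleset, run over a normal handshake and an ACK-scan probe.

Assumptions (not from the page): the firewall sees both directions of the
traffic, and a flow may only be opened by a bare SYN, which corresponds to
net.netfilter.nf_conntrack_tcp_loose=0 (no mid-stream pickup) on Linux.
"""
from dataclasses import dataclass

NEW, ESTABLISHED, INVALID = "new", "established", "invalid"
ACCEPT, DROP = "accept", "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "SA", "A", "R"


@dataclass
class Flow:
    original: tuple            # 5-tuple of the packet that opened the flow
    seen_reply: bool = False   # True once the other side has answered


class Conntrack:
    """Minimal flow table: the 'state' a stateless firewall is missing."""

    def __init__(self):
        self.flows = {}  # original 5-tuple -> Flow

    @staticmethod
    def _tuple(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(t):
        return (t[2], t[3], t[0], t[1])

    def classify(self, pkt: Packet) -> str:
        t = self._tuple(pkt)
        flow = self.flows.get(t) or self.flows.get(self._reverse(t))
        if flow is None:
            # Only a bare SYN may open a flow. A lone ACK with no flow
            # (an ACK scan, for instance) cannot be matched to anything.
            if pkt.flags != "S":
                return INVALID
            self.flows[t] = Flow(original=t)
            return NEW
        if t != flow.original:
            flow.seen_reply = True  # reply direction: the flow is now two-way
        state = ESTABLISHED if flow.seen_reply else NEW
        if "R" in pkt.flags:
            # RST ends the connection; forget the flow so that later packets
            # with this 5-tuple are INVALID again.
            del self.flows[flow.original]
        return state


def stateless_policy(pkt: Packet) -> str:
    """Looks at the packet only: SYN to 80/443, or anything with ACK set."""
    if pkt.flags == "S" and pkt.dport in (80, 443):
        return ACCEPT
    if "A" in pkt.flags:
        # Cannot tell a handshake ACK from a scan probe, so it lets both in.
        return ACCEPT
    return DROP


def stateful_policy(ct: Conntrack, pkt: Packet) -> str:
    """Same intent, but decided on conntrack state (like nft 'ct state')."""
    state = ct.classify(pkt)
    if state == ESTABLISHED:
        return ACCEPT
    if state == NEW and pkt.dport in (80, 443):
        return ACCEPT
    return DROP  # covers INVALID and NEW flows to other ports


def track(packets, ct=None):
    """Conntrack state of each packet, in order."""
    ct = ct or Conntrack()
    return [ct.classify(p) for p in packets]


def run(packets, ct=None):
    """(stateless verdict, stateful verdict) for each packet, in order."""
    ct = ct or Conntrack()
    return [(stateless_policy(p), stateful_policy(ct, p)) for p in packets]


# Constructed traffic: a normal handshake to the server's HTTPS port,
# followed by a scanner sending a bare ACK at port 22.
CLIENT, SERVER, SCANNER = "198.51.100.7", "203.0.113.10", "192.0.2.99"
HANDSHAKE = [
    Packet(CLIENT, 40001, SERVER, 443, "S"),
    Packet(SERVER, 443, CLIENT, 40001, "SA"),
    Packet(CLIENT, 40001, SERVER, 443, "A"),
]
ACK_SCAN = [Packet(SCANNER, 5555, SERVER, 22, "A")]

if __name__ == "__main__":
    for pkt, (sl, sf) in zip(HANDSHAKE + ACK_SCAN, run(HANDSHAKE + ACK_SCAN)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]"
              f"  stateless={sl}  stateful={sf}")
```

The three handshake packets pass both policies, but the scanner's ACK to port 22 is accepted by the stateless rules (it "looks established") and dropped by the stateful ones, because no flow was ever opened by a SYN. In nftables the corresponding rules are `ct state established,related accept` and `ct state invalid drop`; note that on Linux the default `nf_conntrack_tcp_loose=1` lets conntrack pick up a flow mid-stream from a non-SYN packet, so a stray ACK becomes `new` rather than `invalid` there, which is why strict tracking is assumed above.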