- Netfilter: Rule matching questions


Avi .L.
07-24-2004, 06:04 PM
Netfilter supports connection tracking and stateful inspection giving
us the ability to match a packet with a session.

I have questions regarding iptables rule matching and the connection
tracking mechanism.

Assuming I configured an iptables rule which MARKs packets going to port
80 with a certain value:

1. Is it true that the rule matching is done per packet and not per
session?
(If we know for a certain packet in a session its port then we know it
for the rest of the session's packets, so it is enough to do it on the
session's first packet).

2. Is it true that iptables rules which specify port numbers don't
use the stateful support? (for example, if I configured a MARK rule
on a packet going to/from port 20 (ftp-data), why shouldn't it apply
also to RELATED sessions which were opened using passive mode?)

Assuming I configured a NAT rule:

1. Is it true that for NAT, rule matching is done on a per-session
basis?
(I think I read that there is a cache for NAT decisions on a per-session
basis)

Cedric Blancher
07-24-2004, 06:04 PM
In his prose, Avi .L. wrote to us:
> Netfilter supports connection tracking and stateful inspection giving
> us the ability to match a packet with a session.

Yep.


> Assuming I configured an iptables rule which MARKs packets going to port
> 80 with a certain value:
> 1. Is it true that the rule matching is done per packet and not per
> session?

It is.
However, you have the connmark match and the CONNMARK target, which allow
session marking.

> (If we know for a certain packet in a session its port then we know it
> for the rest of the session's packets, so it is enough to do it on the
> session's first packet).

Using CONNMARK you do; not if MARK is used.

> 2. Is it true that iptables rules which specify port numbers don't
> use the stateful support? (for example, if I configured a MARK rule
> on a packet going to/from port 20 (ftp-data), why shouldn't it apply
> also to RELATED sessions which were opened using passive mode?)

Yes it is. See CONNMARK.

> Assuming I configured a NAT rule:
> 1. Is it true that for NAT, rule matching is done on a per-session
> basis?

Yep.
Only NEW packets go through the nat table. Following packets
(ESTABLISHED or RELATED ones) are handled by the conntrack engine just before.

> (I think I read that there is a cache for NAT decisions on a per-session
> basis)

Not really.
As conntrack runs prior to any table, further packets are directly
identified as belonging to a NAT session. As this session is fully
described within the conntrack entry, Netfilter does not need the packet to
cross the nat table to handle it properly.


--
Using non-French machines is also unbearable to me. I plan to equip
myself soon with a good home-grown abacus. For graphics, I will use real
camemberts, made from raw milk of course.
-+- JLD in: Guide du Cabaliste Usenet - Bien configurer son boulier -+-
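The difference Cedric describes between per-packet MARK and per-connection CONNMARK, and the "only NEW packets cross the nat table" behaviour, expressed as an iptables ruleset. This is an added example, not code from either poster: the interface name, ports and mark values are illustrative choices, and the script assumes the FTP conntrack helper is loaded so that the data channel shows up as RELATED.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules contrasting the
# per-packet MARK target with per-connection CONNMARK, plus a NAT rule that
# only the first packet of a connection ever traverses. IPT names the
# iptables binary; set it to a function that prints its arguments to review
# the rules without loading them (see the dry-run mode at the bottom).
IPT="${IPT:-iptables}"

# Per-packet marking. Every packet is tested on its own: only packets whose
# own destination port is 80 get the mark. Replies (source port 80) and any
# RELATED connection stay unmarked, which is exactly what the original
# question noticed for port 20/ftp-data.
per_packet_mark() {
    $IPT -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 0x1
}

# Per-connection marking. The decision is taken once, on the NEW packet, and
# stored in the conntrack entry; --restore-mark then copies the stored value
# onto every later packet of that connection. A connection created from a
# helper expectation (the FTP data channel, with the ftp conntrack helper
# loaded) inherits its master's connmark, so its packets are marked as well.
per_connection_mark() {
    # 1. Copy the connection's mark (0 for a brand-new connection) onto the
    #    packet first.
    $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. Only packets that open a connection still need a decision; here the
    #    illustrative policy marks FTP control sessions (port 21, assumed).
    $IPT -t mangle -A PREROUTING -m conntrack --ctstate NEW \
         -p tcp --dport 21 -j MARK --set-mark 0x2
    # 3. Persist the packet mark into the conntrack entry. Restricting this
    #    to NEW matters: the first packet of the RELATED data channel must
    #    not overwrite the mark it inherited from the control session.
    $IPT -t mangle -A PREROUTING -m conntrack --ctstate NEW \
         -j CONNMARK --save-mark
    # Later rules can match on the connection mark instead of on port
    # numbers, so they cover the whole session including its data channel.
    $IPT -A FORWARD -m connmark --mark 0x2 -j ACCEPT
}

# NAT. Only the first (NEW) packet of a connection traverses the nat table;
# the mapping chosen for it is recorded in the conntrack entry and applied to
# all following packets, in both directions, by the conntrack engine.
# eth0 is an assumed external interface.
nat_rules() {
    $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
}

# Stand-in for iptables that prints the rule instead of loading it.
print_rules() {
    printf '%s\n' "$*"
}

case "${1:-}" in
    dry-run) IPT=print_rules; per_packet_mark; per_connection_mark; nat_rules ;;
    load)    per_packet_mark; per_connection_mark; nat_rules ;;
esac
```

Run it as `sh marks.sh dry-run` to see the rules it would load, or `sh marks.sh load` as root to install them. The order inside `per_connection_mark` is the important part: restore first, decide only on NEW packets, save only on NEW packets, so that a RELATED connection keeps the mark it inherited from its master rather than being re-evaluated against port numbers.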