20.1 Introduction

Previous page
Table of content
Next page
   

This chapter discusses the connection-tracking module, which forms the basis for extended packet-filter functions, particularly for network address translation (NAT see Chapter 21) in Linux 2.4.

The connection-tracking module manages individual connections (particularly TCP connections, but also UDP associations) and serves to allocate incoming, outgoing, and forwarded IP packets to existing connections. A new connection entry is generated as soon as the connection-tracking module registers a connection-establishment packet. From then on, each packet belonging to this connection is uniquely assigned to this connection. For example, this enables the NAT implementation to figure out exactly whether an incoming packet needs a free IP address and port number or one of the addresses and port numbers previously assigned can be used. The connection is deleted after a certain period of time has elapsed without traffic (timeout), which depends on the transport protocol used (i.e., TCP, UDP, or ICMP). Subsequently, the NAT module can reuse the address and port number that have become available.

The connection-tracking module is not limited to transport protocols; it can basically also support complex application protocols. For example, a stateful filter and an address-translation mechanism for active FTP (see Section 19.1.2) can be implemented. For this purpose, the connection-tracking module has to be able to associate newly established data connections with an existing control connection.

20.1.1 Using the Connection-Tracking Module

Two functions can be invoked to access connection entries: ip_conntrack_get() and ip_conntrack_put(). The ip_conntrack_get() function returns a connection entry for an IP packet passed as an sk_buff structure and automatically increments the reference counter for this connection. The ip_conntrack_put() function informs the connection-tracking module that the previously requested connection is no longer needed and decrements the reference counter.

To find a connection entry, we can use a so-called tuple (see Section 20.2.2) instead of an sk_buff structure with a complete IP packet. Such a tuple contains only the source and destination addresses and additional protocol information. The ip_conntrack_find_get() is used for this purpose.

       

    Previous page
    Table of content
    Next page
    Linux Network Architecture
    Linux Network Architecture
    ISBN: 131777203
    EAN: N/A
    Year: 2004
    Pages: 187
    BUY ON AMAZON
    Beginning Cryptography with Java
    Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
    Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More
    Excel Scientific and Engineering Cookbook (Cookbooks (OReilly))
    Twisted Network Programming Essentials
    Python Programming for the Absolute Beginner, 3rd Edition
    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net
    Privacy policy