* are the four packet "states" all-encompassing?
From: Robert P. J. Day @ 2002-10-24 11:37 UTC
  To: netfilter mailing list


  are the four conntrack states NEW, ESTABLISHED, RELATED and
INVALID all-encompassing?  that is, does every single packet
fall into one and only one of these states?

  more to the point, what decides that a packet is NEW, given
that it's possible for it to be categorized as NEW despite the
fact that it has no SYN bit set?  (i just noticed the part
in the docs about identifying traffic that's NEW but also
"-p tcp ! --syn".)

rday




* Re: are the four packet "states" all-encompassing?
From: Cedric Blancher @ 2002-10-24 11:58 UTC
  To: Robert P. J. Day; +Cc: netfilter mailing list

On Thu 24/10/2002 at 13:37, Robert P. J. Day wrote:
>   are the four conntrack states NEW, ESTABLISHED, RELATED and
> INVALID all-encompassing?  that is, does every single packet
> fall into one and only one of these states?

Yes.
Every packet can have one state, and only one.

>   more to the point, what decides that a packet is NEW, given
> that it's possible for it to be categorized as NEW despite the
> fact that it has no SYN bit set?  (i just noticed the part
> in the docs about identifying traffic that's NEW but also
> "-p tcp ! --syn".)

A NEW packet is a valid packet that can't be associated to an existing
conntrack entry.

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
Systems and network security consultant  - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE



* Re: are the four packet "states" all-encompassing?
From: Robert P. J. Day @ 2002-10-24 13:29 UTC
  To: netfilter mailing list

On 24 Oct 2002, Cedric Blancher wrote:

> On Thu 24/10/2002 at 13:37, Robert P. J. Day wrote:
> >   are the four conntrack states NEW, ESTABLISHED, RELATED and
> > INVALID all-encompassing?  that is, does every single packet
> > fall into one and only one of these states?
> 
> Yes.
> Every packet can have one state, and only one.

so every syntactically correct ("well-formed"??) packet is one
of NEW, ESTABLISHED or RELATED, while all others are just
INVALID?  ok, i can accept that, thanks.

rday




* Re: are the four packet "states" all-encompassing?
From: Cedric Blancher @ 2002-10-24 13:57 UTC
  To: Robert P. J. Day; +Cc: netfilter mailing list

On Thu 24/10/2002 at 15:29, Robert P. J. Day wrote:
> On 24 Oct 2002, Cedric Blancher wrote:
> > Every packet can have one state, and only one.
> so every syntactically correct ("well-formed"??) packet is one
> of NEW, ESTABLISHED or RELATED, while all others are just
> INVALID?  ok, i can accept that, thanks.

Yes and no, it is a bit more complicated...

INVALID applies to all packets for which ip_conntrack is not able to
give a state. As common examples:

	. TCP packets that do not comply with RFC 793
	. ICMP errors not related to existing flows
	. lack of memory or conntrack table full

So, well-formed packets can sometimes fall into INVALID state, but it is
safe to DROP them.

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
Systems and network security consultant  - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE


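An added illustration (not from the thread or from the netfilter project) of the state assignment Cedric describes in his two replies and of the "-p tcp ! --syn" NEW case from the original question: a deliberately simplified Python model of a conntrack table that gives every packet exactly one of the four states, with the INPUT policy the thread implies (DROP INVALID, ACCEPT ESTABLISHED/RELATED, DROP NEW TCP that is not a SYN). The flag sanity rules, the table-full limit and the sample packets are constructed for the example and are not the kernel's code.

```python
# Simplified model of ip_conntrack state assignment (constructed illustration,
# not the kernel's implementation).
from collections import namedtuple

# flags: set of TCP flag names; inner: 5-tuple of the flow an ICMP error refers to
Packet = namedtuple("Packet", "proto src dst sport dport flags inner",
                    defaults=(frozenset(), None))
TABLE_MAX = 2  # constructed tiny limit standing in for "conntrack table full"

def reverse(k):  # the same flow seen from the other direction
    return (k[0], k[2], k[1], k[4], k[3])

def tcp_flags_sane(flags):
    # RFC 793 sanity: an empty flag set, or SYN combined with FIN or RST, is bogus
    return bool(flags) and not ("SYN" in flags and flags & {"FIN", "RST"})

def classify(table, p):
    """Return exactly one of NEW/ESTABLISHED/RELATED/INVALID, updating the table."""
    if p.proto == "tcp" and not tcp_flags_sane(p.flags):
        return "INVALID"
    if p.proto == "icmp-error":  # RELATED only if the embedded tuple is tracked
        return "RELATED" if p.inner in table or reverse(p.inner) in table else "INVALID"
    k = (p.proto, p.src, p.dst, p.sport, p.dport)
    if k in table or reverse(k) in table:
        return "ESTABLISHED"
    if len(table) >= TABLE_MAX:
        return "INVALID"  # table full: conntrack cannot give the packet a state
    table.add(k)
    return "NEW"  # includes a non-SYN TCP packet picked up mid-stream ("! --syn")

def verdict(state, p):
    """INPUT policy from the thread: DROP INVALID and NEW-but-not-SYN, else ACCEPT."""
    if state == "NEW":
        return "DROP" if p.proto == "tcp" and "SYN" not in p.flags else "ACCEPT"
    return "DROP" if state == "INVALID" else "ACCEPT"

def run(packets):
    table, out = set(), []
    for p in packets:
        state = classify(table, p)
        out.append((state, verdict(state, p)))
    return out

FLOW = ("tcp", "10.0.0.2", "10.0.0.1", 40000, 22)  # constructed SSH flow
SAMPLES = [  # constructed packets, in arrival order
    Packet(*FLOW, frozenset({"SYN"})),                                   # NEW, ACCEPT
    Packet(*reverse(FLOW), frozenset({"SYN", "ACK"})),                   # ESTABLISHED
    Packet("tcp", "10.0.0.3", "10.0.0.1", 40001, 80, frozenset({"ACK"})),  # NEW, no SYN
    Packet("tcp", "10.0.0.4", "10.0.0.1", 40002, 80, frozenset({"SYN", "FIN"})),  # INVALID
    Packet("icmp-error", "10.0.0.9", "10.0.0.2", 0, 0, inner=FLOW),      # RELATED
    Packet("icmp-error", "10.0.0.9", "10.0.0.2", 0, 0, inner=("udp", "a", "b", 1, 2)),  # INVALID
    Packet("udp", "10.0.0.5", "10.0.0.1", 5000, 53),                     # table full -> INVALID
]
```

Calling `run(SAMPLES)` walks the packets in order and returns the (state, verdict) pair for each, showing the third packet as NEW yet dropped because it carries no SYN.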

* Re: are the four packet "states" all-encompassing?
From: Robert P. J. Day @ 2002-10-24 13:58 UTC
  To: netfilter mailing list

On 24 Oct 2002, Cedric Blancher wrote:

> On Thu 24/10/2002 at 15:29, Robert P. J. Day wrote:
> > On 24 Oct 2002, Cedric Blancher wrote:
> > > Every packet can have one state, and only one.
> > so every syntactically correct ("well-formed"??) packet is one
> > of NEW, ESTABLISHED or RELATED, while all others are just
> > INVALID?  ok, i can accept that, thanks.
> 
> Yes and no, it is a bit more complicated...
> 
> INVALID applies to all packets for which ip_conntrack is not able to
> give a state. As common examples:
> 
> 	. TCP packets that do not comply with RFC 793
> 	. ICMP errors not related to existing flows
> 	. lack of memory or conntrack table full
> 
> So, well-formed packets can sometimes fall into INVALID state, but it is
> safe to DROP them.

ok, gotcha.  but none of that changes the assertion that each and
every packet will fall into one, and only one, of these four
states.  thanks.

rday


