* Question about nf_conntrack_proto for IPsec
@ 2019-06-26 11:06 Naruto Nguyen
  2019-06-26 11:13 ` Florian Westphal
  0 siblings, 1 reply; 4+ messages in thread
From: Naruto Nguyen @ 2019-06-26 11:06 UTC (permalink / raw)
  To: netfilter-devel, netdev, netfilter

Hi everyone,

In the linux/latest/source/net/netfilter/ folder, I only see that we have
nf_conntrack_proto_tcp.c, nf_conntrack_proto_udp.c and some other
conntrack implementations for other protocols, but I do not see an
nf_conntrack_proto for IPsec, so does it mean connection tracking
cannot track the ESP or AH protocol as a connection? I mean when I use
the "conntrack -L" command, I do not see an ESP or AH connection saved
in the conntrack list. Could you please help me to understand whether
conntrack supports that, and the reasons if it does not?

Thanks a lot,
Brs,
Naruto

* Re: Question about nf_conntrack_proto for IPsec
From: Florian Westphal @ 2019-06-26 11:13 UTC (permalink / raw)
  To: Naruto Nguyen; +Cc: netfilter-devel, netdev, netfilter

Naruto Nguyen <narutonguyen2018@gmail.com> wrote:
> In linux/latest/source/net/netfilter/ folder, I only see we have
> nf_conntrack_proto_tcp.c, nf_conntrack_proto_udp.c and some other
> conntrack implementations for other protocols but I do not see
> nf_conntrack_proto for IPsec, so does it mean connection tracking
> cannot track ESP or AH protocol as a connection. I mean when I use
> "conntrack -L" command, I will not see ESP or AH  connection is saved
> in conntrack list. Could you please help me to understand if conntrack
> supports that and any reasons if it does not support?

ESP/AH etc. use the generic tracker, i.e. only one ESP connection
is tracked between each endpoint.

* Re: Question about nf_conntrack_proto for IPsec
From: Naruto Nguyen @ 2019-07-10  6:55 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel, netdev, netfilter

Hi Florian,

Thanks a lot for your reply.

Could you please elaborate more on how the generic tracker tracks an ESP connection?

Brs,
Bao

On Wed, 26 Jun 2019 at 18:13, Florian Westphal <fw@strlen.de> wrote:
>
> Naruto Nguyen <narutonguyen2018@gmail.com> wrote:
> > In linux/latest/source/net/netfilter/ folder, I only see we have
> > nf_conntrack_proto_tcp.c, nf_conntrack_proto_udp.c and some other
> > conntrack implementations for other protocols but I do not see
> > nf_conntrack_proto for IPsec, so does it mean connection tracking
> > cannot track ESP or AH protocol as a connection. I mean when I use
> > "conntrack -L" command, I will not see ESP or AH  connection is saved
> > in conntrack list. Could you please help me to understand if conntrack
> > supports that and any reasons if it does not support?
>
> ESP/AH etc. use the generic tracker, i.e. only one ESP connection
> is tracked between each endpoint.

* Re: Question about nf_conntrack_proto for IPsec
From: Florian Westphal @ 2019-07-10  8:07 UTC (permalink / raw)
  To: Naruto Nguyen; +Cc: Florian Westphal, netfilter-devel, netdev, netfilter

Naruto Nguyen <narutonguyen2018@gmail.com> wrote:
> Could you please elaborate more on how generic tracker tracks ESP connection?

All protocols that do not have a more specific l4 tracker are tracked
based on l3 protocol + l4 proto number.

IOW, any ESP packet sent between the same endpoint addresses is seen
as matching a single esp flow.

We could easily add the ESP SPI as additional distinction marker if needed.
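As an added illustration of the answer above (example code written for this page, not kernel code and not from the thread): it models the key the generic tracker uses, l3 addresses plus l4 protocol number, next to a hypothetical key that also folds in the ESP SPI, and runs both over constructed ESP packets. The unordered endpoint pair stands in for conntrack matching the reply direction against the same entry.

```python
import socket
import struct
from collections import Counter

IPPROTO_ESP = 50  # IANA protocol number for ESP

def build_esp_packet(src: str, dst: str, spi: int, seq: int) -> bytes:
    """Construct a minimal IPv4+ESP packet (sample input, not captured traffic)."""
    payload = struct.pack("!II", spi, seq) + b"\x00" * 16  # ESP: SPI, seq, opaque body
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0x4000, 64, IPPROTO_ESP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + payload

def parse_packet(pkt: bytes):
    """Return (src, dst, proto, spi); spi is None for non-ESP packets."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    spi = struct.unpack("!I", pkt[ihl:ihl + 4])[0] if proto == IPPROTO_ESP else None
    return src, dst, proto, spi

def generic_key(parsed):
    """Generic tracker: l3 addresses + l4 protocol number, nothing from the l4 header.
    The endpoint pair is unordered because conntrack matches the reply direction too."""
    src, dst, proto, _ = parsed
    return (frozenset((src, dst)), proto)

def spi_key(parsed):
    """Hypothetical SPI-aware key: the extra distinction marker mentioned above."""
    src, dst, proto, spi = parsed
    return (frozenset((src, dst)), proto, spi)

def count_entries(packets, keyfn) -> Counter:
    """How many packets would land on each conntrack entry under keyfn."""
    return Counter(keyfn(parse_packet(p)) for p in packets)

if __name__ == "__main__":
    # Constructed traffic: one SA per direction, plus a second tunnel's SA, same two hosts.
    pkts = [build_esp_packet("10.0.0.1", "10.0.0.2", 0x1000, s) for s in range(3)]
    pkts += [build_esp_packet("10.0.0.2", "10.0.0.1", 0x2000, s) for s in range(3)]
    pkts += [build_esp_packet("10.0.0.1", "10.0.0.2", 0x3000, s) for s in range(2)]
    print(len(count_entries(pkts, generic_key)), "entry (generic) vs",
          len(count_entries(pkts, spi_key)), "entries (with SPI)")
```

This is why "conntrack -L" shows a single ESP entry per host pair regardless of how many SAs or tunnels are active, which matters when sizing timeouts or counting sessions per peer.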
