Connection Tracker sources

teiclap

New Member


Hi,
I'd like to read and understand the source code used for tracking connections and feeding NAT.
May someone point me to the right place in the source tree?

Thanks,
Claudio
 

mark_j

Daemon


If I understand you correctly, you're asking for the in-kernel NAT implementation?
First, read this:
Handbook (Section 31.4.4).
Second, look at the source in sys/contrib/ipfilter for all the stuff you want.
Third, read the manual page: ipnat(4)
 

Mjölnir

Daemon


IIRC ipfilter(5) is one of three different IP filters that come with FreeBSD; I guess ipfilter(5) is the least relevant (loosely speaking, in terms of usage); this doesn't mean it's worse than the others. The native (default, so to say) one is ipfw(8), and many folks use pf(4) because its syntax is that of the historic OpenBSD version and allows copying and pasting rules from books and the internet.
When reading through the docs and sources, keep that in mind and don't apply information about A to B or C. IIUC ipnat(4) belongs to ipfilter(4), but that part (NAT) is also used by ipfw(4).
 

teiclap

New Member


Thank you,
I have seen that specific connection trackers are located in sys/contrib/ipfilter, for instance the ftp tracker is ip_ftp_pxy.c
The code is clean and easy to understand.
I found nothing related to sctp there, is it handled somewhere else?
I am interested in the sctp tracker state machine.
 

SirDice

Administrator

"connection tracker" is a typical Linux IPTables name and construct.
 

mark_j

Daemon


Thank you,
I have seen that specific connection trackers are located in sys/contrib/ipfilter, for instance the ftp tracker is ip_ftp_pxy.c
The code is clean and easy to understand.
I found nothing related to sctp there, is it handled somewhere else?
I am interested in the sctp tracker state machine.
Maybe you should have mentioned this key bit of information? :oops:;)
Did you look on GitHub? It takes 10 seconds to find the code. Anyway, netinet/libalias/alias_sctp.c. HTH.
 

teiclap

New Member


Thanks a lot.
I see that the SCTP alias implements a full-state design; it does validation and parsing of chunks.
In theory, there's no need to have a copy of the SCTP state machine here, nor to parse the SCTP chunks.
It's enough to create the NAT entry, if it doesn't exist yet, based on source IP, destination IP, source port and destination port, and keep a timer for cleaning the entry up when the association is gone.
I wonder whether a stateless SCTP alias implementation would be accepted.
 
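As an added illustration of the table the post above proposes (example code written for this page, not libalias, alias_sctp.c or any other FreeBSD source): a NAT table in C keyed only on the four-tuple, with an idle timer and no chunk parsing at all. The table size, the 120-second timeout, the alias port range and every function name are assumptions chosen for the example. Entries are created on the first outbound packet, refreshed whenever a packet in either direction matches, and dropped by the timer; because nothing about the association itself is tracked (no verification tags, no INIT/SHUTDOWN chunks), the timer is the only mechanism that can ever remove an entry, which is the trade-off the post is asking about.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical sizes for the example; a real table would be hashed and larger. */
#define NAT_TABLE_SIZE 64
#define NAT_TIMEOUT    120u   /* seconds of idle time before an entry is dropped (assumption) */

struct nat_entry {
    int      in_use;
    uint32_t src_ip,  dst_ip;     /* original inside host and remote host */
    uint16_t src_port, dst_port;  /* original inside port and remote port */
    uint16_t alias_port;          /* source port as seen on the outside */
    uint32_t expires;             /* absolute time in seconds; entry is stale when expires <= now */
};

static struct nat_entry nat_table[NAT_TABLE_SIZE];
static uint16_t next_alias_port = 40000;  /* assumed alias port range start; wraps, collisions not handled */

/* Outbound direction: find the entry for this four-tuple or create one.
 * Refreshes the idle timer on a hit. Returns the alias port, or 0 if the table is full. */
uint16_t nat_lookup_or_create(uint32_t src_ip, uint16_t src_port,
                              uint32_t dst_ip, uint16_t dst_port, uint32_t now)
{
    struct nat_entry *free_slot = NULL;

    for (size_t i = 0; i < NAT_TABLE_SIZE; i++) {
        struct nat_entry *e = &nat_table[i];
        if (e->in_use && e->expires <= now)
            e->in_use = 0;                         /* lazily drop a stale entry we walk past */
        if (!e->in_use) {
            if (free_slot == NULL)
                free_slot = e;
            continue;
        }
        if (e->src_ip == src_ip && e->src_port == src_port &&
            e->dst_ip == dst_ip && e->dst_port == dst_port) {
            e->expires = now + NAT_TIMEOUT;        /* traffic seen: restart the idle timer */
            return e->alias_port;
        }
    }
    if (free_slot == NULL)
        return 0;                                  /* table full; caller drops the packet */

    free_slot->in_use     = 1;
    free_slot->src_ip     = src_ip;
    free_slot->src_port   = src_port;
    free_slot->dst_ip     = dst_ip;
    free_slot->dst_port   = dst_port;
    free_slot->alias_port = next_alias_port++;
    free_slot->expires    = now + NAT_TIMEOUT;
    return free_slot->alias_port;
}

/* Inbound direction: map (alias port, remote ip, remote port) back to the inside host.
 * Returns 1 and fills orig_ip/orig_port on a hit, 0 otherwise. Refreshes the timer on a hit. */
int nat_lookup_inbound(uint16_t alias_port, uint32_t remote_ip, uint16_t remote_port,
                       uint32_t now, uint32_t *orig_ip, uint16_t *orig_port)
{
    for (size_t i = 0; i < NAT_TABLE_SIZE; i++) {
        struct nat_entry *e = &nat_table[i];
        if (!e->in_use || e->expires <= now)
            continue;
        if (e->alias_port == alias_port && e->dst_ip == remote_ip && e->dst_port == remote_port) {
            e->expires = now + NAT_TIMEOUT;
            *orig_ip   = e->src_ip;
            *orig_port = e->src_port;
            return 1;
        }
    }
    return 0;
}

/* Periodic sweep: remove every entry whose idle timer has run out. Returns how many were removed. */
int nat_expire(uint32_t now)
{
    int removed = 0;
    for (size_t i = 0; i < NAT_TABLE_SIZE; i++) {
        if (nat_table[i].in_use && nat_table[i].expires <= now) {
            nat_table[i].in_use = 0;
            removed++;
        }
    }
    return removed;
}

size_t nat_active_count(void)
{
    size_t n = 0;
    for (size_t i = 0; i < NAT_TABLE_SIZE; i++)
        n += nat_table[i].in_use ? 1 : 0;
    return n;
}

int main(void)
{
    /* Constructed sample: 10.0.0.1:5000 -> 192.168.1.1:9 at t=1000, then idle past the timeout. */
    uint16_t ap = nat_lookup_or_create(0x0a000001, 5000, 0xc0a80101, 9, 1000);
    printf("alias port %u, active %zu\n", ap, nat_active_count());
    printf("expired %d at t=1200, active %zu\n", nat_expire(1200), nat_active_count());
    return 0;
}
```

The point of the example is what is missing as much as what is there: a SHUTDOWN or ABORT exchange leaves the mapping in place until the idle timer fires, and a long-lived association that sends nothing for more than the timeout loses its mapping. Both are consequences of keying on the tuple alone.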