[Bug 1496] New: CT target unclear
bugzilla-daemon at netfilter.org
Tue Feb 9 13:27:20 CET 2021
https://bugzilla.netfilter.org/show_bug.cgi?id=1496
Bug ID: 1496
Summary: CT target unclear
Product: iptables
Version: unspecified
Hardware: x86_64
OS: Gentoo
Status: NEW
Severity: enhancement
Priority: P5
Component: iptables
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: mhoermann at gmail.com
In the CT target section in the iptables-extensions(8) manpage it says:

    --ctevents event[,...]
        Only generate the specified conntrack events for this
        connection. Possible event types are: new, related, destroy, reply,
        assured, protoinfo, helper, mark (this refers to the ctmark, not
        nfmark), natseqinfo, secmark (ctsecmark).

    --expevents event[,...]
        Only generate the specified expectation events for this
        connection. Possible event types are: new.
It would be useful to have at least a short description for each event type,
similar to the ones found in the comments in the kernel source code, in the
enum it seems to be based on in
include/uapi/linux/netfilter/nf_conntrack_common.h:

    /* Connection tracking event types */
    enum ip_conntrack_events {
        IPCT_NEW,       /* new conntrack */
        IPCT_RELATED,   /* related conntrack */
        IPCT_DESTROY,   /* destroyed conntrack */
        IPCT_REPLY,     /* connection has seen two-way traffic */
        IPCT_ASSURED,   /* connection status has changed to assured */
        IPCT_PROTOINFO, /* protocol information has changed */
        IPCT_HELPER,    /* new helper has been set */
        IPCT_MARK,      /* new mark has been set */
        IPCT_SEQADJ,    /* sequence adjustment has changed */
        IPCT_NATSEQADJ = IPCT_SEQADJ,
        IPCT_SECMARK,   /* new security mark has been set */
        IPCT_LABEL,     /* new connlabel has been set */
        IPCT_SYNPROXY,  /* synproxy has been set */
    #ifdef __KERNEL__
        __IPCT_MAX
    #endif
    };
It would also be good to clarify what "generating events" means. From my
surface inspection of the code it seems to mean events for userspace, not
events that affect the conntrack tables themselves, but I might be wrong about
that.

In particular it would be good to make clear what the distinction is between
generating only some events here and limiting tracking with -m conntrack
--ctstate ... -j CT --notrack or -m conntrack --ctstatus ... -j CT --notrack
for the same state/status/event name (e.g. new for --ctstate and assured
for --ctstatus).