ovn学习-5-conntrack

conntrack定义

ctstate：INVALID，NEW，ESTABLISHED，RELATED，UNTRACKED，SNAT，DNAT
ctstatus：NONE EXPECTED SEEN_REPLY ASSURED CONFIRMED
ctdir：ORIGINAL REPLY

解释，

1. CONNECTION TRACKING FIELDS in ovs-fields
2. CONFIRMED是当这个包离开系统即是confirmed

tcp in conntrack

TCP协议的状态有，
NONE | SYN_SENT | SYN_RECV | ESTABLISHED | FIN_WAIT | CLOSE_WAIT | LAST_ACK | TIME_WAIT | CLOSE | LISTEN

状态含义:

• NONE: initial state
• SYN_SENT: SYN-only packet seen
• SYN_SENT2: SYN-only packet seen from reply dir, simultaneous open
• SYN_RECV: SYN-ACK packet seen
• ESTABLISHED: ACK packet seen
• FIN_WAIT: FIN packet seen
• CLOSE_WAIT: ACK seen (after FIN)
• LAST_ACK: FIN seen (after FIN)
• TIME_WAIT: last ACK seen
• CLOSE: closed connection (RST)

实例解析

从vm1(on host1)，telnet vm2(on host2) 22端口《vm2里监听22》

packet	vm1	host1	host2	vm2
syn ->	syn_sent	syn_sent	syn_sent	syn_sent -> syn_recv
syn+ack <-	syn_sent -> syn_recv	syn_recv	syn_recv	syn_recv
ack ->	established	established	established	established

syn包

在宿主机上把来自vm2的arp包drop，导致回包在L3->L2时失败。还是过了L3，会经过NF_INET_LOCAL_OUT。
vm1，

tcp      6 108 SYN_SENT src=172.16.255.130 dst=172.16.255.131 sport=41080 dport=22 [UNREPLIED] src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41080 mark=0 use=1

host1，

tcp      6 112 SYN_SENT src=172.16.255.130 dst=172.16.255.131 sport=41080 dport=22 [UNREPLIED] src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41080 mark=0 zone=1 use=1

host2，

tcp      6 114 SYN_SENT src=172.16.255.130 dst=172.16.255.131 sport=41080 dport=22 [UNREPLIED] src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41080 mark=0 zone=1 use=1

vm2，（这里如果没监听，看不到这条记录，应该是回了rst导致的；收到syn包，回复syn+ack包）

1. conntrack -E -e ALL看到的，

   [NEW] tcp      6 120 SYN_SENT src=172.16.255.130 dst=172.16.255.131 sport=41080 dport=22 [UNREPLIED] src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41080
   [UPDATE] tcp      6 60 SYN_RECV src=172.16.255.130 dst=172.16.255.131 sport=41080 dport=22 src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41080

2. tcp      6 57 SYN_RECV src=172.16.255.130 dst=172.16.255.131 sport=41080 dport=22 src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41080 mark=0 use=1

syn+ack包

在vm1里，iptables -A OUTPUT -d vm2 -p tcp –tcp-flags ACK ACK -j DROP
vm2，

tcp      6 22 SYN_RECV src=172.16.255.130 dst=172.16.255.131 sport=41098 dport=22 src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41098 mark=0 use=1

host2，

tcp      6 36 SYN_RECV src=172.16.255.130 dst=172.16.255.131 sport=41098 dport=22 src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41098 mark=0 zone=1 use=1

host1，

tcp      6 19 SYN_RECV src=172.16.255.130 dst=172.16.255.131 sport=41098 dport=22 src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41098 mark=0 zone=1 use=1

vm1《收到syn+ack包，回复ack包》

1. conntrack -E -e ALL看到的，

   [UPDATE] tcp      6 60 SYN_RECV src=172.16.255.130 dst=172.16.255.131 sport=41098 dport=22 src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41098
   [UPDATE] tcp      6 432000 ESTABLISHED src=172.16.255.130 dst=172.16.255.131 sport=41098 dport=22 src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41098 [ASSURED]

2. tcp      6 431989 ESTABLISHED src=172.16.255.130 dst=172.16.255.131 sport=41098 dport=22 src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41098 [ASSURED] mark=0 use=1

ack包

vm1，

tcp      6 431984 ESTABLISHED src=172.16.255.130 dst=172.16.255.131 sport=41102 dport=22 src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41102 [ASSURED] mark=0 use=1

host1，

tcp      6 431987 ESTABLISHED src=172.16.255.130 dst=172.16.255.131 sport=41102 dport=22 src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41102 [ASSURED] mark=0 zone=1 use=1

host2，

tcp      6 431991 ESTABLISHED src=172.16.255.130 dst=172.16.255.131 sport=41102 dport=22 src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41102 [ASSURED] mark=0 zone=1 use=1

vm2，

tcp      6 431997 ESTABLISHED src=172.16.255.130 dst=172.16.255.131 sport=41102 dport=22 src=172.16.255.131 dst=172.16.255.130 sport=22 dport=41102 [ASSURED] mark=0 use=1

tips

• udp，一来一回，就是established，再一来或者一回，就是assured。