Description
Hi, guys,
I saw this project in this paper: "Securing Linux with a Faster and Scalable Iptables".
And I have some questions about the implementation of conntrack in iptables.
In section 4.5 Conntrack entry creation:
To identify the connection associated to a packet, bpf-iptables uses the packet 5-tuple (i.e., src/dst IP address, L4 protocol, src/dst L4 port) as key in the conntrack table.
...
This process allows to create a single entry in the conntrack table for both directions, speeding up the lookup process. In addition, together with the new connection state, the Conntrack Update module stores into the conntrack table two additional flags, ip reverse (ipRev) and port reverse (portRev) indicating if the IPs and the L4 ports have been reversed compared to the current packet 5-tuple.
The conntrack process will create a single entry for both directions, but if egress and ingress packets of the same flow are handled at the same time, they will both update the entry too. If the packets are handled on the same CPU, then there is no problem, but if they are not on the same CPU, will this cause an inconsistent state?
In section 4.5 TCP state machine and Conntrack Cleanup:
Finally, when the connection reaches the TIME_WAIT state, only a timeout event or a new SYN will trigger a state change. In the first case the entry is deleted from the conntrack table, otherwise the current packet direction is marked as forward and the new state becomes SYN_SENT.
Conntrack Cleanup. bpf-iptables implements the cleanup of conntrack entries in the control plane, where a dedicated thread checks the presence of expired sessions.
I didn't find the cleanup code for conntrack entries; did I miss something?
And another question: if the control plane finds an expired entry and decides to delete it, and during that operation the datapath reuses the connection and updates the entry, after which the control plane deletes it, how is this prevented?
Thank you.
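To make the single-entry scheme quoted from section 4.5 concrete, here is an added Python model of it; this is example code written for this thread, not bpf-iptables' own code, and the names (`FiveTuple`, `ConntrackKey`, `ConntrackTable`, `normalize`, `lookup`) are assumed. It builds the direction-independent key by ordering the IP pair and the port pair separately, stores the `ip_rev`/`port_rev` flags with the entry, and on lookup decides whether a packet is the forward or reply direction by comparing its flags with the stored ones. One check worth seeing beyond the quoted text: because the IPs and ports are normalized independently, four distinct flows (A:p1→B:p2, its reply, A:p2→B:p1, and its reply) all land on the same key, so a lookup must treat a half-matching flag pair as a different flow rather than as a hit.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class FiveTuple:
    """Packet 5-tuple as seen on the wire (constructed sample input below)."""
    src_ip: str
    dst_ip: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class ConntrackKey:
    """Direction-independent key: lower IP / lower port first."""
    ip_a: str
    ip_b: str
    proto: int
    port_a: int
    port_b: int


@dataclass
class Entry:
    state: str
    ip_rev: bool    # IPs were swapped relative to the packet that created the entry
    port_rev: bool  # ports were swapped relative to that packet


def normalize(pkt: FiveTuple):
    """Return (key, ip_rev, port_rev) for a packet.

    ip_rev / port_rev say whether the IP pair / port pair had to be swapped
    to reach canonical order; they are what distinguishes direction later."""
    ip_rev = ip_address(pkt.src_ip) > ip_address(pkt.dst_ip)
    port_rev = pkt.sport > pkt.dport
    ips = (pkt.dst_ip, pkt.src_ip) if ip_rev else (pkt.src_ip, pkt.dst_ip)
    ports = (pkt.dport, pkt.sport) if port_rev else (pkt.sport, pkt.dport)
    return ConntrackKey(ips[0], ips[1], pkt.proto, ports[0], ports[1]), ip_rev, port_rev


class ConntrackTable:
    def __init__(self):
        self.table: dict[ConntrackKey, Entry] = {}

    def create(self, pkt: FiveTuple, state: str = "SYN_SENT") -> ConntrackKey:
        """Create the single entry for both directions, flags relative to pkt."""
        key, ip_rev, port_rev = normalize(pkt)
        self.table[key] = Entry(state, ip_rev, port_rev)
        return key

    def lookup(self, pkt: FiveTuple):
        """Return (entry, direction) or (None, None).

        'forward': same flags as the creating packet.
        'reverse': both flags inverted, i.e. the reply direction.
        Any other combination is a different flow that happens to share the
        key (an observation about independent IP/port ordering, not a claim
        about the project's code), so it is reported as a miss."""
        key, ip_rev, port_rev = normalize(pkt)
        entry = self.table.get(key)
        if entry is None:
            return None, None
        if (ip_rev, port_rev) == (entry.ip_rev, entry.port_rev):
            return entry, "forward"
        if (ip_rev, port_rev) == (not entry.ip_rev, not entry.port_rev):
            return entry, "reverse"
        return None, None  # key collision with a distinct flow


def demo():
    """Constructed sample flow: client 10.0.0.2:40000 -> server 10.0.0.1:80."""
    ct = ConntrackTable()
    syn = FiveTuple("10.0.0.2", "10.0.0.1", 6, 40000, 80)
    reply = FiveTuple("10.0.0.1", "10.0.0.2", 6, 80, 40000)
    other_flow = FiveTuple("10.0.0.2", "10.0.0.1", 6, 80, 40000)  # same key, different flow
    key = ct.create(syn)
    return {
        "key": key,
        "syn": ct.lookup(syn)[1],
        "reply": ct.lookup(reply)[1],
        "other_flow": ct.lookup(other_flow),
        "entries": len(ct.table),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both directions of the sample flow resolve to one table entry, the reply is classified as `reverse`, and the colliding flow is a miss instead of a false hit; the race questions raised above (two CPUs updating the same entry, or the control plane deleting an entry the datapath just refreshed) are not addressed by this model, which has no synchronization at all.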