0 votes
352 views
in Technique by (71.8m points)

sctp - SCTP conntrack does not track INIT chunk types?

I have followed a simple SCTP server and SCTP client at http://simplestcodings.blogspot.com/2010/08/sctp-server-client-implementation-in-c.html

It works well.

Client and server can communicate successfully.

Then I tried to set up an iptables rule to drop the INIT packet on the server node:

iptables -A INPUT -p sctp -m conntrack --ctstate NEW -m sctp --chunk-types any INIT -j DROP

It drops the packet, and the client can no longer establish a connection.

However, when I tried to drop the INIT_ACK sent from the server with

iptables -A OUTPUT -p sctp -m conntrack --ctstate NEW -m sctp --chunk-types any INIT_ACK -j DROP

it looks like it does not drop INIT_ACK, and the connection from the client is set up fine.

Could you please tell me whether SCTP conntrack can drop INIT_ACK and COOKIE_ACK?

My conntrack log does not show any INIT, INIT_ACK or COOKIE_ACK:

[NEW] sctp     132 3 src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 [UNREPLIED] src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295
[UPDATE] sctp     132 3 src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295
[UPDATE] sctp     132 3 COOKIE_ECHOED src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295
[UPDATE] sctp     132 432000 ESTABLISHED src=199.569.9.50 dst=199.569.9.51 sport=57295 dport=62324 src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295 [ASSURED]

Is this expected?

For TCP, the conntrack log can show SYN_SENT / SYN_RECEIVED.

Many thanks, Naruto

asked by Naruto Nguyen, translated from SO
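As an added illustration (not part of the question and not the kernel's own code), here is a constructed Python model of how conntrack classifies each chunk of the handshake the question's rules try to match: the INIT is the first packet of a new entry, so it carries ctstate NEW, whereas the INIT_ACK is the first packet in the reply direction, which conntrack already reports as ESTABLISHED. The model evaluates the two rules from the question plus two variants that do not restrict the state to NEW; the chunk names are the ones accepted by `-m sctp --chunk-types`, and the state table is a simplified version of the handshake portion of the kernel's SCTP tracker.

```python
# Constructed model of how Linux conntrack classifies an SCTP association's
# handshake chunks, seen from the server (the peer that receives the INIT).
# "in"  = client -> server, the ORIGINAL direction of the conntrack entry
# "out" = server -> client, the REPLY direction
# Simplified for illustration; not the kernel's full nf_conntrack_proto_sctp table.

# SCTP protocol state the entry moves to after each handshake chunk.
HANDSHAKE = {
    ("in", "INIT"): "COOKIE_WAIT",
    ("out", "INIT_ACK"): "COOKIE_WAIT",
    ("in", "COOKIE_ECHO"): "COOKIE_ECHOED",
    ("out", "COOKIE_ACK"): "ESTABLISHED",
}

def track(packets):
    """For each (direction, chunk) return (direction, chunk, ctstate, sctp_state):
    ctstate is what '-m conntrack --ctstate' tests, sctp_state what the event log prints."""
    entry, seen_reply, result = None, False, []
    for direction, chunk in packets:
        if entry is None:
            ctstate = "NEW"           # first packet of the flow creates the entry
        elif direction == "out" or seen_reply:
            ctstate = "ESTABLISHED"   # every reply-direction packet, and all traffic after it
        else:
            ctstate = "NEW"           # retransmitted INITs before any reply are still NEW
        seen_reply = seen_reply or direction == "out"
        entry = HANDSHAKE.get((direction, chunk), entry)
        result.append((direction, chunk, ctstate, entry))
    return result

def rule_matches(rule, packet):
    """Rule shaped like the question's:
    -A <chain> -p sctp [-m conntrack --ctstate <S>] -m sctp --chunk-types any <C>.
    A ctstate of None means the rule has no '-m conntrack' clause."""
    chain, want_ctstate, want_chunk = rule
    direction, chunk, ctstate, _ = packet
    in_chain = direction == ("in" if chain == "INPUT" else "out")
    return in_chain and chunk == want_chunk and want_ctstate in (None, ctstate)

def first_dropped(rule, packets):
    """Name of the first chunk the rule would drop, or None if it never matches."""
    for packet in track(packets):
        if rule_matches(rule, packet):
            return packet[1]
    return None

# A normal 4-way handshake followed by one DATA chunk (constructed input).
HANDSHAKE_PKTS = [("in", "INIT"), ("out", "INIT_ACK"), ("in", "COOKIE_ECHO"),
                  ("out", "COOKIE_ACK"), ("in", "DATA")]

if __name__ == "__main__":
    for rule in [("INPUT", "NEW", "INIT"), ("OUTPUT", "NEW", "INIT_ACK"),
                 ("OUTPUT", "ESTABLISHED", "INIT_ACK"), ("OUTPUT", None, "INIT_ACK")]:
        print(rule, "->", first_dropped(rule, HANDSHAKE_PKTS))
```

Running it shows that the OUTPUT rule with `--ctstate NEW` never matches the INIT_ACK, which is consistent with the association being set up despite that rule, while the same rule without the NEW restriction (or with ESTABLISHED) would match it.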


1 Reply

0 votes
by (71.8m points)
Waiting for an expert to reply
