sctp - SCTP conntrack不跟踪init块类型吗？(SCTP conntrack does not track init chunk types?)

Question

Welcome To Ask or Share your Answers For Others

sctp - SCTP conntrack不跟踪init块类型吗？(SCTP conntrack does not track init chunk types?)

posted Mar 6, 2021 in Technique[技术] by 深蓝 (71.8m points)

sctp - SCTP conntrack不跟踪init块类型吗？(SCTP conntrack does not track init chunk types?)

I have followed a simple SCTP server and SCTP client at http://simplestcodings.blogspot.com/2010/08/sctp-server-client-implementation-in-c.html

(我在http://simplestcodings.blogspot.com/2010/08/sctp-server-client-implementation-in-c.html上关注了一个简单的SCTP服务器和SCTP客户端。)

It works well.

(它运作良好。)

Client and server can communicate successfully.

(客户端和服务器可以成功通信。)

Then I tried to set up an iptable rule to drop INIT package on server node

(然后，我尝试设置一个iptable规则以在服务器节点上删除INIT包)

iptables -A INPUT -p sctp  -m conntrack --ctstate NEW -m sctp
--chunk-types any INIT -j DROP

It can drop and connection cannot establish from client anymore.

(它会掉线，无法再从客户端建立连接。)

However, when I tried to drop INIT_ACK sent from server by

(但是，当我尝试删除服务器发送的INIT_ACK时，)

iptables -A OUTPUT -p sctp -m conntrack --ctstate NEW -m sctp --chunk-types any INIT_ACK -j DROP

(iptables -A输出-p sctp -m conntrack --ctstate新-m sctp --chunk-types任何INIT_ACK -j DROP)

looks like it cannot drop INIT_ACK and connection from client is setup well.

(看起来它无法删除INIT_ACK，并且来自客户端的连接设置正确。)

Could you please tell me if SCTP conntrack can drop INIT_ACK, COOKIE_ACK?

(您能否告诉我SCTP conntrack是否可以删除INIT_ACK，COOKIE_ACK？)

My conntrack log does not show any INIT, INIT_ACK, COOKIE_ACK

(我的conntrack日志未显示任何INIT，INIT_ACK，COOKIE_ACK)

[NEW] sctp     132 3 src=199.569.9.50 dst=199.569.9.51 sport=57295
dport=62324 [UNREPLIED] src=199.569.9.51 dst=199.569.9.50 sport=62324
dport=57295
[UPDATE] sctp     132 3 src=199.569.9.50 dst=199.569.9.51 sport=57295
dport=62324 src=199.569.9.51 dst=199.569.9.50 sport=62324 dport=57295
[UPDATE] sctp     132 3 COOKIE_ECHOED src=199.569.9.50
dst=199.569.9.51 sport=57295 dport=62324 src=199.569.9.51
dst=199.569.9.50 sport=62324 dport=57295
[UPDATE] sctp     132 432000 ESTABLISHED src=199.569.9.50
dst=199.569.9.51 sport=57295 dport=62324 src=199.569.9.51
dst=199.569.9.50 sport=62324 dport=57295 [ASSURED]

Is it expected?

(是预期的吗？)

In tcp, conntrack log can show SYN_SENT/ SYN_RECEIVED.

(在tcp中，conntrack日志可以显示SYN_SENT / SYN_RECEIVED。)

Many thanks, Naruto

(非常感谢，鸣人)

ask by Naruto Nguyen translate from so

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

Categories

sctp - SCTP conntrack不跟踪init块类型吗？(SCTP conntrack does not track init chunk types?)

sctp - SCTP conntrack不跟踪init块类型吗？(SCTP conntrack does not track init chunk types?)

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags