Monday, October 5, 2020

Linux iptables: Does "established" mean the same thing as it does in a Cisco ACL?

I'm asking a Linux question here because the issue only ever comes up when running Linux as ECMP transit devices, and I expect I'll get lectured about how TCP handshakes work over in sysadmintown.

I'm looking at an ECMP topology with parallel paths through Linux-based routers. Interfaces have some iptables incantations including -m state --state ESTABLISHED associated with them.

So, the question is, is the state module's ESTABLISHED keyword like the Cisco ACL equivalent, where it really means "any TCP segment with ACK bit set", or is the state module maintaining a flow table and matching incoming traffic against established flows?

As far as I can tell, the relevant setting is in /proc/sys/net/netfilter/nf_conntrack_tcp_loose. Enabling the flag here causes the conntrack feature (implicit with the iptables state module, I guess?) to automatically track stray (non-SYN) flows as they arrive. That's close, I guess, but I think I'd rather see truly stateless behavior like the Cisco ACL model.

Thoughts? Anybody been down this road before?
