RAW has the advantage that it sits before connection tracking and so can handle traffic with less impact on the resources being used.
A big problem is that new connections are hard to detect. So I was thinking: do you need connection tracking to know that for sure? The answer is yes.
So what if you turn it around? A connection is new when it is not present in the connections table.
A problem then is if a connection is marked ‘untracked’. Is that a problem? Not to me, because untracked is the same as how RAW sees those packets at the moment.
If the (new|related|untracked) status could be added to RAW, a new tool would be available to determine whether a connection is new (unknown) without using connection tracking (expensive).
Based on source address, and for related, source address and not the tracked port.
Invalid is pure connection tracking, so not for RAW.
I can see if TCP traffic is new in RAW, but not for the other protocols. The stateful firewall (connection tracking) will stop traffic or mark it established/related/invalid for Mangle and Filter.
Those other protocols will hit connection tracking, and I want to extend connection tracking into RAW to keep attacks in check. This check should only be usable if a specific protocol (own) and a destination port or a source port is supplied by the user. This will form a very small blocking surface for an attack that also has a very small surface.
Till now, only the big hammer could be used: block all incoming traffic on that port, or from a port that is also commonly used, like UDP 53. I can’t see in RAW if it is new traffic or traffic requested from inside the network. Only connection tracking knows it, and instead of checking all those incoming connections against the connection table, check them against a list containing only the established (and, to be upgraded, related) connections representing traffic initiated from the inside.
So a very small surface protection aimed at an attack that is also concentrated on a small entry point, excluding traffic not initiated from inside your network.
The very purpose of raw is to do some handling before the packet reaches connection tracking, as connection tracking is quite CPU intensive. So you can only do things in raw which do not need the information provided by connection tracking.
But new, established, related, invalid are not “physical” fields of a packet, they are labels assigned to the packet by the connection tracking. And if the connection tracking module doesn’t receive the first packet of a connection, it cannot start tracking the connection, so it cannot ever label any subsequent packet of that connection as established. Even if it did, the connection-state label is not yet assigned to a packet before connection tracking has seen it, i.e. at the time when it is handled by raw.
Without connection tracking, you could only match on SYN,!ACK in TCP (and probably some equivalent in SCTP) in raw, but there is nothing to match on for UDP and ICMP.
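A small model of the pipeline described in the reply above, added here as an example; it is not code from the thread and not RouterOS code. It shows the two points made: a RAW rule can decide "new" from the packet alone only for TCP (SYN set, ACK clear), returning "unknown" for UDP and ICMP; and connection tracking can only label a packet established if it saw the first packet of that flow, so dropping or notrack-ing the first packet in RAW leaves the reply looking like new (or invalid) traffic. The packets, addresses and the `Conntrack` class are constructed for illustration; the tracker is deliberately simplified (no timeouts, no related state, strict TCP so a non-SYN packet with no table entry is invalid).

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int                      # 0 for ICMP
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags such as {"SYN"}; empty for other protocols


def raw_is_new(pkt: Packet) -> Optional[bool]:
    """What a RAW rule can decide from the packet alone, before conntrack runs.

    TCP: SYN set and ACK clear is the first packet of a connection.
    UDP/ICMP: nothing in the packet separates a request from a reply -> None (unknown).
    """
    if pkt.proto == "tcp":
        return "SYN" in pkt.flags and "ACK" not in pkt.flags
    return None


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent 5-tuple so a reply lands on the same entry as its request."""
    fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return min(fwd, rev)


class Conntrack:
    """Simplified connection tracker (illustrative model, not the kernel implementation)."""

    def __init__(self) -> None:
        self.table: set = set()

    def label(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        if key in self.table:
            return "established"
        if pkt.proto == "tcp" and raw_is_new(pkt) is False:
            return "invalid"        # mid-stream TCP whose SYN we never saw
        self.table.add(key)         # first packet of a flow opens the entry
        return "new"


RawRule = Callable[[Packet], str]   # returns "accept", "drop" or "notrack"


def accept_all(pkt: Packet) -> str:
    return "accept"


def run(packets: List[Packet], raw_rule: RawRule = accept_all) -> List[Tuple[Packet, str, Optional[str]]]:
    """Push packets through RAW and then conntrack, in order.

    Returns (packet, raw verdict, conntrack label); the label is None when RAW
    dropped the packet and "untracked" when RAW told conntrack to skip it.
    """
    ct = Conntrack()
    out: List[Tuple[Packet, str, Optional[str]]] = []
    for pkt in packets:
        verdict = raw_rule(pkt)
        if verdict == "drop":
            out.append((pkt, verdict, None))
        elif verdict == "notrack":
            out.append((pkt, verdict, "untracked"))
        else:
            out.append((pkt, verdict, ct.label(pkt)))
    return out


def labels(packets: List[Packet], raw_rule: RawRule = accept_all) -> List[Optional[str]]:
    return [lbl for _, _, lbl in run(packets, raw_rule)]


# Constructed traffic (hypothetical LAN 192.168.88.0/24, TEST-NET addresses outside).
DNS_QUERY = Packet("udp", "192.168.88.10", 40000, "8.8.8.8", 53)
DNS_REPLY = Packet("udp", "8.8.8.8", 53, "192.168.88.10", 40000)
UDP_PROBE = Packet("udp", "203.0.113.7", 53, "192.168.88.10", 40000)      # unsolicited, from port 53
TCP_SYN = Packet("tcp", "192.168.88.10", 50000, "198.51.100.20", 443, frozenset({"SYN"}))
TCP_SYNACK = Packet("tcp", "198.51.100.20", 443, "192.168.88.10", 50000, frozenset({"SYN", "ACK"}))
INBOUND_SYN = Packet("tcp", "203.0.113.7", 55555, "192.168.88.10", 22, frozenset({"SYN"}))


def notrack_outbound_dns(pkt: Packet) -> str:
    """Hypothetical RAW rule: skip conntrack for queries the LAN sends to UDP/53.
    The reply does not match, so it still reaches conntrack, which has no entry for it."""
    if pkt.proto == "udp" and pkt.dport == 53 and pkt.src.startswith("192.168.88."):
        return "notrack"
    return "accept"


if __name__ == "__main__":
    for p in (INBOUND_SYN, TCP_SYNACK, DNS_REPLY, UDP_PROBE):
        print(p.proto, sorted(p.flags), "RAW says new:", raw_is_new(p))
    print(labels([DNS_QUERY, DNS_REPLY, UDP_PROBE]))             # conntrack tells reply from probe
    print(labels([TCP_SYNACK]))                                   # first packet missed -> invalid
    print(labels([DNS_QUERY, DNS_REPLY], notrack_outbound_dns))  # reply looks new, like the probe
```

The last two runs are the practical caveat: with the query untracked, the reply is indistinguishable from the unsolicited probe, so a filter rule that accepts only established/related and drops new would drop legitimate DNS answers. The same happens to TCP when RAW drops the SYN: the SYN-ACK arrives with no table entry and is labelled invalid rather than established.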