Guscht
Member Candidate
Topic Author
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Connection State New vs. Invalid

Sun May 08, 2022 7:50 pm

Hi,

can someone please explain the difference between the two connection states?

MT states:
NEW - The NEW state tells us that the packet is the first packet that we see. This means that the first packet that the conntrack module sees, within a specific connection, will be matched. For example, if we see a SYN packet and it is the first packet in a connection that we see, it will match;
INVALID - The INVALID state means that the packet can't be identified or that it does not have any state. It is suggested to DROP everything in this state;

If a packet enters from the WAN side into the Input chain, how can the router determine/decide whether the packet is INVALID vs. NEW?
For the router, the invalid packet is new at the same time (new, because it does not belong to an already existing connection, and invalid because it can't be identified -> because it's new).
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Connection State New vs. Invalid

Sun May 08, 2022 8:14 pm

Normally, a packet is attributed with connection state invalid if it does not match the expected state of a connection. But such analysis is only possible for protocols that are stateful on their own, such as TCP or SCTP. So a UDP packet can never be attributed with invalid as the very first packet with a tuple of (source IP address, source port, destination IP address, destination port) that is unknown to the connection tracking module is always new, and any subsequent packet with the same or mirrored combination of addresses and ports is established. A "first ever" TCP packet must contain a SYN flag, no other flags, and no payload in order to be considered new, otherwise it is invalid. But to make things more complicated, if loose-tcp-tracking is set to yes, which is the default, this in-depth analysis of TCP is skipped.

Unfortunately, there are also bugs. So after some security patch at 6.45.something, initial GRE packets started being considered invalid unless the PPTP helper is enabled. I'm not aware of this having been fixed since then.
 
Guscht
Member Candidate
Topic Author
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Re: Connection State New vs. Invalid

Sun May 08, 2022 8:37 pm

That's interesting! Is this written somewhere? Even in the iptables manpage, it is described very vaguely. Your argumentation makes sense to me.

I tried the following: the router pings 8.8.8.8, and in the RAW/Output chain I set ICMP to action=notrack, so the outgoing ICMP echo request is not tracked. The returning ICMP echo reply from 8.8.8.8 matches the invalid rule (Filter/Input chain).

Does the Invalid-Matcher here take into account that an ICMP echo reply can't be valid if there is no tracking entry from the outgoing/initial echo request? ICMP works portless, so there is only the (initial) internal source IP compared against the (initial) destination IP, and this is turned around/checked for the incoming ICMP reply. Or am I totally wrong here?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Connection State New vs. Invalid

Sun May 08, 2022 9:04 pm

That's interesting! Is this written somewhere?
The only description I have found is at https://thermalcircle.de/doku.php?id=bl ... d_examples (search for --ctstate INVALID on that page).

Does the Invalid-Matcher here take into account that an ICMP echo reply can't be valid if there is no tracking entry from the outgoing/initial echo request?
To be precise, it's not an "Invalid-Matcher" that takes this into account - it is the conntrack module that does, and it expresses the result as an attribute of the packet which the connection-state matcher then looks at later on. Otherwise yes, this is a good example of an invalid packet.

ICMP works portless, so there is only the (initial) internal source IP compared against the (initial) destination IP, and this is turned around/checked for the incoming ICMP reply.
Again, just a little bit of precision - the conntrack module doesn't care about "local" and "other" addresses, so it always checks both the source and the destination one. Also, ICMP echo responses are matched to ICMP echo requests not only by addresses but also by an ICMP header field called Identifier (not to be confused with the Identification field of the IP header) - this allows running multiple ping sequences between the same pair of addresses without mutual interference.
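To make the decision rules from sindy's two replies concrete (UDP first packet always new, strict TCP requiring a bare SYN with no payload, loose tracking skipping that check, and ICMP echo replies matched to requests by addresses plus Identifier), here is an added toy model of the connection-state decision. It is example code, not RouterOS or Linux conntrack code; the `Packet` and `Conntrack` names and the simplified loose-tracking behaviour are assumptions.

```python
# Added example, not from the thread or from MikroTik: a toy model of the
# connection-state decision sindy describes (new / established / invalid).
# Real conntrack (Linux nf_conntrack, RouterOS) is far more involved; only the
# decision points discussed in the thread are modelled.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                    # for icmp: the echo Identifier field
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags present, e.g. {"SYN"}
    payload_len: int = 0
    icmp_type: Optional[str] = None   # "echo-request" or "echo-reply"


class Conntrack:
    def __init__(self, loose_tcp_tracking: bool = True):
        self.loose = loose_tcp_tracking   # RouterOS default is yes
        self.table = set()                # tuples of tracked connections

    @staticmethod
    def _key(p: Packet, mirrored: bool = False):
        src, dst = (p.dst, p.src) if mirrored else (p.src, p.dst)
        if p.proto == "icmp":
            # echo request and reply match on both addresses plus the ICMP
            # Identifier (not the IP header's Identification field)
            return ("icmp", src, dst, p.sport)
        sport, dport = (p.dport, p.sport) if mirrored else (p.sport, p.dport)
        return (p.proto, src, dst, sport, dport)

    def classify(self, p: Packet) -> str:
        """Return the connection-state attribute the firewall matcher sees."""
        if self._key(p) in self.table or self._key(p, mirrored=True) in self.table:
            return "established"
        # no tracked connection: this is the first packet conntrack sees
        if p.proto == "icmp" and p.icmp_type == "echo-reply":
            return "invalid"              # reply with no tracked request
        if p.proto == "tcp" and not self.loose:
            # strict tracking: only a bare SYN with no payload may open a flow;
            # with loose tracking this check is skipped (simplified)
            if p.flags != frozenset({"SYN"}) or p.payload_len:
                return "invalid"
        self.table.add(self._key(p))      # UDP first packet is always new
        return "new"
```

Guscht's notrack experiment corresponds to never offering the outgoing echo request to `classify()`: the reply then arrives with no tracked tuple and is classified invalid.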
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connection State New vs. Invalid

Mon May 09, 2022 2:54 pm

State invalid in the input chain and forward chain actually checks very little if TCP connection tracking is set to "loose tracking" off, which is the default.
To give the invalid state more teeth set TCP connection tracking to "strict tracking".

From Sindy, paraphrasing ---> "if a TCP packet with a given unique combination of source and destination addresses and ports does not match any existing connection, it is new if it contains the SYN flag (and has zero payload length), otherwise it is invalid." In other words, with TCP tracking set to "strict", the router at the INVALID RULE looks at all new packets and specifically at the TCP portion of the new packet (the first packet of a new session!).

[attachment: strict.jpg]
