# Connection Tracker sources



## teiclap (Feb 1, 2021)

Hi,
I'd wish to read and understand the source code used for tracking connection and feeding NAT.
May someone point me to the right place in the source tree?

Thanks,
Claudio


----------



## mark_j (Feb 2, 2021)

If I understand you correctly, you're asking for the in-kernel NAT implementation?
First, read this:
Handbook (Section 31.4.4).
Second, look at the source in sys/contrib/ipfilter for all the stuff you want.
Third, read the manual page: ipnat(4)


----------



## Mjölnir (Feb 2, 2021)

IIRC ipfilter(5) is one of three different IP filters that come with FreeBSD; I guess ipfilter(5) is the least relevant (loosely speaking; in term of usage); this doesn't mean it's worse than the others.  The native (default, so to say) is ipfw(8), and many folks use pf(4) because it's syntax is of the historic OpenBSD version and allows to copy&paste rules from Books & the internet.
When reading through the docs & sources, keep that in mind & don't apply infos about A on B or C . IIUC ipnat(4) belongs to ipfilter(4), but that part (NAT) is also used by ipfw(4).


----------



## teiclap (Feb 4, 2021)

Thank you,
I have seen that specific connection trackers are located in sys/contrib/ipfilter, for instance the ftp tracker is ip_ftp_pxy.c
The code is clean and easy to understand.
I found nothing related to sctp there, is it handled somewhere else?
I am interested in the sctp tracker state machine.


----------



## SirDice (Feb 4, 2021)

"connection tracker" is a typical Linux IPTables name and construct.


----------



## mark_j (Feb 4, 2021)

teiclap said:


> Thank you,
> I have seen that specific connection trackers are located in sys/contrib/ipfilter, for instance the ftp tracker is ip_ftp_pxy.c
> The code is clean and easy to understand.
> I found nothing related to sctp there, is it handled somewhere else?
> I am interested in the sctp tracker state machine.


Maybe you should have mentioned this key bit of information? 
Did you look on github? It takes 10 seconds to find the code. Anyway, netinet/libalias/alias_sctp.c. HTH.


----------



## teiclap (Feb 4, 2021)

Thanks a lot.
I see that alias sctp implements a full-state design, it does validation and parsing of chunks.
In theory, there's no need for having a copy of sctp state machine here, nor to parse the sctp chunks.
It's just enough to create the nat entry if not existing based on source IP, destination IP, source port and destination port and keep a timer for cleaning the entry when the association is gone.
I wonder if it would be accepted a stateless sctp alias implementation.


----------



## mark_j (Feb 4, 2021)

You can submit suggestions to the IETF if you want.


----------

