¡¾×ªÌûLINUX¡¿netfilterÖеÄconntrackÄÚºËÔĶÁ±Ê¼Ç(5)

2008-07-07 22:09
6£¬TCP filterµÄÔ­Àí£º
µ±filterÊÕµ½Ä³¸öÁ¬½ÓµÄµÚÒ»¸ö±¨ÎÄʱ£¬»áΪ¸ÃÁ¬½ÓÔÚÈ«¾ÖÁ¬½Ó±íÖд´½¨Ò»¸ö±íÏ²¢Óñ¨ÎÄÖÐЯ´øµÄÔ´¡¢Ä¿µÄIPºÍ¶Ë¿ÚÕâ¸öËÄÔª×é´´½¨original tupleºÍreply tuple£¬ÕâÁ½¸ötuple·Ö±ð´Ó²»Í¬·½ÏòÀ´±êʶÕâ¸öÁ¬½Ó¡£ºóÐøµÄ±¨ÎÄ»á¸ù¾ÝÆäЯ´øµÄËÄÔª×éÕÒµ½ÏàÓ¦µÄÁ¬½Ó±íÏȻºó¸ù¾Ý±íÏîËù¼Ç¼µÄÀúʷ״̬£¬¼ì²é±¨ÎÄËùЯ´øµÄack¡¢Êý¾ÝÊÇ·ñÓÐЧ¡£
filterͨ¹ý·ÖÎö¸ÃÁ¬½ÓËùÓеÄÀúÊ·±¨ÎÄ£¬¼ÆËã³öackºÍÊý¾ÝÏàÓ¦µÄ×î´ó×îС·§Öµ£¬À´¼ì²éе½´ï±¨ÎÄackºÍÊý¾ÝµÄÓÐЧÐÔ¡£¸ÃÁ¬½ÓÏà¹ØµÄ×î´ó×îС·§ÖµÊǶ¯Ì¬±ä»¯µÄ£¬µ±Ð±¨ÎÄͨ¹ýÓÐЧÐÔ¼ì²éºó£¬·§Öµ½«Ê¹ÓÃб¨ÎÄËùЯ´øµÄÄÚÈÝÖØмÆËã¡£ÔÚÌÖÂÛÈçºÎÈ·Á¢·§ÖµÖ®Ç°£¬ÏÈÀ´¿´¼¸ÌõÔ¼¶¨¡£¼ÙÉèAºÍBÖ®¼äµÄ±¨ÎĶ¼¾­¹ýfilter£¬ÄÇô£º
l          filter¿ÉÒÔ¿´µ½A¡¢BÖ®¼äµÄËùÓб¨ÎÄÊý¾Ý£»
l          filter¿ÉÒÔ¿´µ½Ã¿¸ö±¨ÎÄÖÐËùÉùÃ÷µÄ´°¿Ú´óС£»
l          Èç¹ûB·¢Ë͵ı¨ÎĵÄACK±ê־λÖÃ룬ÇÒACK = n£¬ÄÇôfilter¿ÉÒÔÈÏΪBÒѽÓÊÕµ½µÄAÊý¾Ý£¬Æ䳤¶ÈÖÁÉÙΪn¡£
 
1£©£¬Á¬½ÓÏîÖе±Ç°ÓÐЧÊý¾Ý±ß½çµÄÈ·Á¢£º
¼ÙÉèAÏòB·¢Ë͵ı¨ÎÄÖУ¬Ëùº¬Êý¾Ý¶ÎΪ[seq,seq + len)£¬¼´±¨ÎÄËùº¬Êý¾ÝÆðʼSEQΪseq£¬Êý¾Ý³¤¶ÈΪlen¡£ÓÉÓÚAËù·¢Ë͵ı¨Îij¤¶È²»Äܳ¬¹ýBµ±Ç°´°¿ÚËùÄÜÈÝÄɵĴóС£¬Òò´ËÓÐЧÊý¾ÝµÄÉÏÏÞΪ£º
A :seq + len <= B : max { ack + max{win£¬1}} (I)
AËù·¢³ö±¨ÎÄÊý¾ÝµÄ×î´óÐòºÅ£¬Òª²»´óÓÚ´ÓB½ÓÊÕµ½µÄACK + max{win,1}µÄ×î´óÖµ¡£Ö®ËùÒÔÈ¡×î´óÖµ¶ø²»Ê¹ÓÃ×î½ü½ÓÊÕµ½µÄ±¨ÎĵÄÖµ£¬ÊÇÒòΪ±¨Îĵĵ½´ïÊÇÎÞÐòµÄ£¬½ÏСµÄ±¨ÎÄÓпÉÄÜÒòΪÆäËûÔ­Òò½ÏÍíµ½´ï¡£ÁíÍ⣬ÓÉÓÚ±¨ÎÄͨ¸æµÄ´°¿Ú´óСÓпÉÄÜΪ0£¬ÕâÖÖÇé¿öÏ£¬TCPµÄ¼á³Ö¶¨Ê±Æ÷ÔÊÐíA¼ä¸ôµØ·¢Ëͳ¤¶ÈΪ1µÄ´°¿Ú̽²â±¨ÎÄ£¬Òò´ÎÓÐЧÊý¾ÝµÄÉÏÏÞÐè²ÉÓÃmax{ win, 1}¡£ÉÏÏÞµÄÉèÖ㬿ÉÒÔ·ÀÖ¹BÊÕµ½³¬¹ýÆä´°¿Ú´óСµÄ±¨ÎÄ£¬filter¿ÉÒÔ½«Õⲿ·Ö±¨ÎÄÖ±½Ó¶ªÆú¶ø²»ÔÙת·¢µ½B¡£
ÓÐЧÊý¾ÝµÄÏÂÏÞ£º
A : seq >= A : max{ seq + len} – B : max{ max{ win, 1}} (II)
¼ÙÉèBµÄ×î´ó´°¿Ú´óСΪn£¬ÄÇôB¶Ë×î¶à¿ÉÒÔ»º´æn¸öAµÄ±¨ÎÄ£¬ÒòΪA¶ËËù·¢Ë͵ı¨ÎÄ×î¶àÓÐn¸öÉÐδȷÈÏ£¬¶ÔÓÚÒѾ­È·Èϵı¨ÎÄÔÙ´ÎÖØ·¢ÊÇûÓÐÒâÒåµÄ¡£
 
2£©£¬Á¬½ÓÏîÖе±Ç°ÓÐЧACK±ß½çµÄÈ·Á¢£º
ÒòΪA²»¿ÉÄÜΪÆäδÊÕµ½µÄÊý¾Ý½øÐÐÈ·ÈÏ£¬ËùÒÔ±¨Î