Difference between revisions of "Connection Tracking System"

Revision as of 14:12, 15 February 2021

nftables, like iptables before it, uses netfilter's connection tracking system (often referred to as conntrack or ct) to identify network packets as belonging to new, established, related, dying, or recently-closed connections. nftables and conntrack are frequently used together to create stateful firewalls and to perform network address translation (NAT). Although they are technically distinct components of netfilter, they are so often used together that it's highly relevant to collect some links to conntrack documentation here:

Reference	Description
Netfilter's Connection Tracking System, Pablo Neira Ayuso, ;login: Vol. 31 No. 3, 2006	conntrack design and implementation details
conntrack-tools documentation	the conntrack command line tool lets you inspect and maintain currently tracked connections
The state machine, Ch. 7 of Oskar Andreasson's Iptables Tutorial	Detailed introduction to conntrack, albeit using legacy iptables and /proc/net/ip_conntrack (now replaced by nftables and conntrack command, respectively).

@@ Line 13: / Line 13: @@
 | [http://conntrack-tools.netfilter.org/support.html conntrack-tools documentation]
 | the ''conntrack'' command line tool lets you inspect and maintain currently tracked connections
+|- style="vertical-align:top;"
+| [https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#STATEMACHINE ''The state machine'', Ch. 7 of Oskar Andreasson's ''Iptables Tutorial'']
+| Detailed introduction to conntrack, albeit using legacy iptables and /proc/net/ip_conntrack (now replaced by nftables and ''conntrack'' command, respectively).
 |}

Difference between revisions of "Connection Tracking System"

Revision as of 14:12, 15 February 2021

Navigation menu

Search