Connection Tracking System

From nftables wiki
Revision as of 03:57, 13 April 2021 by Fmyhr (talk | contribs) (References: added Debian manpages for conntrack and conntrackd.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

nftables uses netfilter's Connection Tracking system (often referred to as conntrack or ct) to associate network packets with connections and the states of those connections. An nftables ruleset performs stateful firewalling by applying policy based on whether or not packets are valid parts of tracked connections.

nftables also frequently performs network address translation using Netfilter's NAT engine, which is itself built on top of conntrack. You can use nft to configure NAT.

conntrack and nftables (and NAT) are technically distinct components of netfilter. Even so, conntrack is so often used together with nftables that it's worth including an overview and references to further documentation about it here.

Conntrack sysfs variables

References

Reference Description
Netfilter's Connection Tracking System, Pablo Neira Ayuso, ;login: Vol. 31 No. 3, 2006 Connection Tracking design and implementation details.
Netfilter Connection Tracking and NAT Implementation, Magnus Boye, Aalto University School of Electrical Engineering, 2012 More details of conntrack internals. Also delves into netfilter NAT and some of its potential vulnerabilities.
conntrack-tools documentation The conntrack command line tool lets you inspect and maintain currently tracked connections.

The conntrackd daemon adds support for userspace connection tracking helpers for additional L7 protocols, including DHCPv6, MDNS, SLP, SSDP, RPC, NFSv3, and Oracle TNS.
Note: Unfortunately it seems the online documentation here is not kept up to date. See Debian man pages below for more recent documentation.

Debian man conntrack

Debian man conntrackd

Recent man pages for conntrack-tools, courtesy of Debian.
The state machine, Ch. 7 of Oskar Andreasson's Iptables Tutorial Detailed introduction to conntrack, albeit using legacy iptables and /proc/net/ip_conntrack (now replaced by nftables and conntrack command, respectively).