Connection Tracking System
nftables uses netfilter's Connection Tracking system (usually called conntrack or ct) to associate network packets with connections and with the state of those connections. An nftables ruleset performs stateful firewalling by applying policy according to whether a packet belongs to a tracked connection and, if so, in which state that connection is: in nftables terms, matching on the ct state expression (new, established, related, invalid, untracked).
conntrack, nftables and NAT are technically distinct components of netfilter. Even so, conntrack is used together with nftables so often that an overview and pointers to further documentation belong here.
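As an added illustration of the stateful firewalling described above (this ruleset is not part of the original page or of the nftables project's documentation), here is a minimal inet filter table that lets conntrack state drive the policy. The interface names lan0 and wan0 and the set of admitted services (SSH, HTTPS, ping) are assumptions chosen for the example:

```nft
#!/usr/sbin/nft -f
# Added example: stateful host/router firewall driven by ct state.
# Interface names (lan0, wan0) and the allowed ports are assumptions.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic is exempt from the stateful checks below.
        iif lo accept

        # Packets conntrack cannot fit into any known connection
        # (bad TCP flags, out-of-window data, stray replies) go first.
        ct state invalid drop

        # Replies and follow-on packets of connections already tracked,
        # plus "related" flows such as ICMP errors and helper-expected data.
        ct state established,related accept

        # Only these services may open a new connection from outside.
        ct state new tcp dport { 22, 443 } accept
        ct state new icmp type echo-request accept
        ct state new icmpv6 type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept

        # Hosts on the LAN may initiate connections toward the WAN;
        # nothing on the WAN may initiate connections into the LAN.
        iifname "lan0" oifname "wan0" ct state new accept
    }
}
```

Load it with `nft -f` and then compare `nft list ruleset` against the live table printed by `conntrack -L`: every packet accepted by the established,related rule corresponds to an entry in that table, which is the practical check that the stateful rules, rather than the per-port rules, are doing the work. Ordering matters: the invalid drop must precede the established,related accept, otherwise malformed packets that conntrack has refused to classify never reach the drop rule at all.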
| Reference | Notes |
| --- | --- |
| Netfilter's Connection Tracking System, Pablo Neira Ayuso, ;login: Vol. 31 No. 3, 2006 | Connection Tracking design and implementation details. |
| Netfilter Connection Tracking and NAT Implementation, Magnus Boye, Aalto University School of Electrical Engineering, 2012 | More detail on conntrack internals. Also covers netfilter NAT and some of its potential vulnerabilities. |
| conntrack-tools documentation | The conntrack command line tool lets you inspect and maintain the currently tracked connections. The conntrackd daemon replicates connection state between firewalls in a high-availability setup and also provides userspace connection tracking helpers for additional L7 protocols, including DHCPv6, MDNS, SLP, SSDP, RPC, NFSv3 and Oracle TNS. |
| Debian man conntrack | Recent man pages for conntrack-tools, courtesy of Debian. |
| The state machine, Ch. 7 of Oskar Andreasson's Iptables Tutorial | Detailed introduction to conntrack, albeit written for legacy iptables and /proc/net/ip_conntrack (now superseded by nftables and the conntrack command, respectively). |