Connection Tracking System: Difference between revisions

From nftables wiki
Jump to navigation Jump to search
(Added Oskar Andreasson's detailed into to conntrack)
(References: added Debian manpages for conntrack and conntrackd.)
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
nftables, like iptables before it, uses netfilter's connection tracking system (often referred to as ''conntrack'' or ''ct'') to identify network packets as belonging to new, established, related, dying, or recently-closed connections. nftables and conntrack are frequently used together to create [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewalls] and to perform [https://en.wikipedia.org/wiki/Network_address_translation network address translation (NAT)]. Although they are technically distinct components of [https://www.netfilter.org/ netfilter], they are so often used together that it's highly relevant to collect some links to ''conntrack'' documentation here:
nftables uses netfilter's Connection Tracking system (often referred to as ''conntrack'' or ''ct'') to associate network packets with connections and the states of those connections. An nftables ruleset performs [https://en.wikipedia.org/wiki/Stateful_firewall stateful firewalling] by applying policy based on whether or not packets are valid parts of tracked connections.
 
nftables also frequently performs [https://en.wikipedia.org/wiki/Network_address_translation network address translation] using Netfilter's NAT engine, which is itself built on top of conntrack. You can [[Performing_Network_Address_Translation_(NAT)|use ''nft'' to configure NAT]].
 
conntrack and nftables (and NAT) are technically distinct components of [https://www.netfilter.org/ netfilter]. Even so, conntrack is so often used together with nftables that it's worth including an overview and references to further documentation about it here.
 
= [https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git/tree/Documentation/networking/nf_conntrack-sysctl.rst Conntrack sysfs variables] =
 
 
= References =


{| class="wikitable"
{| class="wikitable"
Line 8: Line 17:
|- style="vertical-align:top;"
|- style="vertical-align:top;"
| [http://people.netfilter.org/pablo/docs/login.pdf  ''Netfilter's Connection Tracking System'', Pablo Neira Ayuso, ;login: Vol. 31 No. 3, 2006]
| [http://people.netfilter.org/pablo/docs/login.pdf  ''Netfilter's Connection Tracking System'', Pablo Neira Ayuso, ;login: Vol. 31 No. 3, 2006]
| conntrack design and implementation details
| Connection Tracking design and implementation details.
 
|- style="vertical-align:top;"
| [https://wiki.aalto.fi/download/attachments/69901948/netfilter-paper.pdf ''Netfilter Connection Tracking and NAT Implementation'', Magnus Boye, Aalto University School of Electrical Engineering, 2012]
| More details of conntrack internals. Also delves into netfilter NAT and some of its potential vulnerabilities.


|- style="vertical-align:top;"
|- style="vertical-align:top;"
| [http://conntrack-tools.netfilter.org/support.html conntrack-tools documentation]
| [http://conntrack-tools.netfilter.org/support.html conntrack-tools documentation]
| the ''conntrack'' command line tool lets you inspect and maintain currently tracked connections
| The ''conntrack'' command line tool lets you inspect and maintain currently tracked connections.
The ''conntrackd'' daemon adds support for userspace connection tracking helpers for additional L7 protocols, including DHCPv6, MDNS, SLP, SSDP, RPC, NFSv3, and Oracle TNS.<br>
'''Note''': Unfortunately it seems the online documentation here is not kept up to date. See Debian man pages below for more recent documentation.
 
|- style="vertical-align:top;"
| [https://manpages.debian.org/unstable/conntrack/conntrack.8.en.html Debian man conntrack]
[https://manpages.debian.org/unstable/conntrackd/conntrackd.8.en.html Debian man conntrackd]
| Recent man pages for conntrack-tools, courtesy of Debian.


|- style="vertical-align:top;"
|- style="vertical-align:top;"

Latest revision as of 02:57, 13 April 2021

nftables uses netfilter's Connection Tracking system (often referred to as conntrack or ct) to associate network packets with connections and the states of those connections. An nftables ruleset performs stateful firewalling by applying policy based on whether or not packets are valid parts of tracked connections.

nftables also frequently performs network address translation using Netfilter's NAT engine, which is itself built on top of conntrack. You can use nft to configure NAT.

conntrack and nftables (and NAT) are technically distinct components of netfilter. Even so, conntrack is so often used together with nftables that it's worth including an overview and references to further documentation about it here.

Conntrack sysfs variables

References

Reference Description
Netfilter's Connection Tracking System, Pablo Neira Ayuso, ;login: Vol. 31 No. 3, 2006 Connection Tracking design and implementation details.
Netfilter Connection Tracking and NAT Implementation, Magnus Boye, Aalto University School of Electrical Engineering, 2012 More details of conntrack internals. Also delves into netfilter NAT and some of its potential vulnerabilities.
conntrack-tools documentation The conntrack command line tool lets you inspect and maintain currently tracked connections.

The conntrackd daemon adds support for userspace connection tracking helpers for additional L7 protocols, including DHCPv6, MDNS, SLP, SSDP, RPC, NFSv3, and Oracle TNS.
Note: Unfortunately it seems the online documentation here is not kept up to date. See Debian man pages below for more recent documentation.

Debian man conntrack

Debian man conntrackd

Recent man pages for conntrack-tools, courtesy of Debian.
The state machine, Ch. 7 of Oskar Andreasson's Iptables Tutorial Detailed introduction to conntrack, albeit using legacy iptables and /proc/net/ip_conntrack (now replaced by nftables and conntrack command, respectively).