Connection Tracking System: Difference between revisions

From nftables wiki
Revision as of 22:52, 15 February 2021

nftables, like iptables before it, uses netfilter's Connection Tracking system (often referred to as conntrack or ct) to identify network packets as belonging to new, established, related, dying, or recently-closed connections. nftables and conntrack are frequently used together to create stateful firewalls. In addition, netfilter's network address translation (NAT) engine (which you can use nft to configure) is built on top of conntrack. Although these are technically distinct components of netfilter, they are so often used together that it's highly relevant to collect some links to conntrack documentation here:

{| class="wikitable"
! Reference !! Description
|- style="vertical-align:top;"
| [http://people.netfilter.org/pablo/docs/login.pdf ''Netfilter's Connection Tracking System'', Pablo Neira Ayuso, ;login: Vol. 31 No. 3, 2006]
| Connection Tracking design and implementation details.
|- style="vertical-align:top;"
| [https://wiki.aalto.fi/download/attachments/69901948/netfilter-paper.pdf ''Netfilter Connection Tracking and NAT Implementation'', Magnus Boye, Aalto University School of Electrical Engineering, 2012]
| More details of conntrack internals. Also delves into netfilter NAT and some of its potential vulnerabilities.
|- style="vertical-align:top;"
| conntrack-tools documentation
| The ''conntrack'' command line tool lets you inspect and maintain currently tracked connections.

The ''conntrackd'' daemon adds support for userspace connection tracking helpers for additional L7 protocols, including DHCPv6, MDNS, SLP, SSDP, RPC, NFSv3, and Oracle TNS.
|- style="vertical-align:top;"
| ''The state machine'', Ch. 7 of Oskar Andreasson's ''Iptables Tutorial''
| Detailed introduction to conntrack, albeit using legacy iptables and /proc/net/ip_conntrack (now replaced by nftables and the ''conntrack'' command, respectively).
|}
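As an added illustration that is not part of this wiki page or the netfilter project's own documentation, the following ''nft'' ruleset shows how the conntrack states mentioned above drive a stateful firewall and how NAT sits on top of the same tracking table. The interface names ''lan0'' and ''wan0'' and the single open port (SSH) are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Example stateful firewall built on conntrack (ct) state matching.
# Assumed interfaces: lan0 (inside), wan0 (uplink). Adjust to your host.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Packets conntrack cannot associate with any flow (bad TCP flags,
        # out-of-window sequence numbers, malformed headers): drop first.
        ct state invalid drop

        # Replies to flows this host already opened, plus "related" flows
        # such as ICMP errors or helper-tracked data channels.
        ct state established,related accept

        iif lo accept
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Only packets opening a brand-new connection reach this point;
        # admit just the services you intend to expose.
        tcp dport 22 ct state new accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        # Hosts on lan0 may open new connections towards the uplink; nothing
        # unsolicited from wan0 is forwarded because it never matches "new" here.
        iifname "lan0" oifname "wan0" ct state new accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Source NAT: the conntrack entry created for each lan0 flow records the
        # rewritten tuple, which is how reply packets are mapped back.
        oifname "wan0" masquerade
    }
}
```

Load it with <code>nft -f</code> and then inspect the entries conntrack has created for admitted flows with <code>conntrack -L</code> (from conntrack-tools); a reply that arrives without a matching entry is what the ''invalid'' rule above discards.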