
When does iptable's conntrack module track states of packets?
15 August 2020 · Conntrack functionality is a Linux kernel module, and it is often included in the kernel in default configuration. Conntrack operation can be tuned by adjusting net.netfilter.nf_conntrack sysctl values. Your second alternative is what happens.
linux - continuously monitor ip_conntrack in order to monitor …
20 April 2017 · The program reads its information from /proc/net/ip_conntrack or /proc/net/nf_conntrack, which is the temporary conntrack-storage of netfilter. You just need to take care of logging its output and monitoring it.
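The monitoring described in that answer, as an added example that is not part of the original thread: a small POSIX shell script that summarises a dump in the /proc/net/nf_conntrack column layout and warns when the table approaches nf_conntrack_max. The table lines embedded below are constructed sample data; on a real host read the file and the limit from /proc/net/nf_conntrack and /proc/sys/net/netfilter/nf_conntrack_max, and the 80% threshold is an assumed default.

```shell
#!/bin/sh
# Added example: summarise a conntrack table dump and flag high table usage.
# The sample table below is constructed; it mirrors the /proc/net/nf_conntrack
# layout (l3proto l3num l4proto l4num timeout [tcp-state] orig-tuple reply-tuple flags).

# Constructed sample table, four entries.
sample_table() {
  cat <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=192.168.1.10 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=192.168.1.10 dst=10.0.0.5 sport=40000 dport=22 [UNREPLIED] src=10.0.0.5 dst=192.168.1.10 sport=22 dport=40000 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=41234 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=41234 mark=0 zone=0 use=2
ipv4     2 tcp      6 10 TIME_WAIT src=192.168.1.11 dst=93.184.216.34 sport=51300 dport=80 src=93.184.216.34 dst=192.168.1.11 sport=80 dport=51300 [ASSURED] mark=0 zone=0 use=2
EOF
}

# ct_summary FILE: one line "proto state count" per (protocol, state) pair.
# Only TCP carries a state column; other protocols are reported with "-".
ct_summary() {
  awk '{ state = ($3 == "tcp") ? $6 : "-"; n[$3 " " state]++ }
       END { for (k in n) print k, n[k] }' "$1" | sort
}

# ct_unreplied FILE: number of entries that never saw a reply packet
# (half-open TCP handshakes, one-way UDP); a sudden rise often means a flood.
ct_unreplied() {
  grep -c '\[UNREPLIED\]' "$1"
}

# ct_usage_pct COUNT MAX: integer percentage of the table in use.
ct_usage_pct() {
  echo $(( $1 * 100 / $2 ))
}

# ct_check FILE MAX [THRESHOLD_PCT]: return 1 with a warning on stderr when
# usage reaches the threshold (assumed default 80%), otherwise return 0.
ct_check() {
  count=$(grep -c '' "$1")
  pct=$(ct_usage_pct "$count" "$2")
  if [ "$pct" -ge "${3:-80}" ]; then
    echo "WARNING: conntrack table ${pct}% full ($count/$2 entries)" >&2
    return 1
  fi
  echo "conntrack table ${pct}% full ($count/$2 entries)"
}

# Stand-alone run against the constructed sample with a deliberately tiny max,
# so the warning path is exercised. Replace with:
#   ct_check /proc/net/nf_conntrack "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
tmp=$(mktemp)
sample_table > "$tmp"
ct_summary "$tmp"
echo "unreplied: $(ct_unreplied "$tmp")"
ct_check "$tmp" 5 || true
rm -f "$tmp"
```

Run it from cron or a systemd timer and keep the summary lines; the per-state counts are what tell a SYN flood (many SYN_SENT or SYN_RECV, many [UNREPLIED]) apart from a legitimately busy box (mostly ESTABLISHED and [ASSURED]).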
Is -m conntrack --ctstate NEW,ESTABLISHED necessary?
18 October 2022 · When such a packet arrives, it sets a flag on the packet, that it belongs to some "known" connection. Then, the -m conntrack --ctstate ESTABLISHED in the firewall uses that flag and it will match any of those "known" packets. This way, you can match precisely replies to your outgoing packets, without even knowing in advance what they are, at ...
iptables - Conntrack: Does deletion of conntrack entry delete the …
7 November 2011 · Conntrack just enables you to view and manipulate the stateful data about connections. It doesn't manipulate the TCP packets flowing as part of that ssh connection. If you want to break the ssh session, and you just delete that connection's state data, a new connection will begin being tracked.
nf_conntrack_ipv6 not tracking outgoing connections
I'm trying to get outgoing IPv6 routing going, my issue is, that conntrack is not working correctly. I've dumped the traffic via tcpdump, which shows me that the packets go outside (e.g. internal interface -> router -> isp) and that I receive a response (isp -> router).
Newest 'conntrack' Questions - Server Fault
24 April 2024 · "nf_conntrack: table full, dropping packet" even though nf_conntrack_count is much less than nf_conntrack_max I have a node in our cluster which gets lots of "nf_conntrack: table full, dropping packet" messages in the syslog.
Understanding connection tracking in iptables - Server Fault
So, to answer the question, conntrack is for use with the conntrack toolkit and supersedes state in this regard. It is better than state if you are planning on using the conntrack tool kit. Connection tracking is on for traffic flows, it constantly tries to match flows to rules. The answer that follows for question 2 is, yes, use conntrack
Persisting nf_conntrack_max Across Reboots - Server Fault
The reply by Ethan Xu is one solution, but if you don't want to load nf_conntrack at boot, you can set nf_conntrack_max later upon module load, as documented by sysctl and already proposed in a systemd issue:
ftp - iptables nf_conntrack_ftp not working? - Server Fault
options nf_conntrack_ftp ports=21 It tells the nf_conntrack_ftp module to expect FTP control traffic specifically in port 21. It used to be the default, but I think the defaults were removed in favor of explicit configuration, back in year 2012 or so.
How to prevent netfilter to automatically change the source ports
3 August 2021 · As Netfilter and conntrack know nothing about routing (the conntrack lookup table includes only addresses) they must be taught to consider these flows separately by adding a zone property manually tied to the routing topology in the conntrack lookup table. (Here's an LWN link when the feature was originally proposed.)