conntrack-tools

Software Details:
Version: 1.4.1
Upload Date: 20 Feb 15
Developer: Harald Welte
Distribution Type: Freeware
Downloads: 7

Rating: 5.0/5 (Total Votes: 1)

conntrack-tools offers a set of free software userspace tools for Linux that allow system administrators to interact with the Connection Tracking System, which is the module that provides stateful packet inspection for iptables. The conntrack-tools are the userspace daemon conntrackd and the command line interface conntrack.

Why use the conntrack-tools?

The userspace daemon conntrackd can be used to enable high availability cluster-based stateful firewalls and to collect statistics on the stateful firewall's use. The command line interface conntrack provides a more flexible interface to the connection tracking system than /proc/net/ip_conntrack.

What can the conntrack-tools do for me?

Lots of cool things. conntrackd covers the specific aspects of stateful Linux firewalls needed to enable high availability solutions, and it can be used as a statistics collector for the firewall's use as well. The command line interface conntrack provides an interface to add, delete and update flow entries, list currently active flows in plain text or XML, list current IPv4 NAT'ed flows, reset counters atomically, flush the connection tracking table and monitor connection tracking events, among many other things.

So, does conntrackd provide an equivalent of OpenBSD's pfsync?

Yes. conntrackd synchronizes the states among several replica firewalls, so you can deploy failover setups with stateful Linux firewalls. See the support section for more information. In addition, conntrackd can also be used to collect statistics on the stateful firewall's use.

Why use the command line tool conntrack instead of /proc/net/ip_conntrack?

There are several good reasons to do so. The /proc interface offers a quite limited interface to the Connection Tracking System, since it only allows you to dump the currently active network flows. Instead, conntrack allows you to update network flows without adding a new iptables rule, e.g. to update the conntrack mark, or to dump the connection tracking table in XML format. Moreover, using the /proc interface to dump the connection tracking table on very busy firewalls, i.e. those with tons of connection states, harms performance. Specifically, this becomes a problem if you poll the /proc interface to get firewall statistics. Also, conntrack offers connection event monitoring, which is a feature that the /proc interface does not provide.

Can I use conntrack to cut established TCP connections?

Yes. You can use conntrack to kill an established TCP connection without adding an iptables rule. Of course, this requires a sane stateful ruleset that blocks any packet not matching an existing entry in the Connection Tracking Table. Basically, the idea consists of removing the entry that describes the victim TCP connection; the client then experiences a connection hang. Moreover, since conntrack is not dependent on the layer 4 protocol, you can use it to kill any layer 4 network flow (UDP, SCTP, ...).
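As an added example (not code from the conntrack-tools project or from this page), the two answers above in code: a parser for the plain-text `conntrack -L` listing format, and a selector that turns established TCP flows the ruleset no longer permits into the exact `conntrack -D` invocation an administrator would run on the firewall. The listing is a constructed sample, and the allowed-port policy is an assumption made for the example.

```python
import shlex
from dataclasses import dataclass

# Constructed sample of `conntrack -L` plain-text output (not captured from a real host).
SAMPLE_LISTING = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.20 sport=51234 dport=443 src=198.51.100.20 dst=192.0.2.10 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=192.0.2.11 dst=198.51.100.30 sport=40022 dport=23 src=198.51.100.30 dst=192.0.2.11 sport=23 dport=40022 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=192.0.2.12 dst=198.51.100.40 sport=38000 dport=8080 src=198.51.100.40 dst=192.0.2.12 sport=8080 dport=38000 [UNREPLIED] mark=0 use=1
udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=40000 mark=0 use=1
"""

@dataclass
class Flow:
    proto: str
    state: str    # TCP prints a state column; UDP has none (None here)
    orig: dict    # original-direction tuple: src, dst, sport, dport
    reply: dict   # reply-direction tuple (the second src/dst/sport/dport quartet)
    flags: list   # bracketed flags such as ASSURED or UNREPLIED

def parse_flow(line):
    """Parse '<proto> <protonum> <timeout> [<state>] key=value ... [FLAG] ...'."""
    tokens = line.split()
    proto, rest = tokens[0], tokens[3:]
    state = rest.pop(0) if proto == "tcp" else None
    orig, reply, flags = {}, {}, []
    for tok in rest:
        key, _, value = tok.partition("=")
        if tok.startswith("["):
            flags.append(tok.strip("[]"))
        elif key in ("src", "dst", "sport", "dport"):
            (orig if key not in orig else reply)[key] = value
    return Flow(proto, state, orig, reply, flags)

def parse_listing(text):
    return [parse_flow(line) for line in text.splitlines() if line.strip()]

def flows_to_cut(flows, allowed_dports):
    """Established TCP flows whose original destination port the ruleset no longer permits."""
    return [f for f in flows if f.proto == "tcp" and f.state == "ESTABLISHED"
            and int(f.orig["dport"]) not in allowed_dports]

def delete_command(flow):
    """`conntrack -D` invocation that removes exactly this entry, matched on its original tuple."""
    return shlex.join(["conntrack", "-D", "-p", flow.proto,
                       "--orig-src", flow.orig["src"], "--orig-dst", flow.orig["dst"],
                       "--orig-port-src", flow.orig["sport"], "--orig-port-dst", flow.orig["dport"]])

if __name__ == "__main__":
    for f in flows_to_cut(parse_listing(SAMPLE_LISTING), {443}):
        print(delete_command(f))   # review, then run as root on the firewall
```

Deleting the entry only hangs the connection if, as the answer says, the ruleset drops packets that no longer match a conntrack entry; otherwise the next packet simply recreates the state.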

What is new in this release:

  • This version adds support for dumping the "dying" and "unconfirmed" lists via ctnetlink.
  • A deadlock due to wrong nested signal blocking was resolved.

What is new in version 1.4.0:

  • This version adds the user-space helper infrastructure, which includes the RPC portmapper (to support NFSv3) and Oracle*TNS helpers.

What is new in version 1.2.2:

  • Selective flushing for the "-t" and "-F" command options has been implemented.
  • The commit operation is now synchronous.

What is new in version 1.2.0:

  • This version supports NAT expectations, synchronization of the expectation class, helper names, and expect functions.
  • Filtering by mark is now allowed.
  • Example configurations for Q.931 and H.245 have been added.

What is new in version 1.0.1:

  • Support for mark masks was added.

What is new in version 0.9.11:

  • This release includes accumulated fixes, one improvement for the polling approach and a couple of new features.

What is new in version 0.9.10:

  • A new '-C' option for the command line interface displays the number of entries in the conntrack and expectation tables.
  • Internal performance improvements.
  • Support for multi-dedicated links.
  • Extended statistics information.
  • Polling (or batch-based) synchronization.

What is new in version 0.9.9:

  • Filtering support was added for related connections (-L --status EXPECTED).
  • Several manpage updates were made.
  • A new message format is used in the replication protocol (which breaks backward compatibility with previous conntrack-tools releases).
  • Several performance improvements were made.
  • CIDR-based filtering support was added.
  • Fixes and improvements were made in the state injection to kernel (committing).
  • Several cleanups were made.

What is new in version 0.9.8:

  • This release includes many updates, fixes, and improvements in the command line tool and the user-space daemon.
  • Upgrading is recommended.

Requirements:

  • libnfnetlink
  • libnetfilter_conntrack
