authorPablo Neira Ayuso <>2020-06-07 21:43:52 +0200
committerPablo Neira Ayuso <>2020-06-07 21:54:02 +0200
commit5952c01eaf2f4256d4804f6bf2ecfed2087cdc29 (patch)
tree13cce7194c33a04056521f027424b6f57199a3d0 /doc
parent9bed87a72ea37ac55b24cfb37c7b5d28d7d06837 (diff)
doc: manual: refer to nf_conntrack sysctl
ip_conntrack sysctl entries are very old and available for backward compatibility reasons.

Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'doc')
1 files changed, 5 insertions, 6 deletions
diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl
index 9af0b3f..739b7f1 100644
--- a/doc/manual/conntrack-tools.tmpl
+++ b/doc/manual/conntrack-tools.tmpl
@@ -59,14 +59,13 @@
<chapter id="what"><title>What are the conntrack-tools?</title>
<para>The conntrack-tools are a set of free software tools for GNU/Linux that allow system administrators interact, from user-space, with the in-kernel <ulink url="">Connection Tracking System</ulink>, which is the module that enables stateful packet inspection for iptables. Probably, you did not hear about this module so far. However, if any of the rules of your rule-set use the <emphasis>state</emphasis> or <emphasis>ctstate</emphasis> iptables matches, you are indeed using it.
<para>The <ulink url="">conntrack-tools</ulink> package contains two programs:</para>
- <para><emphasis>conntrack</emphasis> is command line interface conntrack provides a more flexible interface to the connnection tracking system than /proc/net/ip_conntrack. With conntrack, you can show, delete and update the existing state entries; and you can also listen to flow events.</para>
+ <para><emphasis>conntrack</emphasis> provides a full featured command line utility to interact with the connection tracking system. The <emphasis>conntrack</emphasis> utility provides a replacement for the limited /proc/net/nf_conntrack interface. With <emphasis>conntrack</emphasis>, you can list, update and delete the existing flow entries; you can also listen to flow events.</para>
<para><emphasis>conntrackd</emphasis> is the user-space connection tracking daemon. This daemon can be used to deploy fault-tolerant GNU/Linux firewalls but you can also use it to collect flow-based statistics of the firewall use.</para>
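Review bot: in the added paragraph, "full featured command line utility" should be hyphenated as "full-featured command line utility", and the two consecutive sentences both open with "<emphasis>conntrack</emphasis> provides ...", which reads repetitively; consider merging them, e.g. "<emphasis>conntrack</emphasis> is a full-featured command line utility to interact with the connection tracking system, replacing the limited /proc/net/nf_conntrack interface." The surrounding context line still says "allow system administrators interact" (missing "to"), which could be fixed in the same pass since this paragraph is already being touched.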
@@ -167,10 +166,10 @@
<chapter id="conntrack"><title>Using conntrack: the command line interface</title>
- <para>The <emphasis>/proc/net/ip_conntrack</emphasis> interface is very limited as it only allows you to display the existing flows, their state and other information:</para>
+ <para>The <emphasis>/proc/net/nf_conntrack</emphasis> interface is very limited as it only allows you to display the existing flows, their state and metadata such the flow mark:</para>
- # cat /proc/net/ip_conntrack
+ # cat /proc/net/nf_conntrack
tcp 6 431982 ESTABLISHED src= dst= sport=34846 dport=993 packets=169 bytes=14322 src= dst= sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 use=1
tcp 6 431698 ESTABLISHED src= dst= sport=34849 dport=993 packets=244 bytes=18723 src= dst= sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 use=1
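Review bot: the added sentence is missing a word: "metadata such the flow mark" should read "metadata such as the flow mark". Otherwise the change is consistent with the commit's intent, since the sample command and output now refer to /proc/net/nf_conntrack rather than the legacy ip_conntrack path.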
@@ -200,7 +199,7 @@ conntrack v1.4.6 (conntrack-tools): 1 flow entries have been updated.
<para>Delete one entry, this can be used to block traffic if:</para>
<listitem><para>You have a stateful rule-set that blocks traffic in INVALID state.</para></listitem>
- <listitem><para>You have set <emphasis>/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose</emphasis> or <emphasis>/proc/sys/net/netfilter/nf_conntrack_tcp_loose</emphasis>, depending on your kernel version, to zero.</para></listitem>
+ <listitem><para>You set <emphasis>/proc/sys/net/netfilter/nf_conntrack_tcp_loose</emphasis> to zero.</para></listitem>
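Review bot: the rewritten list item drops the perfect tense and no longer parallels the preceding item ("You have a stateful rule-set ..."); "You have set <emphasis>/proc/sys/net/netfilter/nf_conntrack_tcp_loose</emphasis> to zero." reads better and matches the original wording. Removing the ipv4/netfilter/ip_conntrack_tcp_loose alternative is in line with the commit message, which describes those entries as kept only for backward compatibility.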
@@ -283,7 +282,7 @@ conntrack v1.4.6 (conntrack-tools): 1 flow entries have been deleted.
<para>If your Linux kernel is &lt; 2.6.22, you have to disable TCP window
- # echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
+ # echo 1 > /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal
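Review bot: this paragraph is explicitly conditioned on "Linux kernel is &lt; 2.6.22", that is, on exactly the old kernels for which the ip_conntrack sysctl entries the commit message calls "very old" were the primary interface, so on such a kernel the new /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal path may not be the one that exists. Either keep the ip_conntrack path in this old-kernel-only paragraph, or drop the version condition and document the nf_conntrack path for current kernels, so the example and its precondition agree.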