From 553cd1fa98a2e3eb88c0f08e961de8ca4cda5de1 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 22 Feb 2011 16:05:09 +0100 Subject: doc: add reference to the CT target again Now that we have fixed several aspects of the event filtering in 2.6.38, I reintroduce the documentation for this feature. Signed-off-by: Pablo Neira Ayuso --- doc/manual/conntrack-tools.tmpl | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'doc/manual') diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl index 08b5b95..64cb91f 100644 --- a/doc/manual/conntrack-tools.tmpl +++ b/doc/manual/conntrack-tools.tmpl @@ -631,6 +631,33 @@ Sync { + +Filtering Connection tracking events with iptables + + Since Linux kernel >= 2.6.34, iptables provides the + CT iptables target that allows to reduce the + amount of Connection Tracking events that are delivered to user-space. + However, you will have to use a Linux kernel >= 2.6.38 to profit + from this feature, since several aspects of the event filtering were + broken. + + The following example shows how to only generate the + assured event: + + + # iptables -I PREROUTING -t raw -j CT --ctevents assured + + + Assured flows + One flow is assured if the firewall has seen traffic for it in + both directions. + + + Reducing the amount of events generated helps to reduce CPU + consumption in the active firewall. + + + Troubleshooting -- cgit v1.2.3
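Review bot: the example rule installs the CT target only in the raw PREROUTING chain, so the new section should state whether locally originated flows are meant to be covered as well (those enter the raw OUTPUT chain, which this rule does not touch) or show a matching OUTPUT rule next to `# iptables -I PREROUTING -t raw -j CT --ctevents assured`; otherwise a reader may conclude that all events are filtered when only forwarded and inbound flows are. On wording, `CT iptables target that allows to reduce the amount of Connection Tracking events` should read `allows you to reduce`, and `to profit from this feature` reads better as `to benefit from this feature`. Since the paragraph warns that filtering was broken before 2.6.38, a one-line hint on how to confirm the filter is active (only assured events appearing on the event stream) would help readers tell an old kernel from a misplaced rule.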