From 5952c01eaf2f4256d4804f6bf2ecfed2087cdc29 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sun, 7 Jun 2020 21:43:52 +0200 Subject: doc: manual: refer to nf_conntrack sysctl ip_conntrack sysctl entries are very old and available for backward compatibility reasons. Signed-off-by: Pablo Neira Ayuso --- doc/manual/conntrack-tools.tmpl | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'doc') diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl index 9af0b3f..739b7f1 100644 --- a/doc/manual/conntrack-tools.tmpl +++ b/doc/manual/conntrack-tools.tmpl @@ -59,14 +59,13 @@ What are the conntrack-tools? The conntrack-tools are a set of free software tools for GNU/Linux that allow system administrators interact, from user-space, with the in-kernel Connection Tracking System, which is the module that enables stateful packet inspection for iptables. Probably, you did not hear about this module so far. However, if any of the rules of your rule-set use the state or ctstate iptables matches, you are indeed using it. - The conntrack-tools package contains two programs: - conntrack is command line interface conntrack provides a more flexible interface to the connnection tracking system than /proc/net/ip_conntrack. With conntrack, you can show, delete and update the existing state entries; and you can also listen to flow events. + conntrack provides a full featured command line utility to interact with the connection tracking system. The conntrack utility provides a replacement for the limited /proc/net/nf_conntrack interface. With conntrack, you can list, update and delete the existing flow entries; you can also listen to flow events. conntrackd is the user-space connection tracking daemon. This daemon can be used to deploy fault-tolerant GNU/Linux firewalls but you can also use it to collect flow-based statistics of the firewall use. 
@@ -167,10 +166,10 @@ Using conntrack: the command line interface - The /proc/net/ip_conntrack interface is very limited as it only allows you to display the existing flows, their state and other information: + The /proc/net/nf_conntrack interface is very limited as it only allows you to display the existing flows, their state and metadata such the flow mark: - # cat /proc/net/ip_conntrack + # cat /proc/net/nf_conntrack tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 use=1 tcp 6 431698 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34849 dport=993 packets=244 bytes=18723 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 use=1 @@ -200,7 +199,7 @@ conntrack v1.4.6 (conntrack-tools): 1 flow entries have been updated. Delete one entry, this can be used to block traffic if: You have a stateful rule-set that blocks traffic in INVALID state. - You have set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose or /proc/sys/net/netfilter/nf_conntrack_tcp_loose, depending on your kernel version, to zero. + You set /proc/sys/net/netfilter/nf_conntrack_tcp_loose to zero. @@ -283,7 +282,7 @@ conntrack v1.4.6 (conntrack-tools): 1 flow entries have been deleted. If your Linux kernel is < 2.6.22, you have to disable TCP window tracking: - # echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal + # echo 1 > /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal
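Review bot: In the first hunk (@@ -59,14 +59,13 @@), the removed sentence "The conntrack-tools package contains two programs:" was the lead-in for the two entries that follow (conntrack ..., conntrackd ...); dropping it leaves the conntrackd description without the enumeration that introduced it, so either keep that sentence or fold "one of two programs" into the new conntrack paragraph. In the added line, "full featured" should be hyphenated ("full-featured command line utility"). The unchanged context in the same paragraph still reads "allow system administrators interact" (missing "to") and "Probably, you did not hear about this module so far"; since this hunk already reworks the paragraph, it is a good place to fix both ("allow system administrators to interact", "You may not have heard of this module before").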
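Review bot: In the second hunk (@@ -167,10 +166,10 @@), the added line has a typo: "metadata such the flow mark" should read "metadata such as the flow mark". The wording change is otherwise an improvement over "other information", since the sample output that follows does show the mark field ("mark=0") and the reader can see what is meant; consider also naming the use counter ("use=1") that appears on every line, so the text matches the full set of fields shown.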
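Review bot: In the third hunk (@@ -200,7 +199,7 @@), the replacement item "You set /proc/sys/net/netfilter/nf_conntrack_tcp_loose to zero." breaks the parallelism with the preceding item "You have a stateful rule-set that blocks traffic in INVALID state."; keep the original tense ("You have set /proc/sys/net/netfilter/nf_conntrack_tcp_loose to zero."). Dropping the "depending on your kernel version" alternative is consistent with the commit message, but the list now reads as two independent options, while the surrounding text ("this can be used to block traffic if:") only holds when both conditions are met: deleting the entry stops traffic only if the subsequent packets are not picked up mid-stream (tcp_loose = 0) and the INVALID packets are then dropped by the rule-set. Making that "both" explicit would avoid readers applying only one of the two.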
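Review bot: In the fourth hunk (@@ -283,7 +282,7 @@), the path is updated to /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal but the condition "If your Linux kernel is < 2.6.22" is left as it was; since the commit message says the ip_conntrack paths are kept only for backward compatibility, check whether the version condition is still meaningful here or whether it should be restated for the nf_conntrack path. Also worth a sentence at this point: setting nf_conntrack_tcp_be_liberal to 1 relaxes what the tracker accepts, whereas the earlier section (@@ -200,7 +199,7 @@) relies on packets being classified INVALID and dropped to block traffic, so the two pieces of advice pull in opposite directions and the trade-off should be stated for the administrator.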