| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-06-07 21:43:52 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-06-07 21:54:02 +0200 |
| commit | 5952c01eaf2f4256d4804f6bf2ecfed2087cdc29 (patch) | |
| tree | 13cce7194c33a04056521f027424b6f57199a3d0 /doc | |
| parent | 9bed87a72ea37ac55b24cfb37c7b5d28d7d06837 (diff) | |
doc: manual: refer to nf_conntrack sysctl
ip_conntrack sysctl entries are very old and available for backward
compatibility reasons.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc')

| -rw-r--r-- | doc/manual/conntrack-tools.tmpl | 11 |
|---|---|---|

1 files changed, 5 insertions, 6 deletions
diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl index 9af0b3f..739b7f1 100644 --- a/doc/manual/conntrack-tools.tmpl +++ b/doc/manual/conntrack-tools.tmpl @@ -59,14 +59,13 @@ <chapter id="what"><title>What are the conntrack-tools?</title> <para>The conntrack-tools are a set of free software tools for GNU/Linux that allow system administrators interact, from user-space, with the in-kernel <ulink url="http://people.netfilter.org/pablo/docs/login.pdf">Connection Tracking System</ulink>, which is the module that enables stateful packet inspection for iptables. Probably, you did not hear about this module so far. However, if any of the rules of your rule-set use the <emphasis>state</emphasis> or <emphasis>ctstate</emphasis> iptables matches, you are indeed using it. - </para> <para>The <ulink url="http://conntrack-tools.netfilter.org">conntrack-tools</ulink> package contains two programs:</para> <itemizedlist> <listitem> - <para><emphasis>conntrack</emphasis> is command line interface conntrack provides a more flexible interface to the connnection tracking system than /proc/net/ip_conntrack. With conntrack, you can show, delete and update the existing state entries; and you can also listen to flow events.</para> + <para><emphasis>conntrack</emphasis> provides a full featured command line utility to interact with the connection tracking system. The <emphasis>conntrack</emphasis> utility provides a replacement for the limited /proc/net/nf_conntrack interface. With <emphasis>conntrack</emphasis>, you can list, update and delete the existing flow entries; you can also listen to flow events.</para> </listitem> <listitem> <para><emphasis>conntrackd</emphasis> is the user-space connection tracking daemon. This daemon can be used to deploy fault-tolerant GNU/Linux firewalls but you can also use it to collect flow-based statistics of the firewall use.</para> 
@@ -167,10 +166,10 @@ <chapter id="conntrack"><title>Using conntrack: the command line interface</title> - <para>The <emphasis>/proc/net/ip_conntrack</emphasis> interface is very limited as it only allows you to display the existing flows, their state and other information:</para> + <para>The <emphasis>/proc/net/nf_conntrack</emphasis> interface is very limited as it only allows you to display the existing flows, their state and metadata such the flow mark:</para> <programlisting> - # cat /proc/net/ip_conntrack + # cat /proc/net/nf_conntrack tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 use=1 tcp 6 431698 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34849 dport=993 packets=244 bytes=18723 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 use=1 </programlisting> @@ -200,7 +199,7 @@ conntrack v1.4.6 (conntrack-tools): 1 flow entries have been updated. <para>Delete one entry, this can be used to block traffic if:</para> <itemizedlist> <listitem><para>You have a stateful rule-set that blocks traffic in INVALID state.</para></listitem> - <listitem><para>You have set <emphasis>/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose</emphasis> or <emphasis>/proc/sys/net/netfilter/nf_conntrack_tcp_loose</emphasis>, depending on your kernel version, to zero.</para></listitem> + <listitem><para>You set <emphasis>/proc/sys/net/netfilter/nf_conntrack_tcp_loose</emphasis> to zero.</para></listitem> </itemizedlist> <programlisting> 
@@ -283,7 +282,7 @@ conntrack v1.4.6 (conntrack-tools): 1 flow entries have been deleted. <para>If your Linux kernel is < 2.6.22, you have to disable TCP window tracking: <programlisting> - # echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal + # echo 1 > /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal </programlisting> </para> </listitem> |
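Review bot: in the first hunk (@@ -59,14 +59,13 @@) the replacement paragraph opens with two back-to-back sentences of the form "conntrack provides ... The conntrack utility provides ...", which reads as a stutter; consider folding them into one sentence, e.g. "conntrack is a full featured command line utility that replaces the limited /proc/net/nf_conntrack interface: with it you can list, update and delete existing flow entries and listen to flow events." The hunk also drops a stray blank line before `</para>` (the first `-` line), which is unrelated whitespace cleanup that the commit message does not mention; that is fine for a doc-only change but worth a word in the message so the diffstat's extra deletion is explained.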
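Review bot: the second hunk (@@ -167,10 +166,10 @@) introduces a typo in the new `<para>`: "metadata such the flow mark" is missing "as" and should read "metadata such as the flow mark". Two smaller points on the same hunk: the sample `cat /proc/net/nf_conntrack` output still shows a real public address (123.59.27.117) as the peer; documentation examples are better served by an RFC 5737 documentation range such as 192.0.2.0/24 so readers do not probe a live host when reproducing the example. The rewritten `<listitem>` correctly keeps only `/proc/sys/net/netfilter/nf_conntrack_tcp_loose`, which matches the commit message's rationale that the `ip_conntrack` entries exist only for backward compatibility.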
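Review bot: the third hunk (@@ -283,7 +282,7 @@) swaps the sysctl path but leaves the surrounding condition "If your Linux kernel is < 2.6.22" untouched, so the paragraph now tells users of very old kernels to use the newer `nf_conntrack_*` path while the commit message says the old `ip_conntrack` entries are the ones kept for backward compatibility; either the kernel-version qualifier should be revisited or the paragraph should say which path applies on such kernels. Since `nf_conntrack_tcp_be_liberal=1` disables TCP window tracking, the text around the `echo 1 > ...` line would also benefit from a sentence noting that this loosens stateful inspection (out-of-window segments are no longer treated as INVALID), so administrators understand the trade-off before enabling it. Finally, the unchanged context line contains a bare `<` inside `<para>`; if this template is processed as XML rather than SGML, it should be escaped as `&lt;`.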