diff options
author/C=EU/ST=EU/CN=Pablo Neira Ayuso/ </C=EU/ST=EU/CN=Pablo Neira Ayuso/>2007-05-22 00:55:00 +0000
committer/C=EU/ST=EU/CN=Pablo Neira Ayuso/ </C=EU/ST=EU/CN=Pablo Neira Ayuso/>2007-05-22 00:55:00 +0000
commit11c5237ffd9e3bda5cac4c9156556e9050e6a9c8 (patch)
parente99052a1f6c81c68adf4c815ef3bfeddd45f70ec (diff)
1 files changed, 62 insertions, 0 deletions
diff --git a/README b/README
new file mode 100644
index 0000000..b0065c9
--- /dev/null
+++ b/README
@@ -0,0 +1,62 @@
+libnetfilter_conntrack - userspace library for the connection tracking system
+(C) 2005-2007 Pablo Neira Ayuso <>
+= Connection Tracking System =
+The connection tracking system is a in-kernel subsystem that stores information
+about the state of a connection in a memory structure that contains the source
+and destination IP addresses, port number pairs, protocol types, state, and
+timeout. With this extra information, we can define more intelligent filtering
+Moreover, there are some application protocols, such as FTP, TFTP, IRC, PPTP
+that have aspects that are hard to track for a firewall that follows the
+traditional static filtering approach. The connection tracking system defines
+a mechanism to track such aspects.
+The connection tracking system does not alter the packets themselves; the
+default behavior always lets the packets continue their travel through the
+network stack, although there are a couple of very specific exceptions where
+packets can be dropped (e.g., under memory exhaustion). So keep in mind that
+the connection tracking system just tracks packets; it does not filter.
+For further information on the connection tracking system, please see the
+reference section at the bottom of this document.
+= What is libnetfilter_conntrack? =
+libnetfilter_conntrack is an userspace library that provides an interface to
+the in-kernel connection tracking system.
+= Prerequirements for libnetfilter_conntrack =
+Linux kernel version >= 2.6.18 ( and enable support for:
+ * connection tracking system (quite obvious ;)
+ * nfnetlink
+ * ctnetlink (ip_conntrack_netlink)
+ * connection tracking event notification API
+= Documentation =
+The libnetfilter_conntrack API is well documented, however we don't have any
+tool yet to automate the document generation. So, you'll have to consult the
+documentation from the source code.
+= Examples =
+You can find a set of handy examples on the use of libnetfilter_conntrack
+under the directory utils/ distributed with this library.
+= Heads Up =
+Currently libnetfilter_conntrack supports two different APIs: The old one that
+has several limitations and the new one that solves such deficiencies. Thus,
+make sure you use the new API for your new applications since the old one will
+be removed soon.
+= References =
+[1] Pablo Neira Ayuso. Netfilter's Connection Tracking System: