summaryrefslogtreecommitdiffstats
path: root/README
blob: b0065c912aa32af886631c04478f95663a5e0b6b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
libnetfilter_conntrack - userspace library for the connection tracking system
(C) 2005-2007 Pablo Neira Ayuso <pablo@netfilter.org>
=============================================================================

= Connection Tracking System =

The connection tracking system is a in-kernel subsystem that stores information
about the state of a connection in a memory structure that contains the source
and destination IP addresses, port number pairs, protocol types, state, and 
timeout. With this extra information, we can define more intelligent filtering
policies. 

Moreover, there are some application protocols, such as FTP, TFTP, IRC, PPTP 
that have aspects that are hard to track for a firewall that follows the 
traditional static filtering approach. The connection tracking system defines 
a mechanism to track such aspects.

The connection tracking system does not alter the packets themselves; the 
default behavior always lets the packets continue their travel through the
network stack, although there are a couple of very specific exceptions where 
packets can be dropped (e.g., under memory exhaustion). So keep in mind that 
the connection tracking system just tracks packets; it does not filter.

For further information on the connection tracking system, please see the
reference section at the bottom of this document.

= What is libnetfilter_conntrack? =

libnetfilter_conntrack is an userspace library that provides an interface to 
the in-kernel connection tracking system.

= Prerequirements for libnetfilter_conntrack =

Linux kernel version >= 2.6.18 (http://www.kernel.org) and enable support for:

 * connection tracking system (quite obvious ;)
 * nfnetlink
 * ctnetlink (ip_conntrack_netlink)
 * connection tracking event notification API 

= Documentation =

The libnetfilter_conntrack API is well documented, however we don't have any
tool yet to automate the document generation. So, you'll have to consult the 
documentation from the source code.

= Examples =

You can find a set of handy examples on the use of libnetfilter_conntrack 
under the directory utils/ distributed with this library.

= Heads Up =

Currently libnetfilter_conntrack supports two different APIs: The old one that 
has several limitations and the new one that solves such deficiencies. Thus, 
make sure you use the new API for your new applications since the old one will
be removed soon.

= References =

[1] Pablo Neira Ayuso. Netfilter's Connection Tracking System:
    http://people.netfilter.org/pablo/docs/login.pdf