libnetfilter_conntrack - userspace library for the connection tracking system
(C) 2005-2011 Pablo Neira Ayuso <pablo@netfilter.org>
=============================================================================

= Connection Tracking System =

The connection tracking system is an in-kernel subsystem that stores information
about the state of a connection in a memory structure that contains the source
and destination IP addresses, port number pairs, protocol types, state, and
timeout. With this extra information, we can define more intelligent filtering
policies.

Moreover, there are some application protocols, such as FTP, TFTP, IRC and PPTP,
that have aspects that are hard to track for a firewall that follows the
traditional static filtering approach. The connection tracking system defines
a mechanism to track such aspects.

The connection tracking system does not alter the packets themselves; the
default behavior always lets the packets continue their travel through the
network stack, although there are a couple of very specific exceptions where
packets can be dropped (e.g., under memory exhaustion). So keep in mind that
the connection tracking system just tracks packets; it does not filter.

For further information on the connection tracking system, please see the
reference section at the bottom of this document.

= What is libnetfilter_conntrack? =

libnetfilter_conntrack is a userspace library that provides an interface to
the in-kernel connection tracking system.

= License =

libnetfilter_conntrack is released under the GPLv2 or, at your option, any later
version.

= Prerequisites for libnetfilter_conntrack =

Linux kernel version >= 2.6.18 (http://www.kernel.org) with support enabled for:

* connection tracking system (quite obvious ;)
* nfnetlink
* ctnetlink (ip_conntrack_netlink)
* connection tracking event notification API

= Documentation =

You can generate the doxygen-based documentation by invoking:
$ doxygen doxygen.cfg

= Examples =

You can find a set of handy examples on the use of libnetfilter_conntrack
under the directory utils/ distributed with this library. You can compile them
by invoking:
$ make check

= Heads Up =

libnetfilter_conntrack used to provide two different APIs. The old one had
several limitations and, for that reason, was deprecated some time ago. The
current library only provides the new API, which solves the former
deficiencies. Thus, make sure you use a recent version of libnetfilter_conntrack
and, in case you are still using the old API, consider porting your application
to the new one.

Since libnetfilter_conntrack >= 0.9.1, you can use the same handle obtained
via nfct_open() to register both conntrack and expectation callbacks (before
this version, this was not possible).

= References =

[1] Pablo Neira Ayuso. Netfilter's Connection Tracking System:
http://people.netfilter.org/pablo/docs/login.pdf