
Questions tagged [ip-conntrack]

2 votes
1 answer
92 views

I have interfaces enp101s0f0u2u{1..3}, on each of which there is a device responding to 192.168.8.1. I want a local process to be able to reach all of them simultaneously. This is one process, so ...
Mihail Malostanidis
0 votes
1 answer
142 views

I am confused by the nftable's handling of broadcast packets and their responses. This is about the NetBIOS name resolution. nmblookup sends a packet to 192.168.115.255:137. The expression meta ...
Hauke Laging
  • 94.8k
2 votes
0 answers
133 views

This is more of a conceptual question. I've noticed that we sometimes drop UDP packets due to ctstate INVALID, but from my understanding that should never happen. Researching this I can't really find ...
Philippe
  • 599
0 votes
1 answer
235 views

With a standard log rule "ct state new" we get the details about a new session, however, we only get the data size of the first packet looking in LEN i.e. 2024-06-15T10:11:31.829667+00:00 ...
Neil Briscoe
1 vote
1 answer
432 views

It's not clear to me if the check for INVALID vs ESTABLISHED,RELATED is equally fast for both cases (and if the states are completely orthogonal). Do I have to drop INVALID before accepting ESTABLISHED ...
Adrian Sevcenco
0 votes
0 answers
28 views

I'm trying to test some conntrack related tooling. The test runs within a single VM without network access. What's the easiest way to create a conntrack session so I can do my test?
Philippe
  • 599
1 vote
0 answers
1k views

I have come across this repo and struggle to understand these steps. I believe this is to enable the Netfilter conntrack events, but I'm not sure. What do I have to run to get these prompts? ----------...
Houman
  • 197
2 votes
0 answers
628 views

Two containers talking to each other on overlay network with high traffic (connection frequency) occasionally got connection lag almost exact multiple of 1s. It doesn't matter whether it is same host ...
DevilaN
  • 2,146
3 votes
1 answer
5k views

Hi dear esteemed community, I'm having a hard time porting my very functional iptables firewall to nftables. No issues with input/output/forward stuffs, it's mainly the conntrack marking. What I ...
Kameo
  • 33
2 votes
0 answers
777 views

Is there any possibility to mark outgoing packets with iptables and recognize them by the response? I have a very simple outgoing rule: iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,...
BufferOverflow
0 votes
1 answer
2k views

Does a command exist to "gracefully" close a TCP connection opened by a process before it reaches its timeout? I would like to gracefully close all those TCP connections in a CLOSE_WAIT/TIME_WAIT ...
Fabrizio Barcaroli
5 votes
1 answer
26k views

From this link it seems that conntrack remembers a connection for X seconds after it is closed. Does anybody know how long that X is and if it is configurable?
Fabrizio Barcaroli
1 vote
1 answer
2k views

I don't understand some basic concepts of conntrack module. First of all, I'm sure it's enabled in my system (Ubuntu 18.04), modinfo shows info about nf_conntrack and /proc/modules file tells ...
Groosha
  • 315
2 votes
1 answer
5k views

I understand that iptables --set-mark does not add mark "on" the packets. The MARK target is for associating a mark with the packet in the kernel data structures. The packet itself is not modified. ...
Sourav Ghosh
7 votes
0 answers
1k views

I was playing around with the Multicast feature of IPv6. $ ping ff02::2%wlp3s0 This should normally result in an echo-reply from all the routers on your local network segment (Wikipedia - IPv6). So ...
Hermilton
  • 171
