Conntrack
This chapter covers some aspects related to system conntrack, which is a feature that allows the user to track connections through OSDx devices.
The conntrack utility provides a featured userspace interface to the Netfilter connection tracking system. It can be used to dump a list of all (or a filtered selection of) currently tracked connections.
Connection Format
All connections can be structured in a similar fashion to the one shown below:
icmp 1 25 src=10.0.0.1 dst=10.0.0.2 type=8 code=0 id=18723 vrf=RED packets=2 bytes=168 src=10.0.0.2 dst=10.0.0.1 type=0 code=0 id=18723 vrf=RED packets=2 bytes=168 mark=33 use=1 appdetect[L3:1]
In the example above, you can see a ping connection using a VRF called RED. It contains both an origin and a reply message (each with its own fields, such as the source (src) and destination (dst) IP address and the message type and code), as well as global parameters like the protocol used (icmp), the number of packets and bytes transmitted, and the id.
In addition to the fields mentioned, there are others related to the traffic policies established for the connection. For example, information on whether the connection is bypassed or not (Sc: not-bypass) can be found, as well as the packet mark, the offload flag ([OFFLOAD] or [HW_OFFLOAD]), and app-detect data (appdetect[engineId:appID]). More information about these fields and their configuration can be found in the Traffic Routing articles and the Firewall Service documentation.
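As an added example (not part of the original documentation or of OSDx itself), a small Python parser for the connection format shown above: it splits an entry into its original and reply tuples, global fields, bracketed flags, bypass state and app-detect data. The sample entry is constructed, and the handling of a bare state keyword and of bracketed flags assumes the standard conntrack text layout.

```python
import re

# Constructed sample entry in the format documented above (not real device output).
SAMPLE = ("icmp 1 25 src=10.0.0.1 dst=10.0.0.2 type=8 code=0 id=18723 vrf=RED "
          "packets=2 bytes=168 src=10.0.0.2 dst=10.0.0.1 type=0 code=0 id=18723 "
          "vrf=RED packets=2 bytes=168 mark=33 use=1 appdetect[L3:1]")
# Keys that belong to one direction (original or reply) rather than the whole entry.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id", "vrf",
              "packets", "bytes"}
NUMERIC = {"sport", "dport", "type", "code", "id", "packets", "bytes", "mark", "use"}
APPDETECT_RE = re.compile(r"appdetect\[([^:\]]+):([^\]]+)\]")
BYPASS_RE = re.compile(r"Sc:\s*(\S+)")


def parse_conntrack_line(line):
    """Split one 'system conntrack' entry into header, tuples, flags and extras."""
    entry = {"orig": {}, "reply": {}, "global": {}, "flags": [], "appdetect": None,
             "bypass": None}
    m = BYPASS_RE.search(line)
    if m:  # "Sc: not-bypass" spans two tokens, so take it out before splitting
        entry["bypass"] = m.group(1)
        line = line[:m.start()] + line[m.end():]
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError("conntrack entry too short: %r" % line)
    entry.update(proto=tokens[0], proto_num=int(tokens[1]), timeout=int(tokens[2]))
    side = "orig"
    for tok in tokens[3:]:
        m = APPDETECT_RE.fullmatch(tok)
        if m:  # appdetect[engineId:appID]
            entry["appdetect"] = {"engine": m.group(1), "app": m.group(2)}
            continue
        if tok.startswith("[") and tok.endswith("]"):  # [OFFLOAD], [HW_OFFLOAD], ...
            entry["flags"].append(tok[1:-1])
            continue
        key, sep, val = tok.partition("=")
        if not sep:
            continue  # bare word (e.g. a TCP state keyword); ignored here
        if key == "src" and entry["orig"]:
            side = "reply"  # the second src= starts the reply tuple
        target = entry[side] if key in TUPLE_KEYS else entry["global"]
        target[key] = int(val) if key in NUMERIC else val
    return entry


def tuples_are_mirrored(entry):
    """Sanity check: reply is the original tuple with endpoints swapped, same VRF."""
    o, r = entry["orig"], entry["reply"]
    return (o.get("src") == r.get("dst") and o.get("dst") == r.get("src")
            and o.get("vrf") == r.get("vrf"))
```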
Running the system conntrack monitor command will monitor all current connections (containing the previously described fields) via three different states:
NEW: New conntrack messages.
UPDATE: Updated conntrack messages.
DESTROY: Conntrack messages indicating disconnection.
Logging
system conntrack logging is an option that allows conntrack information to be sent via syslog.
The message types to be captured (NEW, UPDATE, DESTROY or ALL of them, set with the events option, destroy being the default value) must be configured, as well as the log level of those events (log-level option). This last option sets the log level at which the messages are displayed, not a threshold on their own level. For example, setting it to err will display the conntrack messages in error format, whereas configuring it with debug will show the information in debug style (info level by default).
The expected output when running system journal monitor or system journal show will be as follows:
osdx ulogd[9431]: [NEW] ORIG: SRC=10.0.0.1 DST=10.0.0.2 VRF=RED PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=10.0.0.2 DST=10.0.0.1 VRF=RED PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 MARK=33 LABELS=LOCAL
In addition to the default conntrack message, the label field associated with a traffic policy is also included. However, the app-detect information has not yet been implemented in the logged messages.
Some examples of this feature and how to configure it can be found here.