
How Conntrack Powers Modern Cloud‑Native Networking and Security

Conntrack, the Linux kernel’s connection tracking subsystem, underpins reliable networking for mobile apps, Kubernetes services, Docker containers, and firewalls by recording five‑tuple states, enabling NAT, stateful packet filtering, and seamless integration with Netfilter and BPF‑based solutions such as Cilium.

Written by Deepin Linux

Part 1 Conntrack Overview

Conntrack is a mechanism that records connection state. It lets a firewall admit only packets that belong to established connections: for example, when a browser accesses a web server on port 80, the firewall lets through the response packets coming from the server’s IP with source port 80, because they belong to a connection it is already tracking.

In Docker networking, conntrack tracks connections between containers and external networks, ensuring orderly communication. It also provides key information to iptables firewalls to distinguish legitimate from risky traffic.

Conntrack also caches NAT translations: the first packet of a connection queries the NAT table, and conntrack stores the translation method for subsequent packets.

1.1 Where does conntrack happen?

Conntrack intercepts packets at the high‑priority hooks LOCAL_OUT (locally generated, outgoing packets) and PRE_ROUTING (incoming packets). An entry created at the entry hook is only confirmed, i.e. inserted into the main connection table, once the packet reaches the exit hook.

1.2 What information does conntrack store?

At the entry point, conntrack computes and stores a tuple (source IP, destination IP, source port, destination port, protocol) and additional protocol‑specific data.

Tuple information includes IP and port for TCP/UDP, or IP, type and code for ICMP.

Extension information (complex, omitted).

Protocol‑private data such as TCP sequence numbers, retransmission count, scaling factor, etc.

Packet connection tracking states

Common states stored in skb->nfctinfo are:

IP_CT_ESTABLISHED – packet belongs to an already established connection.

IP_CT_RELATED – packet is related to an existing connection (e.g., FTP data channel).

IP_CT_NEW – first packet of a new connection (SYN for TCP).

IP_CT_ESTABLISHED + IP_CT_IS_REPLY – established packet in reply direction.

IP_CT_RELATED + IP_CT_IS_REPLY – related packet in reply direction.

Part 2 Conntrack Principles

2.1 Underlying mechanism

When a packet enters a network node, conntrack extracts the five‑tuple and checks if a record exists. If not, it creates a new entry; otherwise it updates the existing record’s statistics and state (e.g., TCP SYN‑ACK moves state to ESTABLISHED). When a connection ends, the record is removed.

2.2 Relationship with Netfilter

Conntrack hooks into Netfilter’s PRE_ROUTING and POST_ROUTING points to inspect and update connection information. Cilium implements an independent BPF‑based conntrack and NAT system that can replace Netfilter while still supporting Kubernetes Service types.

Part 3 Conntrack Applications

3.1 Role in NAT

NAT translates private IP addresses to public ones. Conntrack records each connection’s five‑tuple, allowing NAT devices to perform fast reverse translation for reply packets without additional rules.

3.2 Enabling stateful packet filtering

Stateful filters use conntrack’s connection table to allow only packets that belong to established connections, protecting against session hijacking and DoS attacks.

3.3 Application‑layer gateway extensions

For protocols like FTP that embed address information in the payload, conntrack’s ALG component rewrites those addresses so that NAT works correctly.
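The ALG behaviour of section 3.3, as an added C example (not code from the article or from the kernel’s nf_conntrack_ftp helper): it parses an FTP PORT command, registers the data connection the server is expected to open as a one‑shot expectation, rewrites the address carried in the payload to the public one when the client sits behind SNAT, and classifies the first packet of that data connection as IP_CT_RELATED. The structure names, MAXEXP and the sample session are constructed. The check that the advertised address equals the control connection’s own source mirrors the kernel helper’s default (its loose module parameter is off): without it a client could make the firewall expect, and admit as RELATED, a connection to some third host.

```c
/* Added example (not code from the article or the kernel): how an FTP application-layer gateway turns a
 * PORT command into a RELATED expectation and rewrites the embedded address for NAT. All names and the
 * sample session are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tuple { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
enum ctinfo { CT_NEW, CT_RELATED };
#define MAXEXP 8
static struct tuple expect[MAXEXP];      /* pending expectations (kernel: nf_conntrack_expect) */
static int n_expect;

static int tuple_eq(const struct tuple *a, const struct tuple *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport && a->dport == b->dport && a->proto == b->proto;
}
/* Parse "PORT h1,h2,h3,h4,p1,p2": the address and port the client will accept the data channel on */
static int parse_port_cmd(const char *line, uint32_t *ip, uint16_t *port) {
    unsigned v[6];
    if (sscanf(line, "PORT %u,%u,%u,%u,%u,%u", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6) return 0;
    for (int i = 0; i < 6; i++) if (v[i] > 255) return 0;
    *ip = v[0] << 24 | v[1] << 16 | v[2] << 8 | v[3];
    *port = (uint16_t)(v[4] << 8 | v[5]);
    return 1;
}
/* Called for a PORT command seen on the control connection (ctrl = its original-direction tuple, client ->
 * server). Registers an expectation for the server connecting from port 20 to the advertised endpoint and
 * writes the command as the server must see it. If the advertised address is not the control connection's
 * own source, no expectation is registered, like nf_conntrack_ftp's default (loose=0): otherwise any client
 * could make the firewall expect, and admit as RELATED, a connection to a third host. */
static int ftp_alg_port(const struct tuple *ctrl, const char *line, uint32_t snat_ip, char *out, size_t n) {
    uint32_t ip; uint16_t port;
    if (!parse_port_cmd(line, &ip, &port) || ip != ctrl->src || n_expect == MAXEXP) return 0;
    uint32_t ext = snat_ip ? snat_ip : ip;            /* address the server will actually connect to */
    struct tuple e = { ctrl->dst, ext, 20, port, 6 };
    expect[n_expect++] = e;
    /* 3.3: under NAT the private address carried in the payload is rewritten to the public one */
    snprintf(out, n, "PORT %u,%u,%u,%u,%u,%u\r\n", ext >> 24, (ext >> 16) & 255u, (ext >> 8) & 255u, ext & 255u,
             (unsigned)(port >> 8), (unsigned)(port & 255));
    return 1;
}
/* First packet of a flow with no conntrack entry: IP_CT_RELATED if it matches a pending expectation,
 * which is consumed so that exactly one data connection is admitted, otherwise IP_CT_NEW */
static enum ctinfo classify_new_flow(const struct tuple *t) {
    for (int i = 0; i < n_expect; i++)
        if (tuple_eq(&expect[i], t)) { expect[i] = expect[--n_expect]; return CT_RELATED; }
    return CT_NEW;
}
/* Constructed session: client 10.0.0.5 behind SNAT 198.51.100.1 talks to server 203.0.113.7; returns 0 when
 * every step behaves as expected, otherwise the number of the first step that did not */
static int alg_scenario(void) {
    const uint32_t cli = 0x0A000005u, srv = 0xCB007107u, pub = 0xC6336401u;
    struct tuple ctrl = { cli, srv, 40000, 21, 6 };
    struct tuple data = { srv, pub, 20, 1025, 6 };   /* server's active-mode data connection, as NAT sees it */
    char buf[64];
    n_expect = 0;
    if (!ftp_alg_port(&ctrl, "PORT 10,0,0,5,4,1\r\n", pub, buf, sizeof buf)) return 1;
    if (strcmp(buf, "PORT 198,51,100,1,4,1\r\n") != 0) return 2;           /* payload rewritten for NAT */
    if (classify_new_flow(&data) != CT_RELATED) return 3;                  /* expected data channel */
    if (classify_new_flow(&data) != CT_NEW) return 4;                      /* expectation was one-shot */
    if (ftp_alg_port(&ctrl, "PORT 192,0,2,9,4,1\r\n", pub, buf, sizeof buf)) return 5; /* third host: none */
    return 0;
}
```

alg_scenario() walks one active‑mode transfer: the client advertises its private address, the command leaving the NAT box carries the public one, the server’s connection from port 20 to that public endpoint is the only flow classified RELATED, and a PORT command naming an unrelated host creates no expectation at all.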

Part 4 Kernel Implementation of Conntrack

4.1 Module initialization

The functions nf_conntrack_init_init_net() and nf_conntrack_init_net() allocate the hash table size based on system memory, create slab caches for nf_conn structures, and initialize per‑network‑namespace data such as counters and lists.

[Figure: Conntrack module initialization]

4.2 Conntrack table data structures

The core structure struct nf_conn represents a tracked flow, containing two tuplehash entries (original and reply), status flags, timers, and protocol‑specific extensions. The main structures are:

struct nf_hook_ops – registers the conntrack hooks.

struct nf_conntrack_tuple – basic tuple element.

struct nf_conn – connection entry.

struct nf_conn {
    struct nf_conntrack ct_general;        /* reference count */
    spinlock_t lock;
    u16 cpu;                               /* CPU whose per-CPU list holds the entry while unconfirmed */
    struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];  /* original- and reply-direction hash entries */
    unsigned long status;                  /* IPS_* bits, e.g. IPS_SEEN_REPLY, IPS_CONFIRMED */
    struct timer_list timeout;             /* entry is destroyed when this expires */
    possible_net_t ct_net;                 /* owning network namespace */
    u8 __nfct_init_offset[0];              /* all members below are zeroed on allocation */
    struct nf_conn *master;                /* parent connection for expected (RELATED) flows */
#if defined(CONFIG_NF_CONNTRACK_MARK)
    u_int32_t mark;                        /* connmark, settable from the firewall rules */
#endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
    u_int32_t secmark;                     /* security mark (e.g. SELinux) */
#endif
    struct nf_ct_ext *ext;                 /* extensions: helper, NAT, accounting, ... */
    union nf_conntrack_proto proto;        /* protocol-private state, e.g. TCP window tracking */
};

4.3 Important functions

hash_conntrack_raw() – computes a 32‑bit hash from a tuple.

nf_conntrack_in() – core entry point for incoming packets.

nf_conntrack_confirm() – confirms a newly created connection.

nf_ct_get(skb, ctinfo) – retrieves conntrack data from a packet.

Source code can be examined at https://elixir.bootlin.com/linux/v4.4.155/source/net/netfilter.

4.4 Connection lookup and matching

When a packet arrives, its tuple is hashed to locate the appropriate bucket in the conntrack hash table. If multiple entries share the bucket, they are traversed sequentially and compared against the packet’s five‑tuple; a match confirms the packet belongs to an existing flow.

4.5 Connection lifecycle management

New connections are created from SYN packets, confirmed on SYN‑ACK, updated with traffic statistics, and removed on normal termination or timeout, ensuring the table remains efficient.
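The table, lookup, state classification, NAT reverse mapping and stateful filter described in sections 2.1, 3.1, 3.2, 4.4 and 4.5, together with the nfctinfo values listed in Part 1, as one added userspace model in C (example code, not from the article or the kernel). It keeps a small fixed pool of entries, hashes every tuple into a bucket with a constructed FNV‑1a hash under a fixed seed (a stand‑in for hash_conntrack_raw(), whose seed the kernel draws at random so that an attacker cannot pick tuples that all land in one bucket), stores the original and reply tuples per entry the way tuplehash[] does, and walks a bucket comparing full tuples on lookup. The SNAT address, the port‑80 allow rule, the rule that only a SYN may open a TCP flow (in the kernel the nf_conntrack_tcp_loose sysctl governs mid‑stream pickup) and the immediate teardown on FIN are simplifications chosen for the example; all names, sizes and the sample flow are constructed.

```c
/* Added example (not code from the article or the kernel): a userspace model of the conntrack
 * table the text describes. All names, sizes, the hash function and the sample flow are constructed. */
#include <stdint.h>
#include <string.h>

#define NBUCKETS 16
#define MAXCONN  64
enum dir    { DIR_ORIG = 0, DIR_REPLY = 1 };               /* like IP_CT_DIR_ORIGINAL / IP_CT_DIR_REPLY */
enum ctinfo { CT_NEW, CT_ESTABLISHED, CT_ESTABLISHED_REPLY, CT_INVALID };
struct tuple { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
struct pkt   { struct tuple t; int syn, ack, fin; };
struct conn  { int used, seen_reply; struct tuple th[2]; }; /* th[] plays the role of tuplehash[] */

static struct conn pool[MAXCONN];
static int bucket[NBUCKETS];                  /* head entry per bucket, -1 = empty; entry id = conn*2 + dir */
static int next_ent[MAXCONN * 2];
static const uint32_t hash_rnd = 0x9e3779b9u; /* constructed seed; the kernel draws its seed at random */

static int hash_tuple(const struct tuple *t) {  /* stand-in for hash_conntrack_raw(): FNV-1a over the fields */
    uint32_t w[4] = { t->src, t->dst, (uint32_t)t->sport << 16 | t->dport, t->proto };
    uint32_t h = 2166136261u ^ hash_rnd;
    for (int i = 0; i < 4; i++) { h ^= w[i]; h *= 16777619u; }
    return (int)(h % NBUCKETS);
}
static int tuple_eq(const struct tuple *a, const struct tuple *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport && a->dport == b->dport && a->proto == b->proto;
}
static void ct_init(void) { memset(pool, 0, sizeof pool); for (int i = 0; i < NBUCKETS; i++) bucket[i] = -1; }
static int  ct_count(void) { int n = 0; for (int i = 0; i < MAXCONN; i++) n += pool[i].used; return n; }

/* 4.4: hash the tuple, then walk that bucket comparing full tuples; *dir receives the matching direction */
static int ct_find(const struct tuple *t, int *dir) {
    for (int e = bucket[hash_tuple(t)]; e != -1; e = next_ent[e])
        if (pool[e / 2].used && tuple_eq(&pool[e / 2].th[e % 2], t)) { *dir = e % 2; return e / 2; }
    return -1;
}
static void ct_remove(int ci) {                /* unlink both directions from their buckets, free the slot */
    for (int d = 0; d < 2; d++) {
        int e = ci * 2 + d, *pp = &bucket[hash_tuple(&pool[ci].th[d])];
        while (*pp != -1 && *pp != e) pp = &next_ent[*pp];
        if (*pp == e) *pp = next_ent[e];
    }
    pool[ci].used = 0;
}
/* 2.1 + 3.1: store the original tuple and its inverse; under SNAT the reply tuple's destination is the
 * public address, so reply packets hash straight to this entry without consulting any NAT rule */
static int ct_create(const struct tuple *orig, uint32_t snat_ip) {
    int ci = 0; while (ci < MAXCONN && pool[ci].used) ci++;
    if (ci == MAXCONN) return -1;                          /* table full (kernel: nf_conntrack_max) */
    struct tuple rep = { orig->dst, snat_ip ? snat_ip : orig->src, orig->dport, orig->sport, orig->proto };
    pool[ci].used = 1; pool[ci].seen_reply = 0; pool[ci].th[DIR_ORIG] = *orig; pool[ci].th[DIR_REPLY] = rep;
    for (int d = 0; d < 2; d++) {
        int e = ci * 2 + d, b = hash_tuple(&pool[ci].th[d]);
        next_ent[e] = bucket[b]; bucket[b] = e;
    }
    return ci;
}
/* nf_conntrack_in() analogue: classify the packet (the skb->nfctinfo value) and advance the flow (4.5) */
static enum ctinfo ct_in(const struct pkt *p, uint32_t snat_ip, int *ci_out) {
    int dir, ci = ct_find(&p->t, &dir);
    if (ci < 0) {                                          /* unknown tuple: only a SYN may open a flow */
        if (p->t.proto != 6 || !p->syn || p->ack) return CT_INVALID;
        return (*ci_out = ct_create(&p->t, snat_ip)) < 0 ? CT_INVALID : CT_NEW;
    }
    *ci_out = ci;
    enum ctinfo info = dir == DIR_REPLY ? CT_ESTABLISHED_REPLY : pool[ci].seen_reply ? CT_ESTABLISHED : CT_NEW;
    if (dir == DIR_REPLY) pool[ci].seen_reply = 1;     /* reply (e.g. SYN-ACK) seen: the flow is ESTABLISHED */
    if (p->fin) ct_remove(ci);                          /* simplified teardown; the kernel waits on a CLOSE timer */
    return info;
}
/* 3.2: stateful filter -- ESTABLISHED/REPLY always pass, NEW only towards port 80; the entry created for a
 * dropped NEW packet is discarded again, as an unconfirmed kernel entry would be */
static int ct_filter(const struct pkt *p, uint32_t snat_ip) {
    int ci = -1;
    switch (ct_in(p, snat_ip, &ci)) {
    case CT_ESTABLISHED: case CT_ESTABLISHED_REPLY: return 1;
    case CT_NEW: if (p->t.dport == 80) return 1; if (ci >= 0) ct_remove(ci); return 0;
    default: return 0;
    }
}
/* 3.1: reverse translation -- a reply packet is matched by the reply tuple and its destination rewritten
 * back to the private source kept in the original tuple; runs after ct_filter(), as conntrack precedes NAT */
static int ct_reverse_nat(struct pkt *p) {
    int dir, ci = ct_find(&p->t, &dir);
    if (ci < 0 || dir != DIR_REPLY) return 0;
    p->t.dst = pool[ci].th[DIR_ORIG].src;
    return 1;
}
/* Constructed flow 10.0.0.5:40000 -> 203.0.113.7:80 behind SNAT to 198.51.100.1; returns 0 when every
 * verdict is as expected, otherwise the number of the first step that was not */
static int scenario(void) {
    const uint32_t cli = 0x0A000005u, srv = 0xCB007107u, pub = 0xC6336401u;
    struct pkt syn = { { cli, srv, 40000, 80, 6 }, 1, 0, 0 }, synack = { { srv, pub, 80, 40000, 6 }, 1, 1, 0 };
    struct pkt ack = { { cli, srv, 40000, 80, 6 }, 0, 1, 0 }, fin = { { cli, srv, 40000, 80, 6 }, 0, 1, 1 };
    struct pkt probe = { { srv, pub, 4444, 22, 6 }, 1, 0, 0 };       /* unsolicited inbound SYN to port 22 */
    int ci; ct_init();
    if (ct_filter(&syn, pub) != 1 || ct_count() != 1) return 1;      /* NEW towards port 80: allowed */
    if (ct_filter(&synack, pub) != 1) return 2;                      /* ESTABLISHED + IS_REPLY */
    if (!ct_reverse_nat(&synack) || synack.t.dst != cli) return 3;    /* public address mapped back */
    if (ct_in(&ack, pub, &ci) != CT_ESTABLISHED) return 4;
    if (ct_filter(&probe, 0) != 0 || ct_count() != 1) return 5;       /* NEW towards port 22: dropped */
    if (ct_filter(&fin, pub) != 1 || ct_count() != 0) return 6;       /* teardown */
    return ct_filter(&ack, pub) == 0 ? 0 : 7;                         /* bare ACK, no flow: INVALID */
}
```

scenario() walks one flow through the table: the client’s SYN is admitted as NEW and creates the entry, the server’s SYN‑ACK is found through the reply tuple, classified ESTABLISHED + IS_REPLY and has its destination mapped from the public address back to 10.0.0.5, the client’s next packet is ESTABLISHED, an unsolicited inbound SYN to port 22 is dropped and leaves no entry behind, and once the FIN has removed the entry a bare ACK matches nothing and is treated as INVALID.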

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
