Conntrack-tools nfct command

Is there an OpenWRT package containing the "nfct" command to configure the connection tracking system (conntrack)?
The "nfct" executable is part of the Netfilter conntrack-tools project.



I installed every package that uses the same library that nfct uses. No joy.


Is there a solution to configure specific timeout values for some application protocols without using the "nfct" command?

For example I want to set a default UDP timeout with sysctl net.netfilter.nf_conntrack_udp_timeout = 120 and have shorter timeouts for some well known UDP protocols (like 30 seconds for DNS on port 53).

According to the OpenWRT distribution "packages/blob/master/net/conntrack-tools/Makefile", the conntrack-tools package only contains:

  • conntrack : executable to list existing connections handled by the Netfilter connection tracking system
  • conntrackd : User-space daemon to interact with conntrack, used by some distributed firewall systems

But NO nfct command

The nfct executable gets built but isn't included in the final package.
I modified the makefile to also include nfct but it doesn't work.

nfct add timeout custom-tcp-policy1 inet tcp established 100
nfct v1.4.5: netlink error: Invalid argument
nfct add timeout dns inet
nfct v1.4.5: missing parameters
syntax: nfct add timeout name family protocol state1 timeout1 .

nfct add timeout dns inet tcp
nfct v1.4.5: netlink error: Invalid argument

It errors out as soon as a level4 protocol is specified.

It depends on kernel feature NF_CT_NETLINK_TIMEOUT

Good hint.
I thought having libnetfilter-cttimeout package enabled would enable
but it does not.

Patches welcome :slight_smile:

I'm not that familiar with the OpenWRT's package structure :laughing:
But I guess, best would be to create a new netlink package in
something like this?

define KernelPackage/nfnetlink-timeout
  TITLE:=Netfilter TIMEOUT over NFNETLINK interface
  FILES:=$(foreach mod,$(NFNETLINK_TIMEOUT-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoProbe,$(notdir $(NFNETLINK_TIMEOUT-m)))
  $(call AddDepends/nfnetlink)
endef

define KernelPackage/nfnetlink-timeout/description
 Kernel modules support for timeout policies via NFNETLINK
endef

$(eval $(call KernelPackage,nfnetlink-timeout))

I have no clue what the correct syntax for KCONFIG is.

I guess, NF_CONNTRACK_TIMEOUT needs also to be enabled.
For QUEUE (that also uses netlink) there is an iptables target:

define KernelPackage/ipt-nfqueue
  TITLE:=Module for user-space packet queuing
  FILES:=$(foreach mod,$(IPT_NFQUEUE-m),$(LINUX_DIR)/net/$(mod).ko)
  AUTOLOAD:=$(call AutoProbe,$(notdir $(IPT_NFQUEUE-m)))
  $(call AddDepends/ipt,+kmod-nfnetlink-queue)
endef

define KernelPackage/ipt-nfqueue/description
 Netfilter module for user-space packet queuing
endef

$(eval $(call KernelPackage,ipt-nfqueue))

Would it be the right thing to adapt 'timeout' to this structure?

I would suggest putting it into its own group. It's for nf_conntrack tuning, not quite related to what ipt-nfqueue is for.

As for packaging, you may find include/ useful, for kconfig names and kernel module paths, etc.

NF_CONNTRACK_TIMEOUT enables the new iptables CT timeout target (-j CT --timeout)
So it is somewhat iptables related...

This option enables support for connection tracking timeout extension. This allows you to attach timeout policies to flow via the CT target.

If unsure, say `N'.

man iptables-extensions

--timeout name
Use the timeout policy identified by name for the connection. This is provides more flexible timeout policy definition than global timeout values available at /proc/sys/net/netfilter/nf_conntrack_timeout.

So I guess those are both related?

Sorry, I was a bit confused. There are two kconfig options involved here.

  • NF_CONNTRACK_TIMEOUT is for --timeout argument of iptables CT target. It's a bool option
  • NF_CT_NETLINK_TIMEOUT is a tristate option for tuning conntrack timeout via netlink

Okay, I got it working.
But I think, it is not the best solution but anyway, here it is:

diff --git a/package/kernel/linux/modules/ b/package/kernel/linux/modules/
index 7eda8e6270..86383c6e3a 100644
--- a/package/kernel/linux/modules/
+++ b/package/kernel/linux/modules/
@@ -120,6 +120,18 @@ endef
 $(eval $(call KernelPackage,nf-conntrack6))
+define KernelPackage/nf-conntrack-timeout
+  TITLE:=Connection tracking timeout policy support
+  KCONFIG:= \
+    DEPENDS:=+kmod-nf-conntrack +kmod-nfnetlink +kmod-ipt-raw +IPV6:kmod-ipt-raw6 +libnetfilter-cttimeout
+  FILES:=$(LINUX_DIR)/net/netfilter/nfnetlink_cttimeout.ko
+  AUTOLOAD:=$(call AutoProbe,nfnetlink_cttimeout)
+$(eval $(call KernelPackage,nf-conntrack-timeout))
 define KernelPackage/nf-nat
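
Review bot: The "KCONFIG:= \" line in the new KernelPackage/nf-conntrack-timeout block ends in a continuation with no symbols after it, so the following "DEPENDS:=..." line is folded into the KCONFIG value and the package ends up with neither kconfig symbols nor dependencies set. List the options named earlier in the thread (NF_CT_NETLINK_TIMEOUT, and NF_CONNTRACK_TIMEOUT for the CT --timeout target) under KCONFIG and give DEPENDS its own assignment. The define also has no "endef" before "$(eval $(call KernelPackage,nf-conntrack-timeout))". Consider moving "+libnetfilter-cttimeout" out of DEPENDS as well: it is a user-space library, so the dependency fits the package that installs nfct rather than the kernel module package.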

I have no clue how to do a diff for a file in the packages feed.
Line 52-56:
Change to:

define Package/conntrack/install
	$(INSTALL_DIR) $(1)/usr/sbin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/conntrack $(1)/usr/sbin/
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/nfct $(1)/usr/sbin/
endef


nfct add timeout dns inet udp replied 10
nfct list timeout
.dns = {
        .l3proto = 2,
        .l4proto = 17,
        .policy = {
                .UNREPLIED = 10,
                .REPLIED = 10,
iptables -I OUTPUT -t raw -p udp --dport 53 -j CT --timeout dns
iptables-save | grep 'timeout dns'
-A OUTPUT -p udp -m udp --dport 53 -j CT --timeout dns

Complete example to limit dns connections to a 10sec timeout:

IPT=$(which iptables)
IPT6=$(which ip6tables)

# Set custom timeout for dns connections
nfct add timeout dns4 inet udp replied 10 unreplied 10 > /dev/null 2>&1 || true
nfct add timeout dns6 inet6 udp replied 10 unreplied 10 > /dev/null 2>&1 || true

$IPT -I PREROUTING -t raw -p udp -m multiport --ports 53 -j CT --timeout dns4
$IPT -I OUTPUT -t raw -p udp -m multiport --ports 53 -j CT --timeout dns4
$IPT6 -I PREROUTING -t raw -p udp -m multiport --ports 53 -j CT --timeout dns6
$IPT6 -I OUTPUT -t raw -p udp -m multiport --ports 53 -j CT --timeout dns6

Note: seems like the "name" (dns4,dns6 in this example) is limited to 4 chars.
Only PREROUTING and OUTPUT can be used.

Thank you for pointing me in the right direction.

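An added example, not part of the original posts: the final script creates the nfct policies and the CT rules together, so a saved ruleset is only consistent if every name used with -j CT --timeout is also defined as a policy. The sketch below compares the two. The function names and both sample inputs are constructed for illustration, and the closing lines of the sample nfct listing are assumed.

```shell
#!/bin/sh
# Added example: report CT --timeout rules that name an undefined policy.
# On a router the inputs would come from `nfct list timeout` and
# `iptables-save -t raw`; the samples below are constructed.

# Constructed sample of `nfct list timeout` output (closing lines assumed).
NFCT_SAMPLE='.dns4 = {
        .l3proto = 2,
        .l4proto = 17,
        .policy = {
                .UNREPLIED = 10,
                .REPLIED = 10,
        },
};'

# Constructed sample of saved raw-table rules; dns6 has no policy above.
RULES_SAMPLE='*raw
-A PREROUTING -p udp -m multiport --ports 53 -j CT --timeout dns4
-A OUTPUT -p udp -m multiport --ports 53 -j CT --timeout dns4
-A PREROUTING -p udp -m multiport --ports 53 -j CT --timeout dns6
COMMIT'

# Policy names: unindented lines of the form ".name = {" on stdin.
# The indented ".policy = {" line is skipped by the ^ anchor.
defined_policies() {
    sed -n 's/^\.\([^ ]*\) = {.*/\1/p'
}

# Names referenced by "-j CT ... --timeout <name>" rules on stdin.
referenced_policies() {
    sed -n 's/.*-j CT .*--timeout \([^ ]*\).*/\1/p' | sort -u
}

# $1: nfct listing, $2: saved rules. Prints each referenced name that
# has no matching policy, one per line; prints nothing when consistent.
missing_policies() {
    defs=$(printf '%s\n' "$1" | defined_policies)
    printf '%s\n' "$2" | referenced_policies | while read -r name; do
        # -x -F: whole-line, fixed-string match, so names are not regexes
        printf '%s\n' "$defs" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

missing_policies "$NFCT_SAMPLE" "$RULES_SAMPLE"
```

Run against live output, an empty result means every rule's policy name exists.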