Conntrack tales - one thousand and one flows
The text discusses the "conntrack" subsystem of the Linux network stack, the connection tracking facility that underpins the firewall. It explains how conntrack works, its limitations, and the problems that can arise when its table fills up. The author also provides a detailed test setup using "unshare" to experiment with iptables and conntrack without affecting the host system. They highlight the importance of applying conntrack correctly, and of avoiding it on inbound connections, so that it does not cause problems during SYN flood mitigation.
Company: Cloudflare
Date published: April 6, 2020
Author(s): Marek Majkowski
Word count: 2056
Language: English
Hacker News points: 38