Ping a Specific Port

Question

narotello

Asked: 2021-10-11 01:27:14 +0800 CST2021-10-11 01:27:14 +0800 CST 2021-10-11 01:27:14 +0800 CST

Statistics /proc/net/stat/nf_conntrack is missing on Linux server

772

For some reason I have no such file on my server..

root@serv:~# uname -a
Linux serv 5.4.0-87-generic #98~18.04.1-Ubuntu SMP Wed Sep 22 10:45:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
root@serv:~# cat /proc/net/stat/nf_conntrack
cat: /proc/net/stat/nf_conntrack: No such file or directory

But my conntrack is definitely enabled:

root@serv:~# lsmod | grep conntr
xt_conntrack           16384  1
nf_conntrack_netlink    45056  0
nf_conntrack          139264  2 xt_conntrack,nf_conntrack_netlink
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  1 nf_conntrack
nfnetlink              16384  1 nf_conntrack_netlink
x_tables               45056  3 xt_conntrack,iptable_filter,ip_tables

And conntrack -L works perfectly.
But lnstat -f ip_conntrack also shows the empty output.
What is the reason? Should I insert some kernel module for this file to appear in procfs?

1 Answers

Voted

A.B · Answer 1 · 2021-10-11T05:24:43+08:00

The relevant required configuration needed to have conntrack available in /proc is CONFIG_NF_CONNTRACK_PROCFS:

CONFIG_NF_CONNTRACK_PROCFS: Supply CT list in procfs (OBSOLETE)

[...]

Help text

This option enables for the list of known conntrack entries to be shown in procfs under net/netfilter/nf_conntrack. This is considered obsolete in favor of using the conntrack(8) tool which uses Netlink.

OP's kernel appears to have been built with features described in this package: linux-buildinfo-5.4.0-87-generic.

Alas content of /usr/lib/linux/5.4.0-87-generic/config from package above tells:

# CONFIG_NF_CONNTRACK_PROCFS is not set

So the two /proc/ entries usually provided by conntrack: /proc/net/nf_conntrack and /proc/net/stat/nf_conntrack will not exist.

As the documentation tells, this has been obsoleted by the conntrack tool which uses the netlink(7) kernel API instead.

Most of the content of /proc/net/stat/nf_conntrack can be replaced by:

conntrack --count

which gives the number of entries (this is the first column of data present in /proc/net/stat/nf_conntrack) and:

conntrack --stats
conntrack --stats expect

which gives the content of most of the other columns available in /proc/net/stat/nf_conntrack, sometimes for the (main) conntrack table, sometimes for the expect table, one per CPU as well. A few statistics don't appear to be available this way (or might be hidden elsewhere, or might have been obsoleted ...).

If you really need /proc/net/stat/nf_conntrack you'll have to switch to an other kernel with this feature available or rebuild the kernel with different options. This kernel option doesn't appear to be chosen by Ubuntu anymore, including in newer kernel versions.

For reference, here's an example from a different kernel having this option and running with 4 CPUs:

# cat /proc/net/stat/nf_conntrack | column -t
entries   clashres  found     new       invalid   ignore    delete    delete_list  insert    insert_failed  drop      early_drop  icmp_error  expect_new  expect_create  expect_delete  search_restart
0000000a  00000092  00000000  00000000  00000276  00000000  00000000  00000000     00000000  00000000       00000000  00000000    00000000    00000016    0000000a       00000016       00002463
0000000a  00000000  00000000  00000000  00000009  00000000  00000000  00000000     00000000  00000001       00000001  00000000    00000000    00000000    00000004       00000000       000000eb
0000000a  00000000  00000000  00000000  00000008  00000000  00000000  00000000     00000000  00000007       00000007  00000000    00000000    00000000    00000004       00000000       00000100
0000000a  00000000  00000000  00000000  00000048  00000000  00000000  00000000     00000000  00000000       00000000  00000000    00000000    00000000    00000004       00000000       00000325
# conntrack -C
10
# conntrack -S
cpu=0       found=0 invalid=630 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=9315 
cpu=1       found=0 invalid=9 insert=0 insert_failed=1 drop=1 early_drop=0 error=0 search_restart=235 
cpu=2       found=0 invalid=8 insert=0 insert_failed=7 drop=7 early_drop=0 error=0 search_restart=256 
cpu=3       found=0 invalid=72 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=805 
# conntrack -S expect
cpu=0       expect_new=22 expect_create=10 expect_delete=22 
cpu=1       expect_new=0 expect_create=4 expect_delete=0 
cpu=2       expect_new=0 expect_create=4 expect_delete=0 
cpu=3       expect_new=0 expect_create=4 expect_delete=0 
#

Statistics /proc/net/stat/nf_conntrack is missing on Linux server

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?