pynetfilter_conntrack is a Python binding of libnetfilter_conntrack. The binding is the file pynetfilter_conntrack.py, and there is also a clone of the conntrack program: conntrack.py.

See also NuConntrack project.

What's this?

This Python library is based on libnetfilter_conntrack, which lets you manipulate conntrack objects. In other words, pynetfilter_conntrack lets you deal with Netfilter's stateful inspection objects from the Python world.

Practically, for the administrator, this means you can now easily close connections of your choice on your Linux [2.6] firewall. You can also retrieve information about all connections (how many packets have gone through, how many bytes, etc.). You will even be able to create new objects in the Connection Tracking table (this means that complex protocols such as FTP, P2P, etc. can be handled by Python rather than by complex kernel modules).

Conntrack.py

Conntrack.py is a clone of the conntrack C program. Features:

  • list: list connections;
  • xml: export connections to an XML document;
  • delete: delete connections.

For all commands, you can filter connections with:

  • source/destination address from the original/reply direction;
  • layer 3 and 4 protocols;
  • source/destination port from the original/reply direction (for the protocols tcp, udp and sctp).

Examples

Listing connections:

$ conntrack.py list
ipv4 192.168.2.4->216.165.191.52 tcp 55250->6667
ipv4 192.168.1.2->192.168.1.1 tcp 48429->24800
ipv4 192.168.2.4->80.248.214.47 tcp 35587->5223
Total: 3 connection(s)

Deleting a connection by destination port:

$ conntrack.py delete --dport=6667
Delete: ipv4 192.168.2.4->216.165.191.52 tcp 55250->6667 (id 13202)

Exporting connection list to XML:

$ conntrack.py xml -d 80.248.214.47
<?xml version="1.0" encoding="ASCII"?>
<conntracks>
   <conntrack id="13196" mark="0" use="1" timeout="431972">
      <status>
         <flag>seen reply</flag>
         <flag>assured</flag>
         <flag>confirmed</flag>
         <flag>src_nat_done</flag>
         <flag>dst_nat_done</flag>
      </status>
      <tuple l3protonum="2" src="192.168.2.4" dst="80.248.214.47" proto="6" sport="35587" dport="5223" />
      <counter packets="173" bytes="28630" />
   </conntrack>
</conntracks>
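The XML produced by `conntrack.py xml` can be consumed by other tools. As an added example (not part of pynetfilter_conntrack or conntrack.py), the following parser loads such a document and applies the same src/dst/protocol/port filter that the command line offers; the sample document is constructed after the format shown above, with a second, unassured entry added.

```python
# Added example: parse the XML emitted by "conntrack.py xml" and apply the
# same src/dst/protocol/port filter the command-line tool offers. Not part of
# pynetfilter_conntrack; the sample document below is constructed for this demo.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="ASCII"?>
<conntracks>
   <conntrack id="13196" mark="0" use="1" timeout="431972">
      <status><flag>seen reply</flag><flag>assured</flag><flag>confirmed</flag></status>
      <tuple l3protonum="2" src="192.168.2.4" dst="80.248.214.47" proto="6" sport="35587" dport="5223" />
      <counter packets="173" bytes="28630" />
   </conntrack>
   <conntrack id="13202" mark="0" use="1" timeout="120">
      <status><flag>confirmed</flag></status>
      <tuple l3protonum="2" src="192.168.2.4" dst="216.165.191.52" proto="6" sport="55250" dport="6667" />
      <counter packets="5" bytes="312" />
   </conntrack>
</conntracks>"""

def parse_conntracks(xml_text):
    """Return one dict per <conntrack> element with its tuple, counters and status flags."""
    entries = []
    for ct in ET.fromstring(xml_text.encode("ascii")).iter("conntrack"):
        tup = ct.find("tuple").attrib
        cnt = ct.find("counter").attrib
        entries.append({
            "id": int(ct.get("id")),
            "timeout": int(ct.get("timeout")),
            "flags": {f.text for f in ct.iter("flag")},
            "src": tup["src"], "dst": tup["dst"],
            "proto": int(tup["proto"]),
            "sport": int(tup["sport"]), "dport": int(tup["dport"]),
            "packets": int(cnt["packets"]), "bytes": int(cnt["bytes"]),
        })
    return entries

def filter_entries(entries, proto=None, src=None, dst=None, sport=None, dport=None):
    """Keep entries matching every given criterion; None means 'any', like an omitted CLI option."""
    def match(e):
        return ((proto is None or e["proto"] == proto)
                and (src is None or e["src"] == src)
                and (dst is None or e["dst"] == dst)
                and (sport is None or e["sport"] == sport)
                and (dport is None or e["dport"] == dport))
    return [e for e in entries if match(e)]

def unassured(entries):
    """Entries not yet flagged 'assured', i.e. no reply traffic has confirmed them."""
    return [e for e in entries if "assured" not in e["flags"]]
```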

pynetfilter_conntrack

The API of pynetfilter_conntrack is high-level and simple to use. As proof, the following code is the core of conntrack.py:

 # Excerpt from conntrack.py; "values" holds the parsed command-line options.
 # NetfilterConntrack and CONNTRACK are the names exported by pynetfilter_conntrack.py.
 from pynetfilter_conntrack import NetfilterConntrack, CONNTRACK

 nf = NetfilterConntrack(CONNTRACK)        # open a handle on the conntrack subsystem
 table = nf.create_table(values.family)    # dump the table for one address family
 table = table.filter(values.protonum, src=values.src, dst=values.dst,
                      sport=values.sport, dport=values.dport)
 table.display()

The filtering options use the same syntax as iptables, to ease script development.

Download

Dependencies

Read the INSTALL file.

Typical error if you do not have the right version of libnetfilter_conntrack:

AttributeError: /usr/lib/libnetfilter_conntrack.so.1: undefined symbol: nfct_new

Tarball

See also pynetfilter_conntrack on Python Cheeseshop.

Subversion

You can download the latest version from the downloads area ('Tools' section).

Download the development (unstable) version with Subversion:

svn co http://software.inl.fr/svn/mirror/edenwall/pynetfilter_conntrack/trunk pynetfilter_conntrack

You can also read source code online: Browse pynetfilter_conntrack source code.

TODO

The current binding is not complete; missing features:

  • expected connections (DONE);
  • flush conntrack table (?);
  • create new conntrack entry (DONE);
  • event tracking (DONE).

Another good idea would be to filter the connection table using conntrack functions (to support huge connection tables, e.g. 120k connections).

Idea: load kernel module (ip_conntrack_netlink) using modprobe if getuid() is 0 (root).

UPDATE: All listed features are implemented in trunk version (future 0.5 version).