Score:4

Statistics /proc/net/stat/nf_conntrack is missing on Linux server


For some reason I have no such file on my server:

root@serv:~# uname -a
Linux serv 5.4.0-87-generic #98~18.04.1-Ubuntu SMP Wed Sep 22 10:45:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
root@serv:~# cat /proc/net/stat/nf_conntrack
cat: /proc/net/stat/nf_conntrack: No such file or directory

But my conntrack is definitely enabled:

root@serv:~# lsmod | grep conntr
xt_conntrack           16384  1
nf_conntrack_netlink    45056  0
nf_conntrack          139264  2 xt_conntrack,nf_conntrack_netlink
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  1 nf_conntrack
nfnetlink              16384  1 nf_conntrack_netlink
x_tables               45056  3 xt_conntrack,iptable_filter,ip_tables

And conntrack -L works perfectly.
But lnstat -f ip_conntrack also shows empty output.
What is the reason? Should I load some kernel module for this file to appear in procfs?

Score:2
A.B

The relevant required configuration needed to have conntrack available in /proc is CONFIG_NF_CONNTRACK_PROCFS:

CONFIG_NF_CONNTRACK_PROCFS: Supply CT list in procfs (OBSOLETE)

[...]

Help text

This option enables for the list of known conntrack entries to be shown in procfs under net/netfilter/nf_conntrack. This is considered obsolete in favor of using the conntrack(8) tool which uses Netlink.

OP's kernel appears to have been built with features described in this package: linux-buildinfo-5.4.0-87-generic.

Alas, the content of /usr/lib/linux/5.4.0-87-generic/config from the package above says:

# CONFIG_NF_CONNTRACK_PROCFS is not set

So the two /proc/ entries usually provided by conntrack: /proc/net/nf_conntrack and /proc/net/stat/nf_conntrack will not exist.

As the documentation tells, this has been obsoleted by the conntrack tool which uses the netlink(7) kernel API instead.

Most of the content of /proc/net/stat/nf_conntrack can be replaced by:

conntrack --count

which gives the number of entries (this is the first column of data present in /proc/net/stat/nf_conntrack) and:

conntrack --stats
conntrack --stats expect

which gives the content of most of the other columns available in /proc/net/stat/nf_conntrack, sometimes for the (main) conntrack table, sometimes for the expect table, one per CPU as well. A few statistics don't appear to be available this way (or might be hidden elsewhere, or might have been obsoleted ...).

If you really need /proc/net/stat/nf_conntrack you'll have to switch to another kernel with this feature available or rebuild the kernel with different options. This kernel option doesn't appear to be chosen by Ubuntu anymore, including in newer kernel versions.


For reference, here's an example from a different kernel having this option and running with 4 CPUs:

# cat /proc/net/stat/nf_conntrack | column -t
entries   clashres  found     new       invalid   ignore    delete    delete_list  insert    insert_failed  drop      early_drop  icmp_error  expect_new  expect_create  expect_delete  search_restart
0000000a  00000092  00000000  00000000  00000276  00000000  00000000  00000000     00000000  00000000       00000000  00000000    00000000    00000016    0000000a       00000016       00002463
0000000a  00000000  00000000  00000000  00000009  00000000  00000000  00000000     00000000  00000001       00000001  00000000    00000000    00000000    00000004       00000000       000000eb
0000000a  00000000  00000000  00000000  00000008  00000000  00000000  00000000     00000000  00000007       00000007  00000000    00000000    00000000    00000004       00000000       00000100
0000000a  00000000  00000000  00000000  00000048  00000000  00000000  00000000     00000000  00000000       00000000  00000000    00000000    00000000    00000004       00000000       00000325
# conntrack -C
10
# conntrack -S
cpu=0       found=0 invalid=630 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=9315 
cpu=1       found=0 invalid=9 insert=0 insert_failed=1 drop=1 early_drop=0 error=0 search_restart=235 
cpu=2       found=0 invalid=8 insert=0 insert_failed=7 drop=7 early_drop=0 error=0 search_restart=256 
cpu=3       found=0 invalid=72 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=805 
# conntrack -S expect
cpu=0       expect_new=22 expect_create=10 expect_delete=22 
cpu=1       expect_new=0 expect_create=4 expect_delete=0 
cpu=2       expect_new=0 expect_create=4 expect_delete=0 
cpu=3       expect_new=0 expect_create=4 expect_delete=0 
# 
narotello
Thanks, but where can I find the `new` statistic, the 4th column of `/proc/net/stat/nf_conntrack`? I think `new` is an important metric which can be used to calculate the CPS (connections per second) metric.
narotello
Btw, what does it mean that some metrics are per CPU? It seems that the session table should be common, i.e. shared between CPU cores.
A.B
I already addressed your question by explaining why the file is missing and what could be done to get it back (change kernel), and went beyond. I don't have ready answers for these comments, except that traffic is split among CPUs, so it looks like the same happens for the statistics.
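The answer above replaces the rows of /proc/net/stat/nf_conntrack with the per-CPU output of conntrack -S, and the comments ask how to get a connections-per-second figure out of that. The following POSIX shell helpers are an added example, not part of A.B's answer and not code from conntrack-tools: one function checks the running kernel's config for CONFIG_NF_CONNTRACK_PROCFS (assuming Ubuntu's usual /boot/config-$(uname -r) location; any path can be passed instead), one sums a named counter over all cpu= lines exactly as one would add up the rows of the procfs file, and one turns two snapshots into a per-second rate. Using the `insert` counter (entries confirmed into the table) as the "new connection" figure is this example's choice, not something the thread states. The sample snapshots are constructed, not captured from a real host.

```shell
# Added example (not from the original answer or from conntrack-tools):
# aggregate per-CPU `conntrack -S` counters and derive a per-second rate.

# Return 0 if the given kernel config has CONFIG_NF_CONNTRACK_PROCFS=y.
# Default path assumes Ubuntu's /boot/config-$(uname -r); pass another
# file to inspect a different kernel's config.
ct_procfs_configured() {
    cfg="${1:-/boot/config-$(uname -r)}"
    grep -qx 'CONFIG_NF_CONNTRACK_PROCFS=y' "$cfg" 2>/dev/null
}

# Sum one named counter (insert, drop, invalid, expect_create, ...) over all
# "cpu=N key=value key=value ..." lines read on stdin; other lines are ignored.
# This is the same total one would get by adding the rows of
# /proc/net/stat/nf_conntrack, which are also per CPU.
ct_sum() {
    awk -v key="$1" '
        /^cpu=/ {
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key) total += kv[2]
            }
        }
        END { printf "%d\n", total + 0 }
    '
}

# Per-second rate of a counter between two `conntrack -S` snapshots taken
# $4 seconds apart (integer arithmetic; a zero or missing interval fails).
ct_rate() {
    key="$1"; before="$2"; after="$3"; interval="${4:-0}"
    [ "$interval" -gt 0 ] || return 1
    b=$(printf '%s\n' "$before" | ct_sum "$key")
    a=$(printf '%s\n' "$after"  | ct_sum "$key")
    echo $(( (a - b) / interval ))
}

# Constructed sample snapshots (not real captures), 10 s apart, in the
# line format conntrack -S prints on this kernel series.
CT_T0='cpu=0       found=0 invalid=630 insert=1000 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=9315
cpu=1       found=0 invalid=9 insert=500 insert_failed=1 drop=1 early_drop=0 error=0 search_restart=235'
CT_T1='cpu=0       found=0 invalid=640 insert=1300 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=9400
cpu=1       found=0 invalid=12 insert=700 insert_failed=3 drop=3 early_drop=0 error=0 search_restart=240'

# Live use as root (replace the constructed snapshots):
#   t0=$(conntrack -S); sleep 10; t1=$(conntrack -S)
#   ct_rate insert "$t0" "$t1" 10      # new entries confirmed per second
#   conntrack -S expect | ct_sum expect_create
```

The same ct_sum works on conntrack -S expect output, since its lines use the same cpu=N key=value layout; conntrack -C already gives the table-wide entry count, so it needs no summing.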
Score:0

For me, the command modprobe nf_conntrack allowed using /proc/net/stat/nf_conntrack.
