Why do the numbers shown in ip_conntrack_count and conntrack -L differ

Question

I noticed the following today on our router:

user@router:~$ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count 
28141

However:

user@router:~$ sudo conntrack -L > /dev/null 
conntrack v1.2.1 (conntrack-tools): 4652 flow entries have been shown.

user@router:~$ sudo conntrack -L expect > /dev/null 
conntrack v1.2.1 (conntrack-tools): 1 expectations have been shown.

My understanding is that ip_conntrack_count shows the number of entries of the conntrack table. What am I missing?

score 0 · Accepted Answer · answered Jul 04 '16 at 09:33

The answer is that conntrack only lists IPv4 connections by default. If I do

user@router:~$ sudo conntrack -L -f ipv6 > /dev/null 
conntrack v1.2.1 (conntrack-tools): 23864 flow entries have been shown.

user@router:~$ sudo conntrack -L  > /dev/null 
conntrack v1.2.1 (conntrack-tools): 6713 flow entries have been shown.

then the sum of the two results add up to the number in /proc/sys/net/ipv4/netfilter/ip_conntrack_count.

The pathname of this proc entry is actually pretty misleading as the count is for both IPv4 and IPv6.

Why do the numbers shown in ip_conntrack_count and conntrack -L differ

1 Answers1