Statistics /proc/net/stat/nf_conntrack is missing on Linux server

Solution 1:

The relevant required configuration needed to have conntrack available in /proc is CONFIG_NF_CONNTRACK_PROCFS:

CONFIG_NF_CONNTRACK_PROCFS: Supply CT list in procfs (OBSOLETE)

[...]

Help text

This option enables for the list of known conntrack entries to be shown in procfs under net/netfilter/nf_conntrack. This is considered obsolete in favor of using the conntrack(8) tool which uses Netlink.

OP's kernel appears to have been built with features described in this package: linux-buildinfo-5.4.0-87-generic.

Alas, the content of /usr/lib/linux/5.4.0-87-generic/config from the package above says:

# CONFIG_NF_CONNTRACK_PROCFS is not set

So the two /proc/ entries usually provided by conntrack: /proc/net/nf_conntrack and /proc/net/stat/nf_conntrack will not exist.

As the documentation says, this has been obsoleted by the conntrack tool which uses the netlink(7) kernel API instead.

Most of the content of /proc/net/stat/nf_conntrack can be replaced by:

conntrack --count

which gives the number of entries (this is the first column of data present in /proc/net/stat/nf_conntrack) and:

conntrack --stats
conntrack --stats expect

which gives the content of most of the other columns available in /proc/net/stat/nf_conntrack, sometimes for the (main) conntrack table, sometimes for the expect table, one per CPU as well. A few statistics don't appear to be available this way (or might be hidden elsewhere, or might have been obsoleted ...).

If you really need /proc/net/stat/nf_conntrack you'll have to switch to another kernel with this feature available or rebuild the kernel with different options. This kernel option doesn't appear to be chosen by Ubuntu anymore, including in newer kernel versions.


For reference, here's an example from a different kernel having this option and running with 4 CPUs:

# cat /proc/net/stat/nf_conntrack | column -t
entries   clashres  found     new       invalid   ignore    delete    delete_list  insert    insert_failed  drop      early_drop  icmp_error  expect_new  expect_create  expect_delete  search_restart
0000000a  00000092  00000000  00000000  00000276  00000000  00000000  00000000     00000000  00000000       00000000  00000000    00000000    00000016    0000000a       00000016       00002463
0000000a  00000000  00000000  00000000  00000009  00000000  00000000  00000000     00000000  00000001       00000001  00000000    00000000    00000000    00000004       00000000       000000eb
0000000a  00000000  00000000  00000000  00000008  00000000  00000000  00000000     00000000  00000007       00000007  00000000    00000000    00000000    00000004       00000000       00000100
0000000a  00000000  00000000  00000000  00000048  00000000  00000000  00000000     00000000  00000000       00000000  00000000    00000000    00000000    00000004       00000000       00000325
# conntrack -C
10
# conntrack -S
cpu=0       found=0 invalid=630 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=9315 
cpu=1       found=0 invalid=9 insert=0 insert_failed=1 drop=1 early_drop=0 error=0 search_restart=235 
cpu=2       found=0 invalid=8 insert=0 insert_failed=7 drop=7 early_drop=0 error=0 search_restart=256 
cpu=3       found=0 invalid=72 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=805 
# conntrack -S expect
cpu=0       expect_new=22 expect_create=10 expect_delete=22 
cpu=1       expect_new=0 expect_create=4 expect_delete=0 
cpu=2       expect_new=0 expect_create=4 expect_delete=0 
cpu=3       expect_new=0 expect_create=4 expect_delete=0 
#
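
Added example, not part of the original answer: Python that decodes the hexadecimal per-CPU rows of /proc/net/stat/nf_conntrack and the key=value lines of conntrack -S, then checks that the counters present in both agree. The function names are this example's own, and the sample data is copied from the output above with whitespace collapsed.

```python
import re

# Sample data copied from the answer above (4 CPUs), whitespace collapsed.
PROC_SAMPLE = """\
entries clashres found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart
0000000a 00000092 00000000 00000000 00000276 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000016 0000000a 00000016 00002463
0000000a 00000000 00000000 00000000 00000009 00000000 00000000 00000000 00000000 00000001 00000001 00000000 00000000 00000000 00000004 00000000 000000eb
0000000a 00000000 00000000 00000000 00000008 00000000 00000000 00000000 00000000 00000007 00000007 00000000 00000000 00000000 00000004 00000000 00000100
0000000a 00000000 00000000 00000000 00000048 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000004 00000000 00000325
"""
# Output of `conntrack -S` followed by `conntrack -S expect`.
CT_SAMPLE = """\
cpu=0 found=0 invalid=630 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=9315
cpu=1 found=0 invalid=9 insert=0 insert_failed=1 drop=1 early_drop=0 error=0 search_restart=235
cpu=2 found=0 invalid=8 insert=0 insert_failed=7 drop=7 early_drop=0 error=0 search_restart=256
cpu=3 found=0 invalid=72 insert=0 insert_failed=0 drop=0 early_drop=0 error=0 search_restart=805
cpu=0 expect_new=22 expect_create=10 expect_delete=22
cpu=1 expect_new=0 expect_create=4 expect_delete=0
cpu=2 expect_new=0 expect_create=4 expect_delete=0
cpu=3 expect_new=0 expect_create=4 expect_delete=0
"""

def parse_proc_stat(text):
    """Decode /proc/net/stat/nf_conntrack: a header row, then one hex row per CPU."""
    header, *rows = (line.split() for line in text.strip().splitlines())
    return [dict(zip(header, (int(v, 16) for v in row))) for row in rows]

def parse_conntrack_stats(text):
    """Merge key=value lines from `conntrack -S [expect]` into one dict per CPU."""
    cpus = {}
    for line in text.splitlines():
        fields = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", line)}
        if "cpu" in fields:  # skip any line that is not a per-CPU record
            cpus.setdefault(fields.pop("cpu"), {}).update(fields)
    return [cpus[c] for c in sorted(cpus)]

def mismatches(proc, ct):
    """List (cpu, counter, proc_value, ct_value) where shared counters differ."""
    return [(cpu, k, p[k], c[k]) for cpu, (p, c) in enumerate(zip(proc, ct))
            for k in p.keys() & c.keys() if p[k] != c[k]]

def totals(per_cpu, keys=("insert_failed", "drop", "early_drop")):
    """Sum the failure counters across all CPUs."""
    return {k: sum(cpu.get(k, 0) for cpu in per_cpu) for k in keys}

if __name__ == "__main__":
    proc, ct = parse_proc_stat(PROC_SAMPLE), parse_conntrack_stats(CT_SAMPLE)
    print("mismatches:", mismatches(proc, ct))
    print("totals:", totals(ct))
```

On a kernel without CONFIG_NF_CONNTRACK_PROCFS only the conntrack side has live input, so a monitoring job would feed parse_conntrack_stats the output of the two conntrack commands.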