CONNTRACK(8)                                                                         CONNTRACK(8)



NAME
       conntrack - command line interface for netfilter connection tracking

SYNOPSIS
       conntrack -L [table] [options] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -U [table] parameters
       conntrack -E [table] [options]
       conntrack -F [table]
       conntrack -C [table]
       conntrack -S

DESCRIPTION
       conntrack provides a full-featured userspace interface to the netfilter connection
       tracking system that is intended to replace the old /proc/net/ip_conntrack interface.
       This tool can be used to search, list, inspect and maintain the connection tracking
       subsystem of the Linux kernel.  Using conntrack, you can dump a list of all (or a
       filtered selection of) currently tracked connections, delete connections from the state
       table, and even add new ones.

       In addition, you can also monitor connection tracking events, e.g. show an  event  message
       (one line) per newly established connection.

TABLES
       The connection tracking subsystem maintains two internal tables:

       conntrack:
              This is the default table.  It contains a list of all currently tracked connections
              through the system.  If you don't use connection tracking exemptions (the NOTRACK
              iptables target), this means all connections that go through the system.

       expect:
              This is the table of expectations.  Connection tracking expectations are the
              mechanism used to "expect" RELATED connections to existing ones.  Expectations are
              generally used by "connection tracking helpers" (sometimes called application level
              gateways [ALGs]) for more complex protocols such as FTP, SIP, H.323.

       dying: This table shows the conntrack entries that have expired and that have been
              destroyed by the connection tracking system itself, or via the conntrack utility.

       unconfirmed:
              This table shows new entries that are not yet inserted into the conntrack table.
              These entries are attached to packets that are traversing the stack, but did not
              reach the confirmation point at the postrouting hook.

       The tables "dying" and "unconfirmed" are basically only useful for debugging purposes.
       Under normal operation, it is hard to see entries in any of them.  There are corner cases
       where it is valid to see entries in the unconfirmed table, e.g. when packets are enqueued
       via nfqueue, and in the dying table, e.g. when conntrackd runs in event reliable mode.

OPTIONS
       The options recognized by conntrack can be divided into several different groups.

   COMMANDS
       These options specify the particular operation to perform.  Only one of them can be
       specified at any given time.

       -L, --dump
              List connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given table.

       -D, --delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table.

       -U, --update
              Update an entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table.

       -C, --count
              Show the table counter.

       -S, --stats
              Show the in-kernel connection tracking system statistics.

   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them.  This option is only valid in
              combination with the "-L, --dump" command option.

       -o, --output [extended,xml,timestamp,id,ktimestamp,labels]
              Display output in a certain format. With the extended output option, this tool
              displays the layer 3 information. With ktimestamp, it displays the in-kernel
              timestamp available since 2.6.38 (you can enable it via
              echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp).  The labels output option
              tells conntrack to show the names of connection tracking labels that might be
              present.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the in-kernel ctnetlink event
              code.  Using this parameter, you can reduce the event messages generated by the
              kernel to those types that you are actually interested in.  This option can only be
              used in conjunction with "-E, --event".

       -b, --buffer-size value (in bytes)
              Set the Netlink socket buffer size. This option is useful if the command line tool
              reports ENOBUFS errors. If you do not pass this option, the default value available
              at /proc/sys/net/core/rmem_default is used. The tool reports this problem if your
              process is too slow to handle all the event messages or, in other words, if the
              number of events is large enough to overrun the socket buffer. Note that using a
              big buffer reduces the chances of hitting ENOBUFS; however, this results in more
              memory consumption.  This option can only be used in conjunction with "-E, --event".

   FILTER PARAMETERS
       -s, --src, --orig-src IP_ADDRESS
              Match only entries whose source address in the original direction  equals  the  one
              specified as argument.  Implies "--mask-src" when CIDR notation is used.

       -d, --dst, --orig-dst IP_ADDRESS
              Match  only  entries whose destination address in the original direction equals the
              one specified as argument.  Implies "--mask-dst" when CIDR notation is used.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in the reply direction equals the one
              specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match  only entries whose destination address in the reply direction equals the one
              specified as argument.

       -p, --proto PROTO
              Specify layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify layer three (ipv4, ipv6) protocol.  This option is only required in
              conjunction with "-L, --dump". If this option is not passed, the default layer 3
              protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout.

       -m, --mark MARK[/MASK]
              Specify the conntrack mark.  Optionally, a mask value can be specified.  In
              "--update" mode, this mask specifies the bits that should be zeroed before XORing
              the MARK value into the ctmark.  Otherwise, the mask is logically ANDed with the
              existing mark before the comparison.  In "--create" mode, the mask is ignored.

       -l, --label LABEL
              Specify a conntrack label.  This option is only available in conjunction with "-L,
              --dump", "-E, --event", "-U --update" or "-D --delete".  Match entries whose labels
              match at least those specified as arguments.  Use multiple -l options to specify
              multiple labels that need to be set.

       --label-add LABEL
              Specify the conntrack label to add to the selected conntracks.  This option is only
              available in conjunction with "-I, --create" or "-U, --update".

       --label-del [LABEL]
              Specify the conntrack label to delete from the selected conntracks.  If no label is
              given, all labels are deleted.  This option is only available in conjunction with
              "-U, --update".

       -c, --secmark SECMARK
              Specify the conntrack selinux security mark.

       -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]
              Specify the conntrack status.

       -n, --src-nat
              Filter source NAT connections.

       -g, --dst-nat
              Filter destination NAT connections.

       -j, --any-nat
              Filter any NAT connections.

       -w, --zone
              Filter by conntrack zone. See iptables CT target for more information.

       --orig-zone
              Filter  by  conntrack  zone in original direction.  See iptables CT target for more
              information.

       --reply-zone
              Filter by conntrack zone in reply direction.   See  iptables  CT  target  for  more
              information.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation.  Implies "--mask-src" when CIDR
              notation is used.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.  Implies "--mask-dst" when
              CIDR notation is used.

       --mask-src IP_ADDRESS
              Specify  the  source  address mask.  For conntrack this option is only available in
              conjunction with "-L, --dump", "-E, --event", "-U --update" or "-D --delete".   For
              expectations this option is only available in conjunction with "-I, --create".

       --mask-dst IP_ADDRESS
              Specify the destination address mask.  Same limitations as for "--mask-src".

   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state  [NONE  |  SYN_SENT  | SYN_RECV | ESTABLISHED | FIN_WAIT | CLOSE_WAIT | LAST_ACK |
       TIME_WAIT | CLOSE | LISTEN]
              TCP state

       UDP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       ICMP-specific fields:

       --icmp-type TYPE
              ICMP Type. Has to be specified numerically.

       --icmp-code CODE
              ICMP Code. Has to be specified numerically.

       --icmp-id ID
              ICMP Id. Has to be specified numerically (non-mandatory)

       UDPlite-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       SCTP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | CLOSED | COOKIE_WAIT | COOKIE_ECHOED | ESTABLISHED | SHUTDOWN_SENT |
       SHUTDOWN_RECD | SHUTDOWN_ACK_SENT]
              SCTP state

       --orig-vtag value
              Verification tag (32-bits value) in the original direction

       --reply-vtag value
              Verification tag (32-bits value) in the reply direction

       DCCP-specific fields (needs Linux >= 2.6.30):

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | REQUEST | RESPOND | PARTOPEN | OPEN | CLOSEREQ | CLOSING | TIMEWAIT]
              DCCP state

       --role [client | server]
              Role that the original conntrack tuple is tracking

       GRE-specific fields:

       --srckey, --orig-key-src KEY
              Source key in original direction (in hexadecimal or decimal)

       --dstkey, --orig-key-dst KEY
              Destination key in original direction (in hexadecimal or decimal)

       --reply-key-src KEY
              Source key in reply direction (in hexadecimal or decimal)

       --reply-key-dst KEY
              Destination key in reply direction (in hexadecimal or decimal)


DIAGNOSTICS
       The exit code is 0 for correct function.  Errors which appear to be caused by invalid
       command line parameters cause an exit code of 2.  Any other errors cause an exit code
       of 1.

EXAMPLES
       conntrack -L
              Show the connection tracking table in /proc/net/ip_conntrack format

       conntrack -L -o extended
              Show the connection tracking table in /proc/net/nf_conntrack format

       conntrack -L -o xml
              Show the connection tracking table in XML

       conntrack -L -f ipv6 -o extended
              Only dump IPv6 connections in /proc/net/nf_conntrack format

       conntrack -L --src-nat
              Show source NAT connections

       conntrack -E -o timestamp
              Show connection events together with the timestamp

       conntrack -D -s 1.2.3.4
              Delete all flows whose source address is 1.2.3.4

       conntrack -U -s 1.2.3.4 -m 1
              Set the connmark of all flows whose source address is 1.2.3.4 to 1
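       The following Python is an added example, not code from the conntrack man page or the
       conntrack-tools project.  It parses the `conntrack -L` output that the EXAMPLES above
       produce (plain and -o extended formats), applies the same test that the --src-nat and
       --dst-nat filters express (original source versus reply destination, original
       destination versus reply source), and implements the --mark MARK[/MASK] semantics for
       filtering and for -U given under FILTER PARAMETERS.  The sample lines are constructed,
       and the all-ones default mask is an assumption chosen to reproduce the "-m 1" example.

```python
# Constructed sample of `conntrack -L` output; the last line uses the -o extended format.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.10 sport=40112 dport=443 src=203.0.113.10 dst=198.51.100.1 sport=443 dport=40112 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=53412 dport=53 [UNREPLIED] src=192.168.1.1 dst=192.168.1.20 sport=53 dport=53412 mark=256 use=1
ipv4     2 tcp      6 117 TIME_WAIT src=198.51.100.7 dst=198.51.100.1 sport=51000 dport=8080 src=10.0.0.5 dst=198.51.100.7 sport=80 dport=51000 [ASSURED] mark=0 use=1
"""

def parse_entry(line):
    """Parse one conntrack -L line (plain or -o extended) into a dict."""
    toks = line.split()
    if toks[0] in ("ipv4", "ipv6"):      # -o extended prefixes the layer 3 family and number
        toks = toks[2:]
    entry = {"proto": toks[0], "timeout": int(toks[2]), "state": None,
             "orig": {}, "reply": {}, "flags": set(), "mark": 0}
    for tok in toks[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].add(tok[1:-1])         # [ASSURED], [UNREPLIED], ...
        elif "=" in tok:
            key, val = tok.split("=", 1)
            if key in ("src", "dst", "sport", "dport"):
                # First src/dst/sport/dport set is the original direction, second the reply.
                side = "orig" if key not in entry["orig"] else "reply"
                entry[side][key] = val
            elif key == "mark":
                entry["mark"] = int(val)
        elif entry["state"] is None and tok.isupper():
            entry["state"] = tok                  # TCP/SCTP/DCCP state; absent for UDP/ICMP
    return entry

def is_src_nat(e):
    """--src-nat: the original source was rewritten, so the reply destination differs."""
    return e["orig"]["src"] != e["reply"]["dst"]

def is_dst_nat(e):
    """--dst-nat: the original destination was rewritten, so the reply source differs."""
    return e["orig"]["dst"] != e["reply"]["src"]

def mark_matches(ctmark, mark, mask=0xFFFFFFFF):
    """-m MARK/MASK as a filter: MASK is ANDed with the existing mark before comparing."""
    return (ctmark & mask) == mark

def update_mark(ctmark, mark, mask=0xFFFFFFFF):
    """-U -m MARK/MASK: bits in MASK are zeroed, then MARK is XORed into the ctmark.
    The all-ones default mask is an assumption that reproduces the page's '-m 1' example."""
    return ((ctmark & ~mask) ^ mark) & 0xFFFFFFFF

def classify(text=SAMPLE):
    """Return (is_snat, is_dnat) for each entry in the sample, in order."""
    return [(is_src_nat(e), is_dst_nat(e)) for e in map(parse_entry, text.splitlines())]
```

       Because bits are zeroed only inside MASK before the XOR, applying the same -U -m
       MARK/MASK twice toggles any MARK bits that lie outside MASK, so the mask should cover
       every bit you intend to set.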

BUGS
       Please report them to netfilter-devel@vger.org or file a bug in Netfilter's bugzilla
       (https://bugzilla.netfilter.org).

SEE ALSO
       iptables(8)
       See http://conntrack-tools.netfilter.org

AUTHORS
       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote the kernel-level
       "ctnetlink" interface that is used by the conntrack tool.

       Pablo Neira Ayuso wrote and maintains the conntrack tool; Harald Welte added support for
       conntrack based accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org> and Pablo Neira Ayuso
       <pablo@netfilter.org>.



                                           Aug 24, 2015                              CONNTRACK(8)
