CONNTRACK(8)                                                      CONNTRACK(8)



NAME
       conntrack - command line interface for netfilter connection tracking

SYNOPSIS
       conntrack -L [table] [options] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -U [table] parameters
       conntrack -E [table] [options]
       conntrack -F [table]
       conntrack -C [table]
       conntrack -S

DESCRIPTION
       conntrack  provides  a  full  featured  userspace interface to the netfilter connection tracking system that is
       intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to  search,  list,  inspect
       and  maintain  the connection tracking subsystem of the Linux kernel.  Using conntrack, you can dump a list of
       all (or a filtered selection of) currently tracked connections, delete connections from the  state  table,  and
       even add new ones.

       In  addition,  you can also monitor connection tracking events, e.g. show an event message (one line) per newly
       established connection.

TABLES
       The connection tracking subsystem maintains two internal tables:

       conntrack:
              This is the default table.  It contains a list of all currently tracked connections through the  system.
              If  you  don't  use connection tracking exemptions (NOTRACK iptables target), this means all connections
              that go through the system.

       expect:
              This is the table of expectations.  Connection tracking expectations are the mechanism used to  "expect"
              RELATED  connections to existing ones.  Expectations are generally used by "connection tracking helpers"
              (sometimes called application level gateways [ALGs]) for more complex protocols such as FTP, SIP, H.323.

OPTIONS
       The options recognized by conntrack can be divided into several different groups.

   COMMANDS
       These  options  specify  the  particular  operation to perform.  Only one of them can be specified at any given
       time.

       -L, --dump
              List the connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given table.

       -D, --delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table.

       -U, --update
              Update an entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table.

       -C, --count
              Show the table counter.

       -S, --stats
              Show the in-kernel connection tracking system statistics.

   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them.  This option is only valid in  combination  with  the  "-L,
              --dump" command options.

       -o, --output [extended,xml,timestamp,id,ktimestamp,labels]
              Display  output  in  a  certain  format. With the extended output option, this tool displays the layer 3
              information. With ktimestamp, it displays the in-kernel timestamp available since 2.6.38 (you can enable
              it via echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp).  The labels output  option  tells
              conntrack to show the names of connection tracking labels that might be present.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the in-kernel ctnetlink event  code.   Using  this
              parameter,  you  can  reduce  the  event  messages generated by the kernel to those types that you are
              actually interested in.  This option can only be used in conjunction with "-E, --event".

       -b, --buffer-size value (in bytes)
              Set the Netlink socket buffer size. This option is useful if  the  command  line  tool  reports  ENOBUFS
              errors.  If  you do not pass this option, the default value available at /proc/sys/net/core/rmem_default
              is used. The tool reports this problem if your process is too slow to handle all the event messages  or,
              in  other  words, if the number of events is large enough to overrun the socket buffer. Note that using a
              big buffer reduces the chances to hit ENOBUFS; however, this results in more memory  consumption.   This
              option can only be used in conjunction with "-E, --event".

   FILTER PARAMETERS
       -s, --orig-src IP_ADDRESS
              Match  only entries whose source address in the original direction equals the one specified as argument.

       -d, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original direction equals the one specified as argu-
              ment.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in the reply direction equals the one specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match  only  entries  whose destination address in the reply direction equals the one specified as argu-
              ment.

       -p, --proto PROTO
              Specify layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify layer three (ipv4, ipv6) protocol. This option is only required in conjunction with "-L, --dump".
              If this option is not passed, the default layer 3 protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout.

       -m, --mark MARK[/MASK]
              Specify  the  conntrack mark.  Optionally, a mask value can be specified.  In "--update" mode, this mask
              specifies the bits that should be zeroed before XORing the MARK value into the ctmark.   Otherwise,  the
              mask  is logically ANDed with the existing mark before the comparison.   In "--create" mode, the mask is
              ignored.
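       The two meanings of MASK above are easy to confuse, so here is an added example (not part of this man page or
       of the conntrack tool) that models them in Python. In filter mode (--dump, --get, --delete) the existing ctmark
       is ANDed with MASK and compared to MARK; in --update mode the MASK bits are cleared and MARK is XORed in, which
       is what lets a single bit field of the mark be rewritten without clobbering bits that other policy may key on.
       The assumption that a missing MASK means "all ones" is consistent with the EXAMPLES section, where
       "conntrack -U -s 1.2.3.4 -m 1" simply sets the connmark to 1.

```python
# Added example: model of the -m MARK[/MASK] semantics described above.
# Not conntrack's own code; the all-ones default mask is an assumption.

MARK_BITS = 0xFFFFFFFF  # the ctmark is a 32-bit field


def parse_mark_arg(arg):
    """Parse the MARK[/MASK] syntax of -m; both parts accept decimal or 0x hex."""
    if "/" in arg:
        mark, mask = arg.split("/", 1)
        return int(mark, 0), int(mask, 0)
    return int(arg, 0), MARK_BITS  # assumption: no MASK means all bits


def mark_filter_matches(ctmark, arg):
    """--dump/--get/--delete: the mask is ANDed with the existing mark before comparing."""
    mark, mask = parse_mark_arg(arg)
    return (ctmark & mask) == mark


def mark_update(ctmark, arg):
    """--update: zero the MASK bits, then XOR MARK into the result."""
    mark, mask = parse_mark_arg(arg)
    return ((ctmark & ~mask) ^ mark) & MARK_BITS


if __name__ == "__main__":
    # Constructed scenario: low byte = policy class 3, second byte = site id 0x12.
    ctmark = 0x1203
    # "-m 0x500/0xff00" rewrites only the site-id byte; the class byte survives.
    print(hex(mark_update(ctmark, "0x500/0xff00")))   # 0x503
    # The page's own example "-m 1" (no mask) replaces the whole mark.
    print(hex(mark_update(ctmark, "1")))              # 0x1
    # A filter on the class byte alone still matches after the update.
    print(mark_filter_matches(0x503, "3/0xff"))       # True
```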

       -l, --label LABEL,...
              Specify the conntrack labels.  This option is only available in conjunction with "-L,  --dump"  or  "-E,
              --event".  Match entries whose labels match at least those specified as arguments.

       -c, --secmark SECMARK
              Specify the conntrack selinux security mark.

       -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]
              Specify the conntrack status.

       -n, --src-nat
              Filter source NAT connections.

       -g, --dst-nat
              Filter destination NAT connections.

       -j, --any-nat
              Filter any NAT connections.

       -w, --zone ZONE
              Filter by conntrack zone. See iptables CT target for more information.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.

       --mask-src IP_ADDRESS
              Specify the source address mask of an expectation.

       --mask-dst IP_ADDRESS
              Specify the destination address mask of an expectation.

   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | SYN_SENT | SYN_RECV | ESTABLISHED | FIN_WAIT | CLOSE_WAIT | LAST_ACK | TIME_WAIT | CLOSE | LISTEN]
              TCP state

       UDP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       ICMP-specific fields:

       --icmp-type TYPE
              ICMP Type. Has to be specified numerically.

       --icmp-code CODE
              ICMP Code. Has to be specified numerically.

       --icmp-id ID
              ICMP Id. Has to be specified numerically (non-mandatory)

       UDPlite-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       SCTP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | CLOSED | COOKIE_WAIT | COOKIE_ECHOED | ESTABLISHED | SHUTDOWN_SENT | SHUTDOWN_RECD | SHUTDOWN_ACK_SENT]
              SCTP state

       --orig-vtag value
              Verification tag (32-bit value) in the original direction

       --reply-vtag value
              Verification tag (32-bit value) in the reply direction

       DCCP-specific fields (needs Linux >= 2.6.30):

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | REQUEST | RESPOND | PARTOPEN | OPEN | CLOSEREQ | CLOSING | TIMEWAIT]
              DCCP state

       --role [client | server]
              Role that the original conntrack tuple is tracking

       GRE-specific fields:

       --srckey, --orig-key-src KEY
              Source key in original direction (in hexadecimal or decimal)

       --dstkey, --orig-key-dst KEY
              Destination key in original direction (in hexadecimal or decimal)

       --reply-key-src KEY
              Source key in reply direction (in hexadecimal or decimal)

       --reply-key-dst KEY
              Destination key in reply direction (in hexadecimal or decimal)

DIAGNOSTICS
       The  exit  code  is  0  for  correct function.  Errors which appear to be caused by invalid command line
       parameters cause an exit code of 2.  Any other errors cause an exit code of 1.

EXAMPLES
       conntrack -L
              Show the connection tracking table in /proc/net/ip_conntrack format

       conntrack -L -o extended
              Show the connection tracking table in /proc/net/nf_conntrack format

       conntrack -L -o xml
              Show the connection tracking table in XML

       conntrack -L -f ipv6 -o extended
              Only dump IPv6 connections in /proc/net/nf_conntrack format

       conntrack -L --src-nat
              Show source NAT connections

       conntrack -E -o timestamp
              Show connection events together with the timestamp

       conntrack -D -s 1.2.3.4
              Delete all flows whose source address is 1.2.3.4

       conntrack -U -s 1.2.3.4 -m 1
              Set the connmark to 1 on all flows whose source address is 1.2.3.4
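       The dump produced by "conntrack -L" (and the "-o extended" form, which prefixes the layer 3 family) is what
       an operator usually feeds into monitoring: each line carries the protocol, timeout, protocol state, the
       original and reply tuples, and flags such as [ASSURED] or [UNREPLIED]. The following added example (not part
       of this man page or of conntrack-tools) parses such lines offline, detects source and destination NAT by
       comparing the two tuples, and counts unreplied flows per originating host, which is the first thing to look at
       when the table fills up or "-S" reports drops. The sample lines are constructed, not captured from a real
       system, and the NAT test is a tuple comparison, not the kernel's own NAT status bits.

```python
# Added example: offline parser for `conntrack -L` / `conntrack -L -o extended` lines.
# Not conntrack's own code. The sample dump below is constructed.
from collections import Counter

TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}

SAMPLE_DUMP = """\
tcp      6 431990 ESTABLISHED src=192.168.1.20 dst=93.184.216.34 sport=52310 dport=443 src=93.184.216.34 dst=203.0.113.7 sport=443 dport=52310 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=43210 dport=53 [UNREPLIED] src=192.168.1.1 dst=192.168.1.20 sport=53 dport=43210 mark=0 use=1
icmp     1 29 src=192.168.1.20 dst=192.168.1.1 type=8 code=0 id=4321 src=192.168.1.1 dst=192.168.1.20 type=0 code=0 id=4321 mark=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=192.168.1.33 dst=10.0.0.5 sport=40001 dport=22 [UNREPLIED] src=10.0.0.5 dst=192.168.1.33 sport=22 dport=40001 mark=0 use=1
ipv4     2 tcp      6 431200 ESTABLISHED src=198.51.100.9 dst=203.0.113.7 sport=40000 dport=80 src=10.0.0.80 dst=198.51.100.9 sport=8080 dport=40000 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.33 dst=10.0.0.5 sport=40002 dport=53 [UNREPLIED] src=10.0.0.5 dst=192.168.1.33 sport=53 dport=40002 mark=0 use=1
"""


def parse_line(line):
    """Parse one dump line into a dict, or return None for a blank line."""
    toks = line.split()
    if not toks:
        return None
    entry = {"family": "ipv4", "timeout": None, "state": None,
             "orig": {}, "reply": {}, "flags": [], "extra": {}}
    i = 0
    if toks[0] in ("ipv4", "ipv6"):      # "-o extended": family name and number first
        entry["family"] = toks[0]
        i = 2
    entry["proto"] = toks[i]             # layer 4 name followed by its number
    i += 2
    if i < len(toks) and toks[i].isdigit():          # timeout in seconds
        entry["timeout"] = int(toks[i])
        i += 1
    if i < len(toks) and "=" not in toks[i] and not toks[i].startswith("["):
        entry["state"] = toks[i]                     # TCP/SCTP/DCCP state, if any
        i += 1
    cur = entry["orig"]
    for tok in toks[i:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])         # ASSURED, UNREPLIED, ...
        elif "=" in tok:
            key, val = tok.split("=", 1)
            if key in TUPLE_KEYS:
                if key == "src" and "src" in cur:    # second src= opens the reply tuple
                    cur = entry["reply"]
                cur[key] = val
            else:
                entry["extra"][key] = val            # mark=, use=, zone=, ...
    return entry


def nat_kind(entry):
    """Heuristic: NAT is present when original and reply tuples do not mirror each other."""
    o, r = entry["orig"], entry["reply"]
    kinds = set()
    if (o.get("src"), o.get("sport")) != (r.get("dst"), r.get("dport")):
        kinds.add("snat")
    if (o.get("dst"), o.get("dport")) != (r.get("src"), r.get("sport")):
        kinds.add("dnat")
    return kinds


def summarize(dump_text):
    """Aggregate a whole dump: totals, NAT counts and unreplied flows per source host."""
    entries = [e for e in map(parse_line, dump_text.splitlines()) if e]
    unreplied = Counter(e["orig"]["src"] for e in entries if "UNREPLIED" in e["flags"])
    return {
        "total": len(entries),
        "by_proto": dict(Counter(e["proto"] for e in entries)),
        "snat": sum(1 for e in entries if "snat" in nat_kind(e)),
        "dnat": sum(1 for e in entries if "dnat" in nat_kind(e)),
        "unreplied_by_src": dict(unreplied),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

       Feed it real data with something like "conntrack -L -o extended | python3 parser.py" after replacing
       SAMPLE_DUMP with stdin; the "N flow entries have been shown" trailer goes to stderr, so it does not reach the
       parser.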

BUGS
       Please, report them to netfilter-devel@vger.org or file a bug in Netfilter's bugzilla
       (https://bugzilla.netfilter.org).

SEE ALSO
       iptables(8)
       See http://conntrack-tools.netfilter.org

AUTHORS
       Jay  Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote the kernel-level "ctnetlink" interface
       that is used by the conntrack tool.

       Pablo Neira Ayuso wrote and maintains the conntrack tool,  Harald  Welte  added  support  for  conntrack  based
       accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org> and Pablo Neira Ayuso <pablo@netfilter.org>.



                                  Jul 5, 2010                     CONNTRACK(8)