conntrack man page on Alpinelinux

CONNTRACK(8)							  CONNTRACK(8)

NAME
       conntrack - command line interface for netfilter connection tracking

SYNOPSIS
       conntrack -L [table] [options] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -U [table] parameters
       conntrack -E [table] [options]
       conntrack -F [table]
       conntrack -C [table]
       conntrack -S

DESCRIPTION
       conntrack provides a full featured userspace interface to the netfilter
       connection tracking system that is intended to replace the old
       /proc/net/ip_conntrack interface.  This tool can be used to search,
       list, inspect and maintain the connection tracking subsystem of the
       Linux kernel.  Using conntrack, you can dump a list of all (or a
       filtered selection of) currently tracked connections, delete
       connections from the state table, and even add new ones.

       In addition, you can also monitor connection tracking events, e.g. show
       an event message (one line) per newly established connection.

TABLES
       The connection tracking subsystem maintains two internal tables:

       conntrack:
              This is the default table.  It contains a list of all currently
              tracked connections through the system.  If you don't use
              connection tracking exemptions (NOTRACK iptables target), this
              means all connections that go through the system.

       expect:
              This is the table of expectations.  Connection tracking
              expectations are the mechanism used to "expect" RELATED
              connections to existing ones.  Expectations are generally used
              by "connection tracking helpers" (sometimes called application
              level gateways [ALGs]) for more complex protocols such as FTP,
              SIP, H.323.

OPTIONS
       The options recognized by conntrack can be divided into several differ‐
       ent groups.

   COMMANDS
       These options specify the particular operation to perform.  Only one of
       them can be specified at any given time.

       -L, --dump
              List connection tracking or expectation table

       -G, --get
	      Search  for  and show a particular (matching) entry in the given
	      table.

       -D, --delete
	      Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table.

       -U, --update
              Update an entry in the given table.

       -E, --event
	      Display a real-time event log.

       -F, --flush
	      Flush the whole given table

       -C, --count
	      Show the table counter.

       -S, --stats
	      Show the in-kernel connection tracking system statistics.

   PARAMETERS
       -z, --zero
	      Atomically zero counters after reading  them.   This  option  is
	      only valid in combination with the "-L, --dump" command options.

       -o, --output [extended,xml,timestamp,id,ktimestamp,labels]
              Display output in a certain format.  With the extended output
              option, this tool displays the layer 3 information.  With
              ktimestamp, it displays the in-kernel timestamp available since
              2.6.38 (you can enable it via
              echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp).  The
              labels output option tells conntrack to show the names of
              connection tracking labels that might be present.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the in-
              kernel ctnetlink event code.  Using this parameter, you can
              reduce the event messages generated by the kernel to those types
              that you are actually interested in.  This option can only be
              used in conjunction with "-E, --event".

       -b, --buffer-size value (in bytes)
              Set the Netlink socket buffer size.  This option is useful if
              the command line tool reports ENOBUFS errors.  If you do not
              pass this option, the default value available at
              /proc/sys/net/core/rmem_default is used.  The tool reports this
              problem if your process is too slow to handle all the event
              messages or, in other words, if the number of events is big
              enough to overrun the socket buffer.  Note that using a big
              buffer reduces the chances to hit ENOBUFS; however, this results
              in more memory consumption.  This option can only be used in
              conjunction with "-E, --event".

   FILTER PARAMETERS
       -s, --orig-src IP_ADDRESS
              Match only entries whose source address in the original
              direction equals the one specified as argument.

       -d, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original
              direction equals the one specified as argument.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in the reply direction
              equals the one specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match only entries whose destination address in the reply
              direction equals the one specified as argument.

       -p, --proto PROTO
	      Specify layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify layer three (ipv4, ipv6) protocol.  This option is only
              required in conjunction with "-L, --dump".  If this option is
              not passed, the default layer 3 protocol will be IPv4.

       -t, --timeout TIMEOUT
	      Specify the timeout.

       -m, --mark MARK[/MASK]
              Specify the conntrack mark.  Optionally, a mask value can be
              specified.  In "--update" mode, this mask specifies the bits
              that should be zeroed before XORing the MARK value into the
              ctmark.  Otherwise, the mask is logically ANDed with the
              existing mark before the comparison.  In "--create" mode, the
              mask is ignored.

       -l, --label LABEL,...
              Specify the conntrack labels.  This option is only available in
              conjunction with "-L, --dump" or "-E, --event".  Match entries
              whose labels match at least those specified as arguments.

       -c, --secmark SECMARK
	      Specify the conntrack selinux security mark.

       -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]
	      Specify the conntrack status.

       -n, --src-nat
	      Filter source NAT connections.

       -g, --dst-nat
	      Filter destination NAT connections.

       -j, --any-nat
	      Filter any NAT connections.

       -w, --zone ZONE
              Filter by conntrack zone.  See the iptables CT target for more
              information.

       --tuple-src IP_ADDRESS
	      Specify the tuple source address of an expectation.

       --tuple-dst IP_ADDRESS
	      Specify the tuple destination address of an expectation.

       --mask-src IP_ADDRESS
	      Specify the source address mask of an expectation.

       --mask-dst IP_ADDRESS
	      Specify the destination address mask of an expectation.

   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --sport, --orig-port-src PORT
	      Source port in original direction

       --dport, --orig-port-dst PORT
	      Destination port in original direction

       --reply-port-src PORT
	      Source port in reply direction

       --reply-port-dst PORT
	      Destination port in reply direction

       --state [NONE  |	 SYN_SENT  |  SYN_RECV	|  ESTABLISHED	|  FIN_WAIT  |
       CLOSE_WAIT | LAST_ACK | TIME_WAIT | CLOSE | LISTEN]
	      TCP state

       UDP-specific fields:

       --sport, --orig-port-src PORT
	      Source port in original direction

       --dport, --orig-port-dst PORT
	      Destination port in original direction

       --reply-port-src PORT
	      Source port in reply direction

       --reply-port-dst PORT
	      Destination port in reply direction

       ICMP-specific fields:

       --icmp-type TYPE
	      ICMP Type. Has to be specified numerically.

       --icmp-code CODE
	      ICMP Code. Has to be specified numerically.

       --icmp-id ID
	      ICMP Id. Has to be specified numerically (non-mandatory)

       UDPlite-specific fields:

       --sport, --orig-port-src PORT
	      Source port in original direction

       --dport, --orig-port-dst PORT
	      Destination port in original direction

       --reply-port-src PORT
	      Source port in reply direction

       --reply-port-dst PORT
	      Destination port in reply direction

       SCTP-specific fields:

       --sport, --orig-port-src PORT
	      Source port in original direction

       --dport, --orig-port-dst PORT
	      Destination port in original direction

       --reply-port-src PORT
	      Source port in reply direction

       --reply-port-dst PORT
	      Destination port in reply direction

       --state	[NONE  |  CLOSED | COOKIE_WAIT | COOKIE_ECHOED | ESTABLISHED |
       SHUTDOWN_SENT | SHUTDOWN_RECD | SHUTDOWN_ACK_SENT]
	      SCTP state

       --orig-vtag value
	      Verification tag (32-bits value) in the original direction

       --reply-vtag value
	      Verification tag (32-bits value) in the reply direction

       DCCP-specific fields (needs Linux >= 2.6.30):

       --sport, --orig-port-src PORT
	      Source port in original direction

       --dport, --orig-port-dst PORT
	      Destination port in original direction

       --reply-port-src PORT
	      Source port in reply direction

       --reply-port-dst PORT
	      Destination port in reply direction

       --state [NONE | REQUEST | RESPOND | PARTOPEN | OPEN | CLOSEREQ | CLOSING
       | TIMEWAIT]
              DCCP state

       --role [client | server]
              Role that the original conntrack tuple is tracking

       GRE-specific fields:

       --srckey, --orig-key-src KEY
	      Source key in original direction (in hexadecimal or decimal)

       --dstkey, --orig-key-dst KEY
	      Destination key in original direction (in hexadecimal  or	 deci‐
	      mal)

       --reply-key-src KEY
	      Source key in reply direction (in hexadecimal or decimal)

       --reply-key-dst KEY
	      Destination key in reply direction (in hexadecimal or decimal)

DIAGNOSTICS
       The exit code is 0 for correct function.  Errors which appear to be
       caused by invalid command line parameters cause an exit code of 2.  Any
       other errors cause an exit code of 1.

EXAMPLES
       conntrack -L
	      Show  the	 connection  tracking  table in /proc/net/ip_conntrack
	      format

       conntrack -L -o extended
	      Show the connection  tracking  table  in	/proc/net/nf_conntrack
	      format

       conntrack -L -o xml
	      Show the connection tracking table in XML

       conntrack -L -f ipv6 -o extended
	      Only dump IPv6 connections in /proc/net/nf_conntrack format

       conntrack -L --src-nat
	      Show source NAT connections

       conntrack -E -o timestamp
	      Show connection events together with the timestamp

       conntrack -D -s 1.2.3.4
              Delete all flows whose source address is 1.2.3.4

       conntrack -U -s 1.2.3.4 -m 1
              Set the connmark of all flows whose source address is 1.2.3.4
              to 1
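
       The following shell script is an added example; it is not part of this
       man page or of the conntrack-tools project.  It post-processes the
       output of "conntrack -L -o extended" (the /proc/net/nf_conntrack format
       shown above) to find a source address that owns many [UNREPLIED]
       flows, a cheap tell for a port scan or SYN flood crossing the box.  The
       dump embedded in the script is constructed for the example so that it
       runs offline; the function names and the threshold of 50 are choices
       made here, not values from conntrack.

```shell
#!/bin/sh
# Added example, not part of the conntrack man page or the conntrack-tools
# project: post-process a `conntrack -L -o extended` dump to find a source
# address with many half-open ([UNREPLIED]) flows. The dump below is
# constructed here so the script runs offline; on a live system pipe the
# real command in instead (needs root and the nf_conntrack module).

SAMPLE_DUMP='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=10.0.0.9 dst=203.0.113.7 sport=40001 dport=22 [UNREPLIED] src=203.0.113.7 dst=10.0.0.9 sport=22 dport=40001 mark=0 use=1
ipv4     2 tcp      6 118 SYN_SENT src=10.0.0.9 dst=203.0.113.7 sport=40002 dport=23 [UNREPLIED] src=203.0.113.7 dst=10.0.0.9 sport=23 dport=40002 mark=0 use=1
ipv4     2 tcp      6 119 SYN_SENT src=10.0.0.9 dst=203.0.113.7 sport=40003 dport=80 [UNREPLIED] src=203.0.113.7 dst=10.0.0.9 sport=80 dport=40003 mark=0 use=1
ipv4     2 udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=53412 dport=53 [UNREPLIED] src=10.0.0.1 dst=10.0.0.5 sport=53 dport=53412 mark=0 use=1
ipv6     10 tcp      6 431990 ESTABLISHED src=2001:db8::5 dst=2001:db8::1 sport=50000 dport=443 src=2001:db8::1 dst=2001:db8::5 sport=443 dport=50000 [ASSURED] mark=0 use=1'

# Read a dump on stdin; print "count source" for every original-direction
# source that owns at least one [UNREPLIED] flow, highest count first.
# The first src= field on a line is the original direction (the second is
# the reply direction), which is why the loop stops at the first hit.
ct_unreplied_by_src() {
    awk '/\[UNREPLIED\]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { split($i, kv, "="); n[kv[2]]++; break }
         }
         END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Print sources whose unreplied count reaches the threshold in $1.
# The default of 50 is a tuning knob chosen for this example, not a value
# from the man page; derive it from a baseline of the box in question.
ct_flag_unreplied() {
    ct_unreplied_by_src | awk -v t="${1:-50}" '$1 >= t { print $2 }'
}

# Histogram of "proto state" (or just "proto" for stateless protocols such
# as udp, whose lines have no state column before the first src= field).
ct_state_histogram() {
    awk '{ key = $3; if ($6 !~ /^src=/) key = key " " $6; n[key]++ }
         END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# Stand-alone run against the constructed dump. On a live host:
#   conntrack -L -o extended 2>/dev/null | ct_flag_unreplied 50
printf '%s\n' "$SAMPLE_DUMP" | ct_state_histogram
printf '%s\n' "$SAMPLE_DUMP" | ct_flag_unreplied 2   # prints 10.0.0.9
```

       On a live system run it as root with the real dump on stdin, for
       example "conntrack -L -o extended | ct_flag_unreplied 50".  Use
       "-o xml" instead of the extended format when the consumer is another
       tool rather than awk.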

BUGS
       Please, report them to netfilter-devel@vger.kernel.org or file a bug in
       Netfilter's bugzilla (https://bugzilla.netfilter.org).

SEE ALSO
       iptables(8)
       See http://conntrack-tools.netfilter.org

AUTHORS
       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote
       the kernel-level "ctnetlink" interface that is used  by	the  conntrack
       tool.

       Pablo Neira Ayuso wrote and maintains the conntrack tool; Harald Welte
       added support for conntrack based accounting counters.

       Man page written by  Harald  Welte  <laforge@netfilter.org>  and	 Pablo
       Neira Ayuso <pablo@netfilter.org>.

				  Jul 5, 2010			  CONNTRACK(8)