bionic (8) conntrack.8.gz

Provided by: conntrack_1.4.4+snapshot20161117-6ubuntu2_amd64

NAME

       conntrack - command line interface for netfilter connection tracking

SYNOPSIS

       conntrack -L [table] [options] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -U [table] parameters
       conntrack -E [table] [options]
       conntrack -F [table]
       conntrack -C [table]
       conntrack -S

DESCRIPTION

       conntrack provides a full featured userspace interface to the netfilter connection tracking system that
       is intended to replace the old /proc/net/ip_conntrack interface.  This tool can be used to search, list,
       inspect and maintain the connection tracking subsystem of the Linux kernel.  Using conntrack, you can
       dump a list of all (or a filtered selection of) currently tracked connections, delete connections from
       the state table, and even add new ones.

       You can also monitor connection tracking events, e.g. show an event message (one line) per newly
       established connection.

TABLES

       The connection tracking subsystem maintains the following internal tables:

       conntrack:
              This is the default table.  It contains a list of all currently tracked  connections  through  the
              system.  If you don't use connection tracking exemptions (NOTRACK iptables target), this means all
              connections that go through the system.

       expect:
              This is the table of expectations.  Connection tracking expectations are  the  mechanism  used  to
              "expect"  RELATED  connections  to  existing ones.  Expectations are generally used by "connection
              tracking helpers" (sometimes called application level gateways [ALGs]) for more complex  protocols
              such as FTP, SIP, H.323.

       dying: This table shows conntrack entries that have expired, or that have been destroyed either by the
              connection tracking system itself or via the conntrack utility, and that have not yet been removed.

       unconfirmed:
              This table shows new entries that have not yet been inserted into the conntrack table.  These
              entries are attached to packets that are still traversing the stack and have not reached the
              confirmation point at the postrouting hook.

       The tables "dying" and "unconfirmed" are only useful for debugging.  Under normal operation it is hard to
       see entries in either of them.  There are corner cases where entries are legitimately visible: in the
       unconfirmed table, eg. when packets are queued to userspace via nfqueue and are held before reaching the
       confirmation point, and in the dying table, eg. when conntrackd runs in event reliable mode and entries
       are kept until their destroy event has been delivered.

OPTIONS

       The options recognized by conntrack can be divided into several different groups.

   COMMANDS
       These  options  specify  the  particular  operation to perform.  Only one of them can be specified at any
       given time.

       -L, --dump
              List the connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given table.

       -D, --delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table.

       -U, --update
              Update an entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table

       -C, --count
              Show the table counter.

       -S, --stats
              Show the in-kernel connection tracking system statistics.

   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them.  This option is only valid in  combination  with  the
              "-L, --dump" command options.

       -o, --output [extended,xml,timestamp,id,ktimestamp,labels]
              Display  output in a certain format. With the extended output option, this tool displays the layer
              3 information. With ktimestamp, it displays the in-kernel timestamp available  since  2.6.38  (you
              can  enable  it  via  echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp).  The labels output
              option tells conntrack to show the names of connection tracking labels that might be present.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the in-kernel ctnetlink event code.  Using
              this parameter, you can reduce the event messages generated by the kernel to the types that you
              are actually interested in.  This option can only be used in conjunction with "-E, --event".

       -b, --buffer-size value (in bytes)
              Set the Netlink socket buffer size.  This option is useful if the command line tool reports
              ENOBUFS errors.  If you do not pass this option, the default value available at
              /proc/sys/net/core/rmem_default is used.  The tool reports this problem if your process is too
              slow to handle all the event messages or, in other words, if events arrive fast enough to overrun
              the socket buffer.  Note that using a big buffer reduces the chances of hitting ENOBUFS, at the
              cost of more memory consumption.  This option can only be used in conjunction with "-E, --event".
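       The event stream is what a detection pipeline consumes.  The following POSIX shell functions are an
       added example, not part of this man page or of conntrack-tools: they read the lines printed by
       "conntrack -E -e NEW -o timestamp", count for each originating source address the distinct
       (destination, destination port) pairs it opened NEW flows to, and flag sources that exceed a threshold,
       a simple port-sweep heuristic.  The sample event lines are constructed for this example, and the
       function names and the threshold are this example's own choices.

```shell
#!/bin/sh
# Added example (not from conntrack-tools): a port-sweep heuristic over the
# output of "conntrack -E -e NEW -o timestamp".  One line per NEW flow; the
# first src=/dst=/dport= tokens on a line describe the original direction,
# the second set describes the reply direction.

# Constructed sample events (not captured from a real system).  In real
# output a tab separates the timestamp from the event type.
CT_EVENTS=$(cat <<'EOF'
[1700000000.000123]    [NEW] tcp      6 120 SYN_SENT src=10.0.0.7 dst=10.0.0.20 sport=40001 dport=22 [UNREPLIED] src=10.0.0.20 dst=10.0.0.7 sport=22 dport=40001
[1700000000.000987]    [NEW] tcp      6 120 SYN_SENT src=10.0.0.7 dst=10.0.0.20 sport=40002 dport=80 [UNREPLIED] src=10.0.0.20 dst=10.0.0.7 sport=80 dport=40002
[1700000000.001500]    [NEW] tcp      6 120 SYN_SENT src=10.0.0.7 dst=10.0.0.20 sport=40003 dport=443 [UNREPLIED] src=10.0.0.20 dst=10.0.0.7 sport=443 dport=40003
[1700000000.002200]    [NEW] tcp      6 120 SYN_SENT src=10.0.0.7 dst=10.0.0.20 sport=40004 dport=445 [UNREPLIED] src=10.0.0.20 dst=10.0.0.7 sport=445 dport=40004
[1700000000.002900]    [NEW] tcp      6 120 SYN_SENT src=10.0.0.7 dst=10.0.0.20 sport=40005 dport=3389 [UNREPLIED] src=10.0.0.20 dst=10.0.0.7 sport=3389 dport=40005
[1700000000.003100]    [NEW] tcp      6 120 SYN_SENT src=10.0.0.7 dst=10.0.0.20 sport=40006 dport=22 [UNREPLIED] src=10.0.0.20 dst=10.0.0.7 sport=22 dport=40006
[1700000000.004000] [UPDATE] tcp      6 60 SYN_RECV src=10.0.0.7 dst=10.0.0.20 sport=40001 dport=22 src=10.0.0.20 dst=10.0.0.7 sport=22 dport=40001
[1700000000.005000]    [NEW] tcp      6 120 SYN_SENT src=10.0.0.8 dst=10.0.0.20 sport=51000 dport=443 [UNREPLIED] src=10.0.0.20 dst=10.0.0.8 sport=443 dport=51000
[1700000000.006000]    [NEW] tcp      6 120 SYN_SENT src=10.0.0.8 dst=10.0.0.21 sport=51001 dport=443 [UNREPLIED] src=10.0.0.21 dst=10.0.0.8 sport=443 dport=51001
[1700000000.007000]    [NEW] udp      17 30 src=10.0.0.8 dst=10.0.0.53 sport=5353 dport=53 [UNREPLIED] src=10.0.0.53 dst=10.0.0.8 sport=53 dport=5353
[1700000000.008000] [DESTROY] tcp      6 src=10.0.0.8 dst=10.0.0.20 sport=51000 dport=443 src=10.0.0.20 dst=10.0.0.8 sport=443 dport=51000
EOF
)

# ct_new_targets_per_src: print "SRC COUNT", where COUNT is the number of
# distinct (destination, destination port) pairs that SRC opened NEW flows to.
# Repeated attempts against the same port count once, so the number reflects
# breadth, not volume.  Only the first src=/dst=/dport= on a line are used,
# i.e. the original direction.  Reads event lines on stdin.
ct_new_targets_per_src() {
    awk '
        index($0, "[NEW]") > 0 {
            src = ""; dst = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if (src == "" && substr($i, 1, 4) == "src=") src = substr($i, 5)
                if (dst == "" && substr($i, 1, 4) == "dst=") dst = substr($i, 5)
                if (dport == "" && substr($i, 1, 6) == "dport=") dport = substr($i, 7)
            }
            if (src == "") next
            key = src SUBSEP dst SUBSEP dport
            if (!(key in seen)) { seen[key] = 1; count[src]++ }
        }
        END { for (s in count) print s, count[s] }
    ' | sort
}

# ct_flag_sweeps THRESHOLD: print the sources whose distinct-target count is
# at least THRESHOLD.  Reads event lines on stdin.
ct_flag_sweeps() {
    ct_new_targets_per_src | awk -v t="$1" '$2 + 0 >= t + 0 { print $1 }'
}

# Live use (needs CAP_NET_ADMIN): the event stream never ends, so bound it to
# a window, e.g.  timeout 60 conntrack -E -e NEW -o timestamp | ct_flag_sweeps 20
```

       Because -E streams until it is killed, run it in fixed windows (for instance under timeout(1)) so that
       the report is produced at the end of each window.  If the consumer lags and conntrack reports ENOBUFS,
       raise -b rather than letting events be dropped silently.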

   FILTER PARAMETERS
       -s, --src, --orig-src IP_ADDRESS
              Match  only  entries  whose  source  address in the original direction equals the one specified as
              argument.  Implies "--mask-src" when CIDR notation is used.

       -d, --dst, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original direction equals the one specified as
              argument.  Implies "--mask-dst" when CIDR notation is used.

       -r, --reply-src IP_ADDRESS
              Match  only  entries  whose  source  address  in  the  reply direction equals the one specified as
              argument.

       -q, --reply-dst IP_ADDRESS
              Match only entries whose destination address in the reply direction equals the  one  specified  as
              argument.

       -p, --proto PROTO
              Specify layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify the layer three (ipv4, ipv6) protocol.  This option is only required in conjunction with
              "-L, --dump".  If it is not passed, the default layer 3 protocol is IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout.

       -m, --mark MARK[/MASK]
              Specify the conntrack mark.  Optionally, a mask value can be specified.  In "--update" mode, this
              mask specifies the bits that should be zeroed before XORing the MARK value into the ctmark.
              Otherwise, the mask is logically ANDed with the existing mark before the comparison.  In
              "--create" mode, the mask is ignored.
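       The update and filter meanings of MARK/MASK are easy to confuse, and an update whose mask does not cover
       the bits in MARK toggles those bits instead of setting them.  The POSIX shell functions below are an
       added example, not part of this man page or of conntrack-tools: they implement both computations so
       that a retag can be reviewed before it is applied.  The function names, the sample mark values and the
       dry-run helper are this example's own; it assumes that a missing mask is treated as all ones (which is
       consistent with the "-m 1" example in this page) and that hexadecimal values are accepted.

```shell
#!/bin/sh
# Added example (not from conntrack-tools): the two meanings of MARK[/MASK].
# "conntrack -U ... -m MARK/MASK" clears the bits in MASK and XORs MARK in;
# "-L/-D/-E/-G ... -m MARK/MASK" ANDs the existing mark with MASK and compares
# the result with MARK.  Without /MASK this example assumes MASK is all ones.

CT_ALL_ONES=4294967295   # 0xffffffff: the ctmark is a 32-bit value

# ct_parse_markspec "MARK[/MASK]": print "MARK MASK" as decimal numbers,
# accepting hex or decimal input.
ct_parse_markspec() {
    case "$1" in
        */*) printf '%d %d\n' "$(( ${1%%/*} ))" "$(( ${1#*/} ))" ;;
        *)   printf '%d %d\n' "$(( $1 ))" "$CT_ALL_ONES" ;;
    esac
}

# ct_mark_update OLD MARK MASK: the mark that "-U -m MARK/MASK" leaves on a
# flow whose current mark is OLD.  Applying it twice gives the same result
# only when MASK covers every bit set in MARK.
ct_mark_update() {
    printf '0x%x\n' $(( ( $1 & ~$3 ) ^ $2 ))
}

# ct_mark_matches OLD MARK MASK: succeed when a filter "-m MARK/MASK" selects
# a flow whose current mark is OLD.  A MARK with bits outside MASK can never
# match, because the masked mark is compared with the full MARK value.
ct_mark_matches() {
    [ $(( $1 & $3 )) -eq $(( $2 )) ]
}

# ct_retag_cmd SRC MARK[/MASK]: print the conntrack command that retags all
# flows originating from SRC, followed by the before/after marks for a few
# sample current values, so the effect can be reviewed before running it.
ct_retag_cmd() {
    src="$1"; spec="$2"
    set -- $(ct_parse_markspec "$spec")
    mark="$1"; mask="$2"
    printf 'conntrack -U -s %s -m %s\n' "$src" "$spec"
    for old in 0x0 0x1 0x100 0x12345678; do
        printf '  mark %s -> %s\n' "$old" "$(ct_mark_update "$old" "$mark" "$mask")"
    done
}
```

       For example, "ct_retag_cmd 10.0.0.7 0x5/0xff" prints the command and shows that the low byte of every
       sample mark becomes 0x05 while the upper bits are preserved; the same spec with mask 0x0 would instead
       XOR 0x5 into whatever is already there.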

       -l, --label LABEL
              Specify a conntrack label.  This option is only available in conjunction with "-L, --dump", "-E,
              --event", "-U --update" or "-D --delete".  Match entries whose labels include at least those
              specified.  Use multiple -l options to specify multiple labels that all need to be set.

       --label-add LABEL
              Specify the conntrack label to add to the selected conntracks.  This option is only available in
              conjunction with "-I, --create" or "-U, --update".

       --label-del [LABEL]
              Specify the conntrack label to delete from the selected conntracks.  If no label is given, all
              labels are deleted.  This option is only available in conjunction with "-U, --update".

       -c, --secmark SECMARK
              Specify the conntrack SELinux security mark.

       -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]
              Specify the conntrack status.

       -n, --src-nat
              Filter source NAT connections.

       -g, --dst-nat
              Filter destination NAT connections.

       -j, --any-nat
              Filter any NAT connections.

       -w, --zone
              Filter by conntrack zone. See iptables CT target for more information.

       --orig-zone
              Filter by conntrack zone in original direction.  See iptables CT target for more information.

       --reply-zone
              Filter by conntrack zone in reply direction.  See iptables CT target for more information.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation.  Implies "--mask-src" when  CIDR  notation  is
              used.

       --tuple-dst IP_ADDRESS
              Specify  the tuple destination address of an expectation.  Implies "--mask-dst" when CIDR notation
              is used.

       --mask-src IP_ADDRESS
              Specify the source address mask.  For conntrack this option is only available in conjunction  with
              "-L, --dump", "-E, --event", "-U --update" or "-D --delete".  For expectations this option is only
              available in conjunction with "-I, --create".

       --mask-dst IP_ADDRESS
              Specify the destination address mask.  Same limitations as for "--mask-src".

   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | SYN_SENT | SYN_RECV | ESTABLISHED | FIN_WAIT | CLOSE_WAIT | LAST_ACK | TIME_WAIT |  CLOSE
       | LISTEN]
              TCP state

       UDP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       ICMP-specific fields:

       --icmp-type TYPE
              ICMP Type. Has to be specified numerically.

       --icmp-code CODE
              ICMP Code. Has to be specified numerically.

       --icmp-id ID
              ICMP Id. Has to be specified numerically (non-mandatory)

       UDPlite-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       SCTP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state  [NONE  |  CLOSED  |  COOKIE_WAIT | COOKIE_ECHOED | ESTABLISHED | SHUTDOWN_SENT | SHUTDOWN_RECD |
       SHUTDOWN_ACK_SENT]
              SCTP state

       --orig-vtag value
              Verification tag (32-bits value) in the original direction

       --reply-vtag value
              Verification tag (32-bits value) in the reply direction

       DCCP-specific fields (needs Linux >= 2.6.30):

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | REQUEST | RESPOND | PARTOPEN | OPEN | CLOSEREQ | CLOSING | TIMEWAIT]
              DCCP state

       --role [client | server]
              Role that the original conntrack tuple is tracking

       GRE-specific fields:

       --srckey, --orig-key-src KEY
              Source key in original direction (in hexadecimal or decimal)

       --dstkey, --orig-key-dst KEY
              Destination key in original direction (in hexadecimal or decimal)

       --reply-key-src KEY
              Source key in reply direction (in hexadecimal or decimal)

       --reply-key-dst KEY
              Destination key in reply direction (in hexadecimal or decimal)

DIAGNOSTICS

       The exit code is 0 for correct function.  Errors which appear to be caused by invalid command line
       parameters cause an exit code of 2.  Any other errors cause an exit code of 1.

EXAMPLES

       conntrack -L
              Show the connection tracking table in /proc/net/ip_conntrack format

       conntrack -L -o extended
              Show the connection tracking table in /proc/net/nf_conntrack format

       conntrack -L -o xml
              Show the connection tracking table in XML

       conntrack -L -f ipv6 -o extended
              Only dump IPv6 connections in /proc/net/nf_conntrack format

       conntrack -L --src-nat
              Show source NAT connections

       conntrack -E -o timestamp
              Show connection events together with the timestamp

       conntrack -D -s 1.2.3.4
              Delete all flows whose source address (in the original direction) is 1.2.3.4

       conntrack -U -s 1.2.3.4 -m 1
              Set the connmark of all flows whose source address is 1.2.3.4 to 1
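       A DROP rule inserted after the fact does not terminate flows that an ESTABLISHED accept rule is already
       passing; the conntrack entries have to be deleted as in the "conntrack -D -s 1.2.3.4" example, and a
       single -s filter misses flows where the address sits in another tuple position, for instance only in
       the reply tuple after NAT.  The POSIX shell functions below are an added example, not part of this man
       page or of conntrack-tools: they list the flows involving an address in a constructed "conntrack -L"
       dump, validate the address before it reaches a command line, and issue one delete per tuple position.
       The sample dump, the CT_DRY_RUN variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from conntrack-tools): evict every tracked flow that
# involves a given IPv4 address, covering all four tuple positions.

# Constructed "conntrack -L" output (not captured from a real system).
# Flow 1: 10.0.0.7 -> outside, source-NATed to 203.0.113.5.
# Flow 2: outside -> 203.0.113.5:22, destination-NATed to 10.0.0.7; the
#         address appears only in the reply tuple.
# Flow 3: unrelated DNS flow.
# Flow 4: 10.0.0.9 probing 10.0.0.7:445, not yet answered.
CT_DUMP=$(cat <<'EOF'
tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=198.51.100.10 sport=51234 dport=443 src=198.51.100.10 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=198.51.100.10 dst=203.0.113.5 sport=44000 dport=22 src=10.0.0.7 dst=198.51.100.10 sport=22 dport=44000 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.8 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=10.0.0.8 sport=53 dport=5353 mark=0 use=1
tcp      6 120 SYN_SENT src=10.0.0.9 dst=10.0.0.7 sport=40000 dport=445 [UNREPLIED] src=10.0.0.7 dst=10.0.0.9 sport=445 dport=40000 mark=0 use=1
EOF
)

# ct_valid_ipv4 ADDR: succeed only for a dotted-quad address.  Anything else
# (CIDR, hostnames, shell metacharacters pasted from an untrusted ticket
# field) is rejected before it reaches a command line.
ct_valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1 }'
}

# ct_flows_involving ADDR: print the dump lines (stdin) in which ADDR is the
# source or destination of either tuple.  Tokens are compared whole, so
# 10.0.0.7 does not match 10.0.0.70.
ct_flows_involving() {
    awk -v ip="$1" '{
        for (i = 1; i <= NF; i++)
            if ($i == "src=" ip || $i == "dst=" ip) { print; next }
    }'
}

# ct_evict ADDR: delete all flows involving ADDR.  The address may sit in any
# of the four tuple positions, and after NAT it may be present only in the
# reply tuple, so one filter per position is issued (-s, -d, -r, -q).  With
# CT_DRY_RUN=1 the commands are printed instead of run; running them needs
# CAP_NET_ADMIN.
ct_evict() {
    ip="$1"
    ct_valid_ipv4 "$ip" || { echo "ct_evict: not an IPv4 address: $ip" >&2; return 2; }
    for opt in -s -d -r -q; do
        if [ "${CT_DRY_RUN:-0}" = 1 ]; then
            printf 'conntrack -D %s %s\n' "$opt" "$ip"
        else
            conntrack -D "$opt" "$ip"
        fi
    done
}
```

       Typical use is to review first and then act: "conntrack -L | ct_flows_involving 10.0.0.7" shows what
       would go, "CT_DRY_RUN=1 ct_evict 10.0.0.7" shows the four commands, and "ct_evict 10.0.0.7" runs them.
       Insert the blocking rule before evicting, otherwise the peer's next packet simply creates a fresh entry.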

BUGS

       Please,   report   them  to  netfilter-devel@vger.kernel.org  or  file  a  bug  in  Netfilter's  bugzilla
       (https://bugzilla.netfilter.org).

SEE ALSO

       iptables(8)
       See http://conntrack-tools.netfilter.org

AUTHORS

       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira  Ayuso  wrote  the  kernel-level  "ctnetlink"
       interface that is used by the conntrack tool.

       Pablo Neira Ayuso wrote and maintains the conntrack tool; Harald Welte added support for conntrack based
       accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org> and Pablo Neira Ayuso <pablo@netfilter.org>.

                                                  Aug 24, 2015                                      CONNTRACK(8)