oracular (8) conntrack.8.gz

Provided by: conntrack_1.4.8-2_amd64

NAME

       conntrack - command line interface for netfilter connection tracking

SYNOPSIS

       conntrack -L [table] [options] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -A [table] parameters
       conntrack -U [table] parameters
       conntrack -E [table] [options]
       conntrack -F [table]
       conntrack -C [table]
       conntrack -S
       conntrack -R file

DESCRIPTION

       The  conntrack  utility  provides  a  full-featured  userspace  interface to the Netfilter
       connection tracking system that is intended  to  replace  the  old  /proc/net/ip_conntrack
       interface.  This  tool  can  be  used to search, list, inspect and maintain the connection
       tracking subsystem of the Linux kernel.

       Using conntrack, you can dump a list of all (or a filtered selection of) currently tracked
       connections, delete connections from the state table, and even add new ones.

       In  addition,  you can also monitor connection tracking events, e.g. show an event message
       (one line) per newly established connection.

TABLES

       The connection tracking subsystem maintains several internal tables:

       conntrack:
              This is the default table.  It contains a list of all currently tracked connections
              through  the  system.   If  you  don't  use connection tracking exemptions (NOTRACK
              iptables target), this means all connections that go through the system.

       expect:
              This is the table  of  expectations.   Connection  tracking  expectations  are  the
              mechanism  used to "expect" RELATED connections to existing ones.  Expectations are
              generally used by "connection tracking helpers" (sometimes called application level
              gateways [ALGs]) for more complex protocols such as FTP, SIP or H.323.

       dying: This table shows the conntrack entries that have expired and that have been destroyed
              by the connection tracking system itself, or via the conntrack utility.

       unconfirmed:
              This table shows new entries that are not yet inserted into the conntrack table.
              These entries are attached to packets that are traversing the stack, but have not
              yet reached the confirmation point at the postrouting hook.

              The tables "dying" and "unconfirmed" are basically only useful for debugging
              purposes.  Under normal operation, it is hard to see entries in any of them.  There
              are corner cases where it is valid to see entries in the unconfirmed table, e.g. for
              packets that are enqueued via nfqueue, and in the dying table, e.g. when
              conntrackd(8) runs in event reliable mode.

OPTIONS

       The options recognized by conntrack can be divided into several different groups.

   COMMANDS
       These options specify the particular operation to  perform.   Only  one  of  them  can  be
       specified at any given time.

       -L, --dump
              List the connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given table.

       -D, --delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table; it fails if the entry already exists.

       -A, --add
              Add a new entry to the given table.

       -U, --update
              Update an entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table.

       -C, --count
              Show the table counter.

       -S, --stats
              Show the in-kernel connection tracking system statistics.

       -R, --load-file
              Load entries from a given file. To read from stdin, "-" should be specified.

   PARAMETERS
       -z, --zero
              Atomically  zero  counters  after  reading  them.   This  option  is  only valid in
              combination with the "-L, --dump" command options.

       -o, --output [extended,xml,save,timestamp,id,ktimestamp,labels,userspace]
              Display output in a certain format.  With the extended output option, this tool
              also displays the layer 3 information.  With ktimestamp, it displays the in-kernel
              timestamp available since 2.6.38 (you can enable it via the sysctl(8) key
              net.netfilter.nf_conntrack_timestamp).  The labels output option tells conntrack to
              show the names of connection tracking labels that might be present.  The userspace
              output option tells whether the event has been triggered by a process.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the in-kernel ctnetlink event
              code.  Using this parameter, you can reduce the event  messages  generated  by  the
              kernel  to  the types that you are actually interested in.  This option can only be
              used in conjunction with "-E, --event".

       -b, --buffer-size value
              Set the Netlink socket buffer size in bytes. This option is useful if  the  command
              line tool reports ENOBUFS errors. If you do not pass this option, the default value
              available at sysctl(8) key net.core.rmem_default is used.  The  tool  reports  this
              problem  if  your process is too slow to handle all the event messages or, in other
              words, if the amount of events is big enough to overrun  the  socket  buffer.  Note
              that  using  a big buffer reduces the chances to hit ENOBUFS, however, this results
              in more memory consumption.  This option can only be used in conjunction with  "-E,
              --event".

   FILTER PARAMETERS
       -s, --src, --orig-src IP_ADDRESS
              Match  only  entries  whose source address in the original direction equals the one
              specified as argument. Implies "--mask-src" when CIDR notation is used.

       -d, --dst, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original direction  equals  the
              one specified as argument. Implies "--mask-dst" when CIDR notation is used.

       -r, --reply-src IP_ADDRESS
              Match  only  entries  whose  source  address  in the reply direction equals the one
              specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match only entries whose destination address in the reply direction equals the  one
              specified as argument.

       -p, --proto PROTO
              Specify layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify  layer  three  (ipv4,  ipv6)  protocol.   This  option  is only required in
              conjunction with "-L, --dump". If this option is not passed, the  default  layer  3
              protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout.

       -m, --mark MARK[/MASK]
              Specify  the  conntrack  mark.   Optionally,  a  mask  value  can be specified.  In
              "--update" mode, this mask specifies the bits that should be zeroed  before  XORing
              the  MARK  value  into the ctmark.  Otherwise, the mask is logically ANDed with the
              existing mark before the comparison. In "--create" mode, the mask is ignored.
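The two meanings of MARK[/MASK] described above, worked through in shell arithmetic.  This is an added example, not part of the man page; the no-mask default of all bits set (which reduces "--update" to "set the mark to MARK") is an assumption the page does not spell out.

```shell
# Added example (not from the conntrack man page): MARK[/MASK] semantics.

# --update mode: bits set in MASK are cleared first, then MARK is XORed in.
ctmark_update() {
    # $1 = existing ctmark, $2 = MARK, $3 = MASK
    # Assumption: no MASK means "all bits", i.e. the mark becomes MARK.
    old=$1; mark=$2; mask=${3:-0xffffffff}
    printf '0x%08x\n' $(( ((old & ~mask) ^ mark) & 0xffffffff ))
}

# Filter mode (-L, -D, ...): the existing mark is ANDed with MASK before it
# is compared with MARK.  Prints 1 on match, 0 otherwise.
ctmark_matches() {
    existing=$1; mark=$2; mask=${3:-0xffffffff}
    [ $(( existing & mask )) -eq $(( mark )) ] && echo 1 || echo 0
}

# Worked case: an entry carries ctmark 0x12345678 and the operator runs
# "conntrack -U ... -m 0x1/0xff".  Only the low byte is replaced.
new=$(ctmark_update 0x12345678 0x1 0xff)   # 0x12345601
ctmark_matches "$new" 0x1 0xff               # 1: "-L -m 0x1/0xff" lists it
ctmark_matches "$new" 0x1                    # 0: with no mask the whole mark must equal 0x1
```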

       -l, --label LABEL
              Specify a conntrack label.  This option is only available in conjunction with  "-L,
              --dump", "-E, --event", "-U, --update" or "-D, --delete".  Match entries whose
              labels include those specified as arguments.  Use multiple -l options to specify
              multiple labels that need to be set.

       --label-add LABEL
              Specify the conntrack label to add to the selected conntracks.  This option is only
              available in conjunction with "-I, --create", "-A, --add" or "-U, --update".

       --label-del [LABEL]
              Specify the conntrack label to delete from the selected conntracks.  If no label is
              given,  all  labels are deleted.  This option is only available in conjunction with
              "-U, --update".

       -c, --secmark SECMARK
              Specify the conntrack selinux security mark.

       -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|OFFLOAD|UNSET][,...]
              Specify the conntrack status.

       -n, --src-nat
              Filter source NAT connections.

       -g, --dst-nat
              Filter destination NAT connections.

       -j, --any-nat
              Filter any NAT connections.

       -w, --zone
              Filter by conntrack zone. See iptables CT target for more information.

       --orig-zone
              Filter by conntrack zone in original direction.  See iptables CT  target  for  more
              information.

       --reply-zone
              Filter  by  conntrack  zone  in  reply  direction.  See iptables CT target for more
              information.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation.  Implies "--mask-src" when CIDR
              notation is used.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.  Implies "--mask-dst" when
              CIDR notation is used.

       --mask-src IP_ADDRESS
              Specify the source address mask.  For conntracks this option is only available in
              conjunction with "-L, --dump", "-E, --event", "-U, --update" or "-D, --delete".  For
              expectations this option is only available in conjunction with "-I, --create".

       --mask-dst IP_ADDRESS
              Specify the destination address mask.  Same limitations as for "--mask-src".

   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              TCP state, one of NONE,  SYN_SENT,  SYN_RECV,  ESTABLISHED,  FIN_WAIT,  CLOSE_WAIT,
              LAST_ACK, TIME_WAIT, CLOSE or LISTEN.

       UDP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       ICMP-specific fields:

       --icmp-type TYPE
              ICMP Type. Has to be specified numerically.

       --icmp-code CODE
              ICMP Code. Has to be specified numerically.

       --icmp-id ID
              ICMP Id. Has to be specified numerically (non-mandatory).

       UDPlite-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       SCTP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              SCTP   state,   one  of  NONE,  CLOSED,  COOKIE_WAIT,  COOKIE_ECHOED,  ESTABLISHED,
              SHUTDOWN_SENT, SHUTDOWN_RECD, SHUTDOWN_ACK_SENT.

       --orig-vtag value
              Verification tag (32-bit value) in the original direction

       --reply-vtag value
              Verification tag (32-bit value) in the reply direction

       DCCP-specific fields (needs Linux >= 2.6.30):

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              DCCP state, one of NONE,  REQUEST,  RESPOND,  PARTOPEN,  OPEN,  CLOSEREQ,  CLOSING,
              TIMEWAIT.

       --role [client|server]
              Role that the original conntrack tuple is tracking

       GRE-specific fields:

       --srckey, --orig-key-src KEY
              Source key in original direction (in hexadecimal or decimal)

       --dstkey, --orig-key-dst KEY
              Destination key in original direction (in hexadecimal or decimal)

       --reply-key-src KEY
              Source key in reply direction (in hexadecimal or decimal)

       --reply-key-dst KEY
              Destination key in reply direction (in hexadecimal or decimal)

DIAGNOSTICS

       The  exit  code  is  0  for correct function.  Errors which appear to be caused by invalid
       command line parameters cause an exit code of 2.  Any other errors cause an exit  code  of
       1.

EXAMPLES

       conntrack -L
              Show the connection tracking table in /proc/net/ip_conntrack format

       conntrack -L -o extended
              Show   the   connection  tracking  table  in  /proc/net/nf_conntrack  format,  with
              additional information.

       conntrack -L -o xml
              Show the connection tracking table in XML

       conntrack -L -o save
              Show the connection tracking table in conntrack syntax format

       conntrack -L -f ipv6 -o extended
              Only dump  IPv6  connections  in  /proc/net/nf_conntrack  format,  with  additional
              information.

       conntrack -L --src-nat
              Show source NAT connections

       conntrack -E -o timestamp
              Show connection events together with the timestamp

       conntrack -D -s 1.2.3.4
              Delete all flows whose source address is 1.2.3.4

       conntrack -U -s 1.2.3.4 -m 1
              Set connmark to 1 of all the flows whose source address is 1.2.3.4

       conntrack -L -w 11 -o save | sed 's/-w 11/-w 12/g' | conntrack --load-file -
              Copy all entries from ct zone 11 to ct zone 12 (the sed expression must be quoted
              so the shell passes it as a single argument)
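A safer version of the zone-copy pipeline above, added here and not part of the man page.  A plain "s/-w 11/-w 12/g" also rewrites "-w 110" (and any other token containing that text), so this filter only changes the value that follows a standalone "-w" option.  The sample lines are constructed in the shape of "-o save" output; the option names are from this man page, the addresses and ports are made up.

```shell
# Added example (not from the conntrack man page): rewrite only the zone
# value of each saved entry, leaving every other field untouched.
rewrite_zone() {
    # $1 = zone to copy from, $2 = zone to copy to; saved entries on stdin
    awk -v from="$1" -v to="$2" '{
        for (i = 1; i < NF; i++)
            if ($i == "-w" && $(i+1) == from) $(i+1) = to
        print
    }'
}

# Constructed sample standing in for "conntrack -L -w 11 -o save" output.
# The third line is in zone 110 and must NOT be touched when copying zone 11.
SAMPLE='-A -s 10.0.0.5 -d 10.0.0.9 -p tcp --sport 40001 --dport 22 --state ESTABLISHED -u ASSURED,SEEN_REPLY -t 431999 -w 11
-A -s 10.0.0.6 -d 10.0.0.9 -p udp --sport 40011 --dport 53 -t 29 -w 11
-A -s 10.0.0.7 -d 10.0.0.9 -p udp --sport 40011 --dport 53 -t 29 -w 110'

# On a live system the pipeline would be:
#   conntrack -L -w 11 -o save | rewrite_zone 11 12 | conntrack --load-file -
# Here the constructed sample replaces the first stage.
copy_zone_entries() {
    printf '%s\n' "$SAMPLE" | rewrite_zone "$1" "$2"
}

copy_zone_entries 11 12
```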

BUGS

       Please,  report  them  to  netfilter-devel@vger.kernel.org  or  file  a bug in Netfilter's
       bugzilla (https://bugzilla.netfilter.org).

SEE ALSO

       nftables(8), iptables(8), conntrackd(8)
       See http://conntrack-tools.netfilter.org

AUTHORS

       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote  the  kernel-level
       "ctnetlink" interface that is used by the conntrack tool.

       Pablo  Neira  Ayuso wrote and maintains the conntrack tool, Harald Welte added support for
       conntrack-based accounting counters.

       Man  page  written  by  Harald  Welte  <laforge@netfilter.org>  and  Pablo   Neira   Ayuso
       <pablo@netfilter.org>.

                                           Aug 9, 2019                               CONNTRACK(8)