summaryrefslogtreecommitdiff
path: root/cli/conntrack.8
diff options
context:
space:
mode:
author/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org </C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org>2007-04-16 17:55:00 +0000
committer/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org </C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org>2007-04-16 17:55:00 +0000
commitad31f852c3454136bdbfeb7f222cb9c175f13c1c (patch)
tree67bbd2dbec77205ccfd2c950b8cbeefe65f2c67e /cli/conntrack.8
parent13e6cab49dc2716c3e58eda12eed2fbab24be59b (diff)
downloadconntrack-tools-ad31f852c3454136bdbfeb7f222cb9c175f13c1c.tar.gz
conntrack-tools-ad31f852c3454136bdbfeb7f222cb9c175f13c1c.zip
initial import of the conntrack daemon to Netfilter SVN
Diffstat (limited to 'cli/conntrack.8')
-rw-r--r--cli/conntrack.8142
1 files changed, 142 insertions, 0 deletions
diff --git a/cli/conntrack.8 b/cli/conntrack.8
new file mode 100644
index 0000000..307180b
--- /dev/null
+++ b/cli/conntrack.8
@@ -0,0 +1,142 @@
+.TH CONNTRACK 8 "Jun 23, 2005" "" ""
+
+.\" Man page written by Harald Welte <laforge@netfilter.org (Jun 2005)
+
+.SH NAME
+conntrack \- administration tool for netfilter connection tracking
+.SH SYNOPSIS
+.BR "conntrack -L [table] [-z]"
+.br
+.BR "conntrack -G [table] parameters"
+.br
+.BR "conntrack -D [table] paramaters"
+.br
+.BR "conntrack -I [table] parameters"
+.br
+.BR "conntrack -E [table] parameters"
+.br
+.BR "conntrack -F [table]"
+.SH DESCRIPTION
+.B conntrack
+is used to search, list, inspect and maintain the netfilter connection tracking
+subsystem of the Linux kernel.
+.PP
+Using
+.B conntrack
+, you can dump a list of all (or a filtered selection of) currently tracked
+connections, delete connections from the state table, and even add new ones.
+.PP
+In addition, you can also monitor connection tracking events, e.g. show an
+event message (one line) per newly established connection.
+.SH TABLES
+The connection tracking subsystem maintains two internal tables:
+.TP
+.BR "conntrack" :
+This is the default table. It contains a list of all currently tracked
+connections through the system. If you don't use connection tracking
+exemptions (NOTRACK iptables target), this means all connections that go
+through the system.
+.TP
+.BR "expect" :
+This is the table of expectations. Connection tracking expectations are the
+mechanism used to "expect" RELATED connections to existing ones. Expectations
+are generally used by "connection tracking helpers" (sometimes called
+application level gateways [ALGs]) for more complex protocols such as FTP,
+SIP, H.323.
+.SH OPTIONS
+The options recognized by
+.B conntrack
+can be divided into several different groups.
+.SS COMMANDS
+These options specify the particular operation to perform. Only one of them
+can be specified at any given time.
+.TP
+.BI "-L --dump "
+List connection tacking or expectation table
+.TP
+.BI "-G, --get "
+Search for and show a particular (matching) entry in the given table.
+.TP
+.BI "-D, --delete "
+Delete an entry from the given table.
+.TP
+.BI "-I, --create "
+Create a new entry from the given table.
+.TP
+.BI "-E, --event "
+Display a real-time event log.
+.TP
+.BI "-F, --flush "
+Flush the whole given table
+.SS PARAMETERS
+.TP
+.BI "-z, --zero "
+Atomically zero counters after reading them. This option is only valid in
+combination with the "-L, --dump" command options.
+.TP
+.BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
+Set the bitmask of events that are to be generated by the in-kernel ctnetlink
+event code. Using this parameter, you can reduce the event messages generated
+by the kernel to those types to those that you are actually interested in.
+.
+This option can only be used in conjunction with "-E, --event".
+.SS FILTER PARAMETERS
+.TP
+.BI "-s, --orig-src " IP_ADDRESS
+Match only entries whose source address in the original direction equals the one specified as argument.
+.TP
+.BI "-d, --orig-dst " IP_ADDRESS
+Match only entries whose destination address in the original direction equals the one specified as argument.
+.TP
+.BI "-r, --reply-src " IP_ADDRESS
+Match only entries whose source address in the reply direction equals the one specified as argument.
+.TP
+.BI "-q, --reply-dst " IP_ADDRESS
+Match only entries whose destination address in the reply direction equals the one specified as argument.
+.TP
+.BI "-p, --proto " "PROTO "
+Specify layer four (TCP, UDP, ...) protocol.
+.TP
+.BI "-f, --family " "PROTO"
+Specify layer three (ipv4, ipv6) protocol
+This option is only required in conjunction with "-L, --dump". If this option is not passed, the default layer 3 protocol will be IPv4.
+.TP
+.BI "-t, --timeout " "TIMEOUT"
+Specify the timeout.
+.TP
+.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET|SRC_NAT|DST_NAT][,...]"
+Specify the conntrack status.
+.TP
+.BI "-i, --id " "ID"
+Specify the conntrack ID.
+.
+This option can only be used in conjunction with "-L, --dump" to display the conntrack IDs.
+.TP
+.BI "--tuple-src " IP_ADDRESS
+Specify the tuple source address of an expectation.
+.TP
+.BI "--tuple-dst " IP_ADDRESS
+Specify the tuple destination address of an expectation.
+.TP
+.BI "--mask-src " IP_ADDRESS
+Specify the source address mask of an expectation.
+.TP
+.BI "--mask-dst " IP_ADDRESS
+Specify the destination address mask of an expectation.
+.SH DIAGNOSTICS
+The exit code is 0 for correct function. Errors which appear to be caused by
+invalid command line parameters cause an exit code of 2. Any other errors
+cause an exit code of 1.
+.SH BUGS
+Bugs? What's this ;-)
+.SH SEE ALSO
+.BR iptables (8)
+.br
+See
+.BR "http://netfilter.org/" .
+.SH AUTHORS
+Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira wrote the kernel-level "ctnetlink" interface that is used by the conntrack tool.
+.PP
+Pablo Neira wrote the conntrack tool, Harald Welte added support for conntrack based accounting counters.
+.PP
+Man page written by Harald Welte <laforge@netfilter.org>.