author | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org </C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org> | 2007-04-16 17:55:00 +0000 |
---|---|---|
committer | /C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org </C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org> | 2007-04-16 17:55:00 +0000 |
commit | ad31f852c3454136bdbfeb7f222cb9c175f13c1c (patch) | |
tree | 67bbd2dbec77205ccfd2c950b8cbeefe65f2c67e /cli/conntrack.8 | |
parent | 13e6cab49dc2716c3e58eda12eed2fbab24be59b (diff) | |
download | conntrack-tools-ad31f852c3454136bdbfeb7f222cb9c175f13c1c.tar.gz conntrack-tools-ad31f852c3454136bdbfeb7f222cb9c175f13c1c.zip |
initial import of the conntrack daemon to Netfilter SVN
Diffstat (limited to 'cli/conntrack.8')
-rw-r--r-- | cli/conntrack.8 | 142 |
1 files changed, 142 insertions, 0 deletions
diff --git a/cli/conntrack.8 b/cli/conntrack.8 new file mode 100644 index 0000000..307180b --- /dev/null +++ b/cli/conntrack.8 
@@ -0,0 +1,142 @@ +.TH CONNTRACK 8 "Jun 23, 2005" "" "" + +.\" Man page written by Harald Welte <laforge@netfilter.org (Jun 2005) + +.SH NAME +conntrack \- administration tool for netfilter connection tracking +.SH SYNOPSIS +.BR "conntrack -L [table] [-z]" +.br +.BR "conntrack -G [table] parameters" +.br +.BR "conntrack -D [table] paramaters" +.br +.BR "conntrack -I [table] parameters" +.br +.BR "conntrack -E [table] parameters" +.br +.BR "conntrack -F [table]" +.SH DESCRIPTION +.B conntrack +is used to search, list, inspect and maintain the netfilter connection tracking +subsystem of the Linux kernel. +.PP +Using +.B conntrack +, you can dump a list of all (or a filtered selection of) currently tracked +connections, delete connections from the state table, and even add new ones. +.PP +In addition, you can also monitor connection tracking events, e.g. show an +event message (one line) per newly established connection. +.SH TABLES +The connection tracking subsystem maintains two internal tables: +.TP +.BR "conntrack" : +This is the default table. It contains a list of all currently tracked +connections through the system. If you don't use connection tracking +exemptions (NOTRACK iptables target), this means all connections that go +through the system. +.TP +.BR "expect" : +This is the table of expectations. Connection tracking expectations are the +mechanism used to "expect" RELATED connections to existing ones. Expectations +are generally used by "connection tracking helpers" (sometimes called +application level gateways [ALGs]) for more complex protocols such as FTP, +SIP, H.323. +.SH OPTIONS +The options recognized by +.B conntrack +can be divided into several different groups. +.SS COMMANDS +These options specify the particular operation to perform. Only one of them +can be specified at any given time. +.TP +.BI "-L --dump " +List connection tacking or expectation table +.TP +.BI "-G, --get " +Search for and show a particular (matching) entry in the given table. 
+.TP +.BI "-D, --delete " +Delete an entry from the given table. +.TP +.BI "-I, --create " +Create a new entry from the given table. +.TP +.BI "-E, --event " +Display a real-time event log. +.TP +.BI "-F, --flush " +Flush the whole given table +.SS PARAMETERS +.TP +.BI "-z, --zero " +Atomically zero counters after reading them. This option is only valid in +combination with the "-L, --dump" command options. +.TP +.BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]" +Set the bitmask of events that are to be generated by the in-kernel ctnetlink +event code. Using this parameter, you can reduce the event messages generated +by the kernel to those types to those that you are actually interested in. +. +This option can only be used in conjunction with "-E, --event". +.SS FILTER PARAMETERS +.TP +.BI "-s, --orig-src " IP_ADDRESS +Match only entries whose source address in the original direction equals the one specified as argument. +.TP +.BI "-d, --orig-dst " IP_ADDRESS +Match only entries whose destination address in the original direction equals the one specified as argument. +.TP +.BI "-r, --reply-src " IP_ADDRESS +Match only entries whose source address in the reply direction equals the one specified as argument. +.TP +.BI "-q, --reply-dst " IP_ADDRESS +Match only entries whose destination address in the reply direction equals the one specified as argument. +.TP +.BI "-p, --proto " "PROTO " +Specify layer four (TCP, UDP, ...) protocol. +.TP +.BI "-f, --family " "PROTO" +Specify layer three (ipv4, ipv6) protocol +This option is only required in conjunction with "-L, --dump". If this option is not passed, the default layer 3 protocol will be IPv4. +.TP +.BI "-t, --timeout " "TIMEOUT" +Specify the timeout. +.TP +.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET|SRC_NAT|DST_NAT][,...]" +Specify the conntrack status. +.TP +.BI "-i, --id " "ID" +Specify the conntrack ID. +. +This option can only be used in conjunction with "-L, --dump" to display the conntrack IDs. 
+.TP +.BI "--tuple-src " IP_ADDRESS +Specify the tuple source address of an expectation. +.TP +.BI "--tuple-dst " IP_ADDRESS +Specify the tuple destination address of an expectation. +.TP +.BI "--mask-src " IP_ADDRESS +Specify the source address mask of an expectation. +.TP +.BI "--mask-dst " IP_ADDRESS +Specify the destination address mask of an expectation. +.SH DIAGNOSTICS +The exit code is 0 for correct function. Errors which appear to be caused by +invalid command line parameters cause an exit code of 2. Any other errors +cause an exit code of 1. +.SH BUGS +Bugs? What's this ;-) +.SH SEE ALSO +.BR iptables (8) +.br +See +.BR "http://netfilter.org/" . +.SH AUTHORS +Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira wrote the kernel-level "ctnetlink" interface that is used by the conntrack tool. +.PP +Pablo Neira wrote the conntrack tool, Harald Welte added support for conntrack based accounting counters. +.PP +Man page written by Harald Welte <laforge@netfilter.org>. |
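Review bot: the SYNOPSIS and COMMANDS text carry typos that will ship in the installed man page: `.BR "conntrack -D [table] paramaters"` should read `parameters`, `.BI "-L --dump "` lacks the comma every other command entry uses (`"-L, --dump "`), and its description "List connection tacking or expectation table" should read "tracking". The roff comment `.\" Man page written by Harald Welte <laforge@netfilter.org (Jun 2005)` is missing the closing `>` after the address. Smaller wording points in the same hunk: the `-I, --create` entry says "Create a new entry from the given table" where "in the given table" is meant; the `-e, --event-mask` sentence "reduce the event messages generated by the kernel to those types to those that you are actually interested in" repeats "to those"; the `-f, --family` description runs "protocol" straight into the following sentence without a period; and the bare `.` request lines after the `-e` and `-i` descriptions are no-ops in troff and can be dropped.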