Diffstat (limited to 'conntrack.8')
-rw-r--r-- | conntrack.8 | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/conntrack.8 b/conntrack.8 index 0e7c410..6525123 100644 --- a/conntrack.8 +++ b/conntrack.8 @@ -1,4 +1,4 @@ -.TH CONNTRACK 8 "Apr 11, 2009" "" "" +.TH CONNTRACK 8 "Jul 5, 2010" "" "" .\" Man page written by Harald Welte <laforge@netfilter.org (Jun 2005) .\" Maintained by Pablo Neira Ayuso <pablo@netfilter.org (May 2007) @@ -88,8 +88,11 @@ Show the in-kernel connection tracking system statistics. Atomically zero counters after reading them. This option is only valid in combination with the "-L, --dump" command options. .TP -.BI "-o, --output [extended,xml,timestamp,id] " -Display output in a certain format. +.BI "-o, --output [extended,xml,timestamp,id,ktimestamp] " +Display output in a certain format. With the extended output option, this tool +displays the layer 3 information. With ktimestamp, it displays the in-kernel +timestamp available since 2.6.38 (you can enable it via echo 1 > +/proc/sys/net/netfilter/nf_conntrack_timestamp). .TP .BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]" Set the bitmask of events that are to be generated by the in-kernel ctnetlink @@ -97,6 +100,7 @@ event code. Using this parameter, you can reduce the event messages generated by the kernel to those types to those that you are actually interested in. . This option can only be used in conjunction with "-E, --event". +.TP .BI "-b, --buffer-size " "value (in bytes)" Set the Netlink socket buffer size. This option is useful if the command line tool reports ENOBUFS errors. If you do not pass this option, the default value 
@@ -130,8 +134,13 @@ This option is only required in conjunction with "-L, --dump". If this option is .TP .BI "-t, --timeout " "TIMEOUT" Specify the timeout. -.BI "-m, --mark " "MARK" -Specify the conntrack mark. +.TP +.BI "-m, --mark " "MARK[/MASK]" +Specify the conntrack mark. Optionally, a mask value can be specified. +In "--update" mode, this mask specifies the bits that should be zeroed before XORing +the MARK value into the ctmark. +Otherwise, the mask is logically ANDed with the existing mark before the comparision. +In "--create" mode, the mask is ignored. .TP .BI "-c, --secmark " "SECMARK" Specify the conntrack selinux security mark. @@ -145,6 +154,12 @@ Filter source NAT connections. .BI "-g, --dst-nat " Filter destination NAT connections. .TP +.BI "-j, --any-nat " +Filter any NAT connections. +.TP +.BI "-w, --zone " +Filter by conntrack zone. See iptables CT target for more information. +.TP .BI "--tuple-src " IP_ADDRESS Specify the tuple source address of an expectation. .TP |
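Review bot: In the "-o, --output" hunk, the command that enables the kernel timestamp is embedded in filled text and split across two source lines ("echo 1 >" at the end of one, "/proc/sys/net/netfilter/nf_conntrack_timestamp" at the start of the next), so the rendered page can wrap it at an arbitrary point and it cannot be copied as one command. Suggest putting the command on a line of its own in a no-fill block (.nf/.fi), or naming the sysctl key instead of spelling out the redirect. The entry also now explains extended and ktimestamp but still says nothing about xml, timestamp and id, which sit in the same bracket list; one sentence for each would complete it.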
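Review bot: In the "-m, --mark" hunk, "comparision" should be "comparison", and the sentence order makes the mask semantics ambiguous: "Otherwise, the mask is logically ANDed ..." comes before "In "--create" mode, the mask is ignored", so "Otherwise" reads as if it also covered --create. Suggest stating the three cases in a fixed order (--update, --create, then the remaining commands that match on the mark) and naming those remaining commands explicitly. The text should also say what mask applies when only MARK is given, since MARK[/MASK] makes the mask optional and the update rule (zero the masked bits, then XOR) behaves very differently depending on that default.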
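Review bot: In the last hunk, the new entry .BI "-w, --zone " has no argument placeholder although its description, "Filter by conntrack zone", implies a value is expected; the neighbouring entries show theirs (for example "-t, --timeout " "TIMEOUT" and "--tuple-src " IP_ADDRESS), so this one should too. "See iptables CT target for more information" would be easier to follow as a proper manual reference to the page and section that documents the CT target. For "-j, --any-nat", a few words on how it relates to the source-NAT and "-g, --dst-nat" filters listed just above it (either of the two, or both) would remove the guesswork.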