Diffstat (limited to 'conntrack.8'):
-rw-r--r--  conntrack.8  315
1 files changed, 315 insertions, 0 deletions
diff --git a/conntrack.8 b/conntrack.8
new file mode 100644
index 0000000..0e7c410
--- /dev/null
+++ b/conntrack.8
@@ -0,0 +1,315 @@
+.TH CONNTRACK 8 "Apr 11, 2009" "" ""
+
+.\" Man page written by Harald Welte <laforge@netfilter.org (Jun 2005)
+.\" Maintained by Pablo Neira Ayuso <pablo@netfilter.org (May 2007)
+
+.SH NAME
+conntrack \- command line interface for netfilter connection tracking
+.SH SYNOPSIS
+.BR "conntrack -L [table] [-z]"
+.br
+.BR "conntrack -G [table] parameters"
+.br
+.BR "conntrack -D [table] paramaters"
+.br
+.BR "conntrack -I [table] parameters"
+.br
+.BR "conntrack -U [table] parameters"
+.br
+.BR "conntrack -E [table] parameters"
+.br
+.BR "conntrack -F [table]"
+.br
+.BR "conntrack -C [table]"
+.br
+.BR "conntrack -S "
+.SH DESCRIPTION
+.B conntrack
+provides a full featured userspace interface to the netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel.
+Using
+.B conntrack
+, you can dump a list of all (or a filtered selection of) currently tracked
+connections, delete connections from the state table, and even add new ones.
+.PP
+In addition, you can also monitor connection tracking events, e.g. show an
+event message (one line) per newly established connection.
+.SH TABLES
+The connection tracking subsystem maintains two internal tables:
+.TP
+.BR "conntrack" :
+This is the default table. It contains a list of all currently tracked
+connections through the system. If you don't use connection tracking
+exemptions (NOTRACK iptables target), this means all connections that go
+through the system.
+.TP
+.BR "expect" :
+This is the table of expectations. Connection tracking expectations are the
+mechanism used to "expect" RELATED connections to existing ones. Expectations
+are generally used by "connection tracking helpers" (sometimes called
+application level gateways [ALGs]) for more complex protocols such as FTP,
+SIP, H.323.
+.SH OPTIONS
+The options recognized by
+.B conntrack
+can be divided into several different groups.
+.SS COMMANDS
+These options specify the particular operation to perform. Only one of them
+can be specified at any given time.
+.TP
+.BI "-L --dump "
+List connection tracking or expectation table
+.TP
+.BI "-G, --get "
+Search for and show a particular (matching) entry in the given table.
+.TP
+.BI "-D, --delete "
+Delete an entry from the given table.
+.TP
+.BI "-I, --create "
+Create a new entry from the given table.
+.TP
+.BI "-U, --update "
+Update an entry from the given table.
+.TP
+.BI "-E, --event "
+Display a real-time event log.
+.TP
+.BI "-F, --flush "
+Flush the whole given table
+.TP
+.BI "-C, --count "
+Show the table counter.
+.TP
+.BI "-S, --stats "
+Show the in-kernel connection tracking system statistics.
+.SS PARAMETERS
+.TP
+.BI "-z, --zero "
+Atomically zero counters after reading them. This option is only valid in
+combination with the "-L, --dump" command options.
+.TP
+.BI "-o, --output [extended,xml,timestamp,id] "
+Display output in a certain format.
+.TP
+.BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
+Set the bitmask of events that are to be generated by the in-kernel ctnetlink
+event code. Using this parameter, you can reduce the event messages generated
+by the kernel to those types to those that you are actually interested in.
+.
+This option can only be used in conjunction with "-E, --event".
+.BI "-b, --buffer-size " "value (in bytes)"
+Set the Netlink socket buffer size. This option is useful if the command line
+tool reports ENOBUFS errors. If you do not pass this option, the default value
+available at /proc/sys/net/core/rmem_default is used. The tool reports this
+problem if your process is too slow to handle all the event messages or, in
+other words, if the amount of events are big enough to overrun the socket
+buffer. Note that using a big buffer reduces the chances to hit ENOBUFS,
+however, this results in more memory consumption.
+.
+This option can only be used in conjunction with "-E, --event".
+.SS FILTER PARAMETERS
+.TP
+.BI "-s, --orig-src " IP_ADDRESS
+Match only entries whose source address in the original direction equals the one specified as argument.
+.TP
+.BI "-d, --orig-dst " IP_ADDRESS
+Match only entries whose destination address in the original direction equals the one specified as argument.
+.TP
+.BI "-r, --reply-src " IP_ADDRESS
+Match only entries whose source address in the reply direction equals the one specified as argument.
+.TP
+.BI "-q, --reply-dst " IP_ADDRESS
+Match only entries whose destination address in the reply direction equals the one specified as argument.
+.TP
+.BI "-p, --proto " "PROTO "
+Specify layer four (TCP, UDP, ...) protocol.
+.TP
+.BI "-f, --family " "PROTO"
+Specify layer three (ipv4, ipv6) protocol
+This option is only required in conjunction with "-L, --dump". If this option is not passed, the default layer 3 protocol will be IPv4.
+.TP
+.BI "-t, --timeout " "TIMEOUT"
+Specify the timeout.
+.BI "-m, --mark " "MARK"
+Specify the conntrack mark.
+.TP
+.BI "-c, --secmark " "SECMARK"
+Specify the conntrack selinux security mark.
+.TP
+.BI "-u, --status " "[ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]"
+Specify the conntrack status.
+.TP
+.BI "-n, --src-nat "
+Filter source NAT connections.
+.TP
+.BI "-g, --dst-nat "
+Filter destination NAT connections.
+.TP
+.BI "--tuple-src " IP_ADDRESS
+Specify the tuple source address of an expectation.
+.TP
+.BI "--tuple-dst " IP_ADDRESS
+Specify the tuple destination address of an expectation.
+.TP
+.BI "--mask-src " IP_ADDRESS
+Specify the source address mask of an expectation.
+.TP
+.BI "--mask-dst " IP_ADDRESS
+Specify the destination address mask of an expectation.
+.SS PROTOCOL FILTER PARAMETERS
+.TP
+TCP-specific fields:
+.TP
+.BI "--sport, --orig-port-src " "PORT"
+Source port in original direction
+.TP
+.BI "--dport, --orig-port-dst " "PORT"
+Destination port in original direction
+.TP
+.BI "--reply-port-src " "PORT"
+Source port in reply direction
+.TP
+.BI "--reply-port-dst " "PORT"
+Destination port in reply direction
+.TP
+.BI "--state " "[NONE | SYN_SENT | SYN_RECV | ESTABLISHED | FIN_WAIT | CLOSE_WAIT | LAST_ACK | TIME_WAIT | CLOSE | LISTEN]"
+TCP state
+.TP
+UDP-specific fields:
+.TP
+.BI "--sport, --orig-port-src " "PORT"
+Source port in original direction
+.TP
+.BI "--dport, --orig-port-dst " "PORT"
+Destination port in original direction
+.TP
+.BI "--reply-port-src " "PORT"
+Source port in reply direction
+.TP
+.BI "--reply-port-dst " "PORT"
+Destination port in reply direction
+.TP
+ICMP-specific fields:
+.TP
+.BI "--icmp-type " "TYPE"
+ICMP Type. Has to be specified numerically.
+.TP
+.BI "--icmp-code " "CODE"
+ICMP Code. Has to be specified numerically.
+.TP
+.BI "--icmp-id " "ID"
+ICMP Id. Has to be specified numerically (non-mandatory)
+.TP
+UDPlite-specific fields:
+.TP
+.BI "--sport, --orig-port-src " "PORT"
+Source port in original direction
+.TP
+.BI "--dport, --orig-port-dst " "PORT"
+Destination port in original direction
+.TP
+.BI "--reply-port-src " "PORT"
+Source port in reply direction
+.TP
+.BI "--reply-port-dst " "PORT"
+Destination port in reply direction
+.TP
+SCTP-specific fields:
+.TP
+.BI "--sport, --orig-port-src " "PORT"
+Source port in original direction
+.TP
+.BI "--dport, --orig-port-dst " "PORT"
+Destination port in original direction
+.TP
+.BI "--reply-port-src " "PORT"
+Source port in reply direction
+.TP
+.BI "--reply-port-dst " "PORT"
+Destination port in reply direction
+.TP
+.BI "--state " "[NONE | CLOSED | COOKIE_WAIT | COOKIE_ECHOED | ESTABLISHED | SHUTDOWN_SENT | SHUTDOWN_RECD | SHUTDOWN_ACK_SENT]"
+SCTP state
+.TP
+.BI "--orig-vtag " "value"
+Verification tag (32-bits value) in the original direction
+.TP
+.BI "--reply-vtag " "value"
+Verification tag (32-bits value) in the reply direction
+.TP
+DCCP-specific fields (needs Linux >= 2.6.30):
+.TP
+.BI "--sport, --orig-port-src " "PORT"
+Source port in original direction
+.TP
+.BI "--dport, --orig-port-dst " "PORT"
+Destination port in original direction
+.TP
+.BI "--reply-port-src " "PORT"
+Source port in reply direction
+.TP
+.BI "--reply-port-dst " "PORT"
+Destination port in reply direction
+.TP
+.BI "--state " "[NONE | REQUEST | RESPOND | PARTOPEN | OPEN | CLOSEREQ | CLOSING | TIMEWAIT]"
+DCCP state
+.BI "--role " "[client | server]"
+Role that the original conntrack tuple is tracking
+.TP
+GRE-specific fields:
+.TP
+.BI "--srckey, --orig-key-src " "KEY"
+Source key in original direction (in hexadecimal or decimal)
+.TP
+.BI "--dstkey, --orig-key-dst " "KEY"
+Destination key in original direction (in hexadecimal or decimal)
+.TP
+.BI "--reply-key-src " "KEY"
+Source key in reply direction (in hexadecimal or decimal)
+.TP
+.BI "--reply-key-dst " "KEY"
+Destination key in reply direction (in hexadecimal or decimal)
+.TP
+.SH DIAGNOSTICS
+The exit code is 0 for correct function. Errors which appear to be caused by
+invalid command line parameters cause an exit code of 2. Any other errors
+cause an exit code of 1.
+.SH EXAMPLES
+.TP
+.B conntrack \-L
+Show the connection tracking table in /proc/net/ip_conntrack format
+.TP
+.B conntrack \-L -o extended
+Show the connection tracking table in /proc/net/nf_conntrack format
+.TP
+.B conntrack \-L \-o xml
+Show the connection tracking table in XML
+.TP
+.B conntrack \-L -f ipv6 -o extended
+Only dump IPv6 connections in /proc/net/nf_conntrack format
+.TP
+.B conntrack \-L --src-nat
+Show source NAT connections
+.TP
+.B conntrack \-E \-o timestamp
+Show connection events together with the timestamp
+.TP
+.B conntrack \-D \-s 1.2.3.4
+Delete all flow whose source address is 1.2.3.4
+.TP
+.B conntrack \-U \-s 1.2.3.4 \-m 1
+Set connmark to 1 of all the flows whose source address is 1.2.3.4
+.SH BUGS
+Please, report them to netfilter-devel@vger.kernel.org or file a bug in
+Netfilter's bugzilla (https://bugzilla.netfilter.org).
+.SH SEE ALSO
+.BR iptables (8)
+.br
+See
+.BR "http://conntrack-tools.netfilter.org"
+.SH AUTHORS
+Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote the kernel-level "ctnetlink" interface that is used by the conntrack tool.
+.PP
+Pablo Neira Ayuso wrote and maintain the conntrack tool, Harald Welte added support for conntrack based accounting counters.
+.PP
+Man page written by Harald Welte <laforge@netfilter.org> and Pablo Neira Ayuso <pablo@netfilter.org>.
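Review bot: three option entries in this hunk are missing the `.TP` macro that every other entry has, so they will render as run-on text glued to the previous paragraph instead of as tagged entries: `.BI "-b, --buffer-size " "value (in bytes)"` under PARAMETERS, `.BI "-m, --mark " "MARK"` under FILTER PARAMETERS, and `.BI "--role " "[client | server]"` in the DCCP block. Please add `.TP` before each. The lone `.TP` right before `.SH DIAGNOSTICS` is dangling (no entry follows it) and should be dropped. Smaller text fixes in the same hunk: "paramaters" in the `-D` SYNOPSIS line, the two header comments `.\" Man page written by Harald Welte <laforge@netfilter.org (Jun 2005)` and the Pablo line below it are missing the closing `>` on the e-mail addresses, "Delete all flow whose source address is 1.2.3.4" should read "all flows", "wrote and maintain the conntrack tool" should be "maintains", and the `-f, --family` text "This option is only required in conjunction with -L, --dump" reads as if `-L` requires it; "only relevant with" matches the next sentence, which says it defaults to IPv4 when omitted. The bare `.` lines after the `-e` and `-b` descriptions are harmless empty requests but look like leftovers and could go.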