.TH CONNTRACK 8 "Aug 24, 2015" "" ""
.\" Man page written by Harald Welte <laforge@netfilter.org (Jun 2005)
.\" Maintained by Pablo Neira Ayuso <pablo@netfilter.org (May 2007)
.SH NAME
conntrack \- command line interface for netfilter connection tracking
.SH SYNOPSIS
.BR "conntrack -L [table] [options] [-z]"
.br
.BR "conntrack -G [table] parameters"
.br
.BR "conntrack -D [table] parameters"
.br
.BR "conntrack -I [table] parameters"
.br
.BR "conntrack -U [table] parameters"
.br
.BR "conntrack -E [table] [options]"
.br
.BR "conntrack -F [table]"
.br
.BR "conntrack -C [table]"
.br
.BR "conntrack -S "
.SH DESCRIPTION
.B conntrack
provides a full-featured userspace interface to the netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel.
Using
.BR conntrack ,
you can dump a list of all (or a filtered selection of) currently tracked
connections, delete connections from the state table, and even add new ones.
.PP
In addition, you can also monitor connection tracking events, e.g. show an
event message (one line) per newly established connection.
.SH TABLES
The connection tracking subsystem maintains two internal tables:
.TP
.BR "conntrack" :
This is the default table. It contains a list of all currently tracked
connections through the system. If you don't use connection tracking
exemptions (NOTRACK iptables target), this means all connections that go
through the system.
.TP
.BR "expect" :
This is the table of expectations. Connection tracking expectations are the
mechanism used to "expect" RELATED connections to existing ones. Expectations
are generally used by "connection tracking helpers" (sometimes called
application level gateways [ALGs]) for more complex protocols such as FTP,
SIP, H.323.
.SH OPTIONS
The options recognized by
.B conntrack
can be divided into several different groups.
.SS COMMANDS
These options specify the particular operation to perform. Only one of them
can be specified at any given time.
.TP
.BI "-L, --dump "
List the connection tracking or expectation table.
.TP
.BI "-G, --get "
Search for and show a particular (matching) entry in the given table.
.TP
.BI "-D, --delete "
Delete an entry from the given table.
.TP
.BI "-I, --create "
Create a new entry in the given table.
.TP
.BI "-U, --update "
Update an entry from the given table.
.TP
.BI "-E, --event "
Display a real-time event log.
.TP
.BI "-F, --flush "
Flush the whole given table.
.TP
.BI "-C, --count "
Show the table counter.
.TP
.BI "-S, --stats "
Show the in-kernel connection tracking system statistics.
.SS PARAMETERS
.TP
.BI "-z, --zero "
Atomically zero counters after reading them. This option is only valid in
combination with the "\-L, \-\-dump" command options.
.TP
.BI "-o, --output [extended,xml,timestamp,id,ktimestamp,labels] "
Display output in a certain format. With the extended output option, this tool
displays the layer 3 information. With ktimestamp, it displays the in-kernel
timestamp available since 2.6.38 (you can enable it via echo 1 >
/proc/sys/net/netfilter/nf_conntrack_timestamp).
The labels output option tells conntrack to show the names of connection
tracking labels that might be present.
.TP
.BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
Set the bitmask of events that are to be generated by the in-kernel ctnetlink
event code. Using this parameter, you can reduce the event messages generated
by the kernel to those types that you are actually interested in.
.
This option can only be used in conjunction with "\-E, \-\-event".
.TP
.BI "-b, --buffer-size " "value (in bytes)"
Set the Netlink socket buffer size. This option is useful if the command line
tool reports ENOBUFS errors. If you do not pass this option, the default value
available at /proc/sys/net/core/rmem_default is used. The tool reports this
problem if your process is too slow to handle all the event messages or, in
other words, if the volume of events is large enough to overrun the socket
buffer. Note that using a bigger buffer reduces the chance of hitting ENOBUFS,
at the cost of more memory consumption.
.
This option can only be used in conjunction with "\-E, \-\-event".
.SS FILTER PARAMETERS
.TP
.BI "-s, --orig-src " IP_ADDRESS
Match only entries whose source address in the original direction equals the one specified as argument.
.TP
.BI "-d, --orig-dst " IP_ADDRESS
Match only entries whose destination address in the original direction equals the one specified as argument.
.TP
.BI "-r, --reply-src " IP_ADDRESS
Match only entries whose source address in the reply direction equals the one specified as argument.
.TP
.BI "-q, --reply-dst " IP_ADDRESS
Match only entries whose destination address in the reply direction equals the one specified as argument.
.TP
.BI "-p, --proto " "PROTO "
Specify layer four (TCP, UDP, ...) protocol.
.TP
.BI "-f, --family " "PROTO"
Specify layer three (ipv4, ipv6) protocol.
This option is only required in conjunction with "\-L, \-\-dump". If this option is not passed, the default layer 3 protocol will be IPv4.
.TP
.BI "-t, --timeout " "TIMEOUT"
Specify the timeout.
.TP
.BI "-m, --mark " "MARK[/MASK]"
Specify the conntrack mark. Optionally, a mask value can be specified.
In "\-\-update" mode, this mask specifies the bits that should be zeroed before XORing
the MARK value into the ctmark.
Otherwise, the mask is logically ANDed with the existing mark before the comparison.
In "\-\-create" mode, the mask is ignored.
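.PP
The MARK[/MASK] semantics above are easy to get wrong when writing mark-based policy. The following is an added example (not code from conntrack-tools) that models the two operations described: the update rule, where the MASK bits are cleared and MARK is XORed in, and the filter rule, where the existing mark is ANDed with MASK and compared to MARK. It assumes the ctmark is a 32-bit value and that an omitted mask means all bits (full replace when updating, exact comparison when filtering); both are assumptions, not statements from this page.

```python
# Added example, not part of conntrack-tools: models the -m/--mark MARK[/MASK]
# semantics of conntrack(8) so the effect of a given update or filter can be
# checked before it is applied to live flows.

CTMARK_BITS = 32                       # assumption: ctmark is a u32
CTMARK_ALL = (1 << CTMARK_BITS) - 1    # mask meaning "every bit"


def parse_mark_arg(arg: str) -> tuple:
    """Parse a 'MARK[/MASK]' argument. Values may be decimal or 0x-prefixed
    hex. A missing mask is assumed to mean all bits."""
    mark_s, sep, mask_s = arg.partition("/")
    mark = int(mark_s, 0)
    mask = int(mask_s, 0) if sep else CTMARK_ALL
    for value in (mark, mask):
        if not 0 <= value <= CTMARK_ALL:
            raise ValueError(f"value out of 32-bit range: {value:#x}")
    return mark, mask


def update_mark(current: int, mark: int, mask: int) -> int:
    """--update: zero the bits selected by MASK, then XOR MARK into the result.
    Bits of MARK outside MASK are still XORed, so they toggle rather than set."""
    return ((current & ~mask) ^ mark) & CTMARK_ALL


def mark_matches(current: int, mark: int, mask: int) -> bool:
    """Filter mode (-L, -D, -E, ...): AND the existing mark with MASK and
    compare the result to MARK."""
    return (current & mask) == mark


def preview_update(current_marks, arg: str) -> list:
    """Show what '-U -m ARG' would do to each of the given existing marks."""
    mark, mask = parse_mark_arg(arg)
    return [update_mark(m, mark, mask) for m in current_marks]


if __name__ == "__main__":
    # Constructed existing marks: a 'zone' byte in bits 16-23, a 'class' byte in bits 0-7.
    existing = [0x00010005, 0x00020005, 0x000300ff]
    # Replace only the low byte with 0x10, keep the zone byte untouched.
    print([f"{m:#010x}" for m in preview_update(existing, "0x10/0xff")])
    # Filter: which of these flows would '-L -m 0x10/0xff' list after the update?
    updated = preview_update(existing, "0x10/0xff")
    print([mark_matches(m, *parse_mark_arg("0x10/0xff")) for m in updated])
```

Running the script prints the three rewritten marks with their zone byte preserved (0x00010010, 0x00020010, 0x00030010) and then three True values, which is the check a practitioner wants before running the same -m argument against a live table.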
.TP
.BI "-l, --label " "LABEL"
Specify a conntrack label.
This option is only available in conjunction with "\-L, \-\-dump", "\-E, \-\-event", or "\-U, \-\-update".
Match entries whose labels include at least those specified as arguments.
Use multiple \-l options to specify multiple labels that all need to be set.
.TP
.BI "--label-add " "LABEL"
Specify the conntrack label to add to the selected conntracks.
This option is only available in conjunction with "\-I, \-\-create" or "\-U, \-\-update".
.TP
.BI "--label-del " "[LABEL]"
Specify the conntrack label to delete from the selected conntracks.
If no label is given, all labels are deleted.
This option is only available in conjunction with "\-U, \-\-update".
.TP
.BI "-c, --secmark " "SECMARK"
Specify the conntrack selinux security mark.
.TP
.BI "-u, --status " "[ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]"
Specify the conntrack status.
.TP
.BI "-n, --src-nat "
Filter source NAT connections.
.TP
.BI "-g, --dst-nat "
Filter destination NAT connections.
.TP
.BI "-j, --any-nat "
Filter any NAT connections.
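.PP
The four address filters (\-s, \-d, \-r, \-q) and the NAT filters (\-n, \-g, \-j) only make sense once the original and reply tuples of a flow are kept apart: for a source-NATed flow the reply is addressed to the translated address, not to the host that opened the connection. The following is an added example, not code from conntrack-tools, that parses constructed lines in the /proc/net/ip_conntrack-style layout printed by "conntrack \-L" (that layout is assumed here, the page does not spell it out) into original and reply tuples and applies the filters on top. Inferring NAT from tuple asymmetry is a simplification of what the tool does (it uses the kernel's NAT status bits) and is labelled as such in the code.

```python
# Added example, not part of conntrack-tools: parse conntrack -L style lines
# into original/reply tuples and apply the direction and NAT filters.
from dataclasses import dataclass, field
from typing import Optional

TUPLE_KEYS = ("src", "dst", "sport", "dport", "type", "code", "id")

# Constructed sample output (assumed /proc/net/ip_conntrack-style layout):
# 1: SNAT (masquerade): reply goes to 198.51.100.1, not to the LAN host
# 2: plain UDP DNS lookup, no NAT
# 3: half-open TCP handshake, reply not yet seen
# 4: ICMP echo, matched by type/code/id instead of ports
# 5: DNAT port forward: reply comes from the internal 192.168.1.50:8080
SAMPLE_LINES = [
    "tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 "
    "src=203.0.113.5 dst=198.51.100.1 sport=443 dport=51234 [ASSURED] mark=0 use=1",
    "udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=40000 dport=53 "
    "src=192.168.1.1 dst=192.168.1.20 sport=53 dport=40000 mark=0 use=1",
    "tcp      6 117 SYN_SENT src=10.0.0.7 dst=10.0.0.8 sport=33000 dport=22 [UNREPLIED] "
    "src=10.0.0.8 dst=10.0.0.7 sport=22 dport=33000 mark=0 use=1",
    "icmp     1 29 src=10.0.0.7 dst=10.0.0.1 type=8 code=0 id=1234 "
    "src=10.0.0.1 dst=10.0.0.7 type=0 code=0 id=1234 mark=0 use=1",
    "tcp      6 431999 ESTABLISHED src=203.0.113.9 dst=198.51.100.1 sport=50000 dport=80 "
    "src=192.168.1.50 dst=203.0.113.9 sport=8080 dport=50000 [ASSURED] mark=0 use=1",
]


@dataclass
class Flow:
    proto: str
    timeout: int
    state: Optional[str] = None                # L4 state token, e.g. ESTABLISHED
    orig: dict = field(default_factory=dict)   # original-direction tuple
    reply: dict = field(default_factory=dict)  # reply-direction tuple
    status: set = field(default_factory=set)   # ASSURED, UNREPLIED, ...
    mark: int = 0


def parse_line(line: str) -> Flow:
    """The first occurrence of each tuple key belongs to the original direction,
    the second to the reply direction; bracketed tokens are status flags."""
    tokens = line.split()
    flow = Flow(proto=tokens[0], timeout=int(tokens[2]))
    for tok in tokens[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            flow.status.add(tok[1:-1])
        elif "=" not in tok:
            flow.state = tok
        else:
            key, value = tok.split("=", 1)
            if key in TUPLE_KEYS:
                side = flow.reply if key in flow.orig else flow.orig
                side[key] = value
            elif key == "mark":
                flow.mark = int(value, 0)
    return flow


def is_src_nat(flow: Flow) -> bool:
    """Simplification: source NAT rewrites the original source, so the reply
    destination differs from it. conntrack itself uses kernel NAT status bits."""
    return flow.orig["src"] != flow.reply["dst"]


def is_dst_nat(flow: Flow) -> bool:
    """Simplification: destination NAT rewrites the original destination, so
    the reply source differs from it."""
    return flow.orig["dst"] != flow.reply["src"]


def select(flows, *, orig_src=None, orig_dst=None, reply_src=None, reply_dst=None,
           proto=None, sport=None, dport=None,
           src_nat=False, dst_nat=False, any_nat=False) -> list:
    """Return flows matching every given criterion; mirrors -s/-d/-r/-q,
    -p, --sport/--dport and -n/-g/-j."""
    wanted = {("orig", "src"): orig_src, ("orig", "dst"): orig_dst,
              ("reply", "src"): reply_src, ("reply", "dst"): reply_dst,
              ("orig", "sport"): sport, ("orig", "dport"): dport}
    out = []
    for f in flows:
        if proto and f.proto != proto:
            continue
        if any(v is not None and getattr(f, side).get(k) != v
               for (side, k), v in wanted.items()):
            continue
        if src_nat and not is_src_nat(f):
            continue
        if dst_nat and not is_dst_nat(f):
            continue
        if any_nat and not (is_src_nat(f) or is_dst_nat(f)):
            continue
        out.append(f)
    return out


if __name__ == "__main__":
    flows = [parse_line(l) for l in SAMPLE_LINES]
    for f in select(flows, any_nat=True):   # equivalent of: conntrack -L -j
        print(f.proto, f.orig["src"], "->", f.orig["dst"], "| reply",
              f.reply["src"], "->", f.reply["dst"], sorted(f.status))
```

Note that the SNAT flow is the only one returned by reply_dst="198.51.100.1" even though that address also appears as the original destination of the DNAT flow, which is exactly the distinction the \-q and \-d options encode.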
.TP
.BI "-w, --zone "
Filter by conntrack zone. See iptables CT target for more information.
.TP
.BI "--orig-zone "
Filter by conntrack zone in original direction.
See iptables CT target for more information.
.TP
.BI "--reply-zone "
Filter by conntrack zone in reply direction.
See iptables CT target for more information.
.TP
.BI "--tuple-src " IP_ADDRESS
Specify the tuple source address of an expectation.
.TP
.BI "--tuple-dst " IP_ADDRESS
Specify the tuple destination address of an expectation.
.TP
.BI "--mask-src " IP_ADDRESS
Specify the source address mask of an expectation.
.TP
.BI "--mask-dst " IP_ADDRESS
Specify the destination address mask of an expectation.
.SS PROTOCOL FILTER PARAMETERS
.TP
TCP-specific fields:
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction
.TP
.BI "--state " "[NONE | SYN_SENT | SYN_RECV | ESTABLISHED | FIN_WAIT | CLOSE_WAIT | LAST_ACK | TIME_WAIT | CLOSE | LISTEN]"
TCP state
.TP
UDP-specific fields:
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction
.TP
ICMP-specific fields:
.TP
.BI "--icmp-type " "TYPE"
ICMP Type. Has to be specified numerically.
.TP
.BI "--icmp-code " "CODE"
ICMP Code. Has to be specified numerically.
.TP
.BI "--icmp-id " "ID"
ICMP Id. Has to be specified numerically (optional).
.TP
UDPlite-specific fields:
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction
.TP
SCTP-specific fields:
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction
.TP
.BI "--state " "[NONE | CLOSED | COOKIE_WAIT | COOKIE_ECHOED | ESTABLISHED | SHUTDOWN_SENT | SHUTDOWN_RECD | SHUTDOWN_ACK_SENT]"
SCTP state
.TP
.BI "--orig-vtag " "value"
Verification tag (32-bits value) in the original direction
.TP
.BI "--reply-vtag " "value"
Verification tag (32-bits value) in the reply direction
.TP
DCCP-specific fields (needs Linux >= 2.6.30):
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction
.TP
.BI "--state " "[NONE | REQUEST | RESPOND | PARTOPEN | OPEN | CLOSEREQ | CLOSING | TIMEWAIT]"
DCCP state
.TP
.BI "--role " "[client | server]"
Role that the original conntrack tuple is tracking
.TP
GRE-specific fields:
.TP
.BI "--srckey, --orig-key-src " "KEY"
Source key in original direction (in hexadecimal or decimal)
.TP
.BI "--dstkey, --orig-key-dst " "KEY"
Destination key in original direction (in hexadecimal or decimal)
.TP
.BI "--reply-key-src " "KEY"
Source key in reply direction (in hexadecimal or decimal)
.TP
.BI "--reply-key-dst " "KEY"
Destination key in reply direction (in hexadecimal or decimal)
.SH DIAGNOSTICS
The exit code is 0 for correct function. Errors which appear to be caused by
invalid command line parameters cause an exit code of 2. Any other errors
cause an exit code of 1.
.SH EXAMPLES
.TP
.B conntrack \-L
Show the connection tracking table in /proc/net/ip_conntrack format
.TP
.B conntrack \-L -o extended
Show the connection tracking table in /proc/net/nf_conntrack format
.TP
.B conntrack \-L \-o xml
Show the connection tracking table in XML
.TP
.B conntrack \-L -f ipv6 -o extended
Only dump IPv6 connections in /proc/net/nf_conntrack format
.TP
.B conntrack \-L --src-nat
Show source NAT connections
.TP
.B conntrack \-E \-o timestamp
Show connection events together with the timestamp
.TP
.B conntrack \-D \-s 1.2.3.4
Delete all flows whose source address is 1.2.3.4
.TP
.B conntrack \-U \-s 1.2.3.4 \-m 1
Set the connmark of all flows whose source address is 1.2.3.4 to 1
.SH BUGS
Please, report them to netfilter-devel@vger.kernel.org or file a bug in
Netfilter's bugzilla (https://bugzilla.netfilter.org).
.SH SEE ALSO
.BR iptables (8)
.br
See
.BR "http://conntrack-tools.netfilter.org"
.SH AUTHORS
Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote the kernel-level "ctnetlink" interface that is used by the conntrack tool.
.PP
Pablo Neira Ayuso wrote and maintains the conntrack tool; Harald Welte added support for conntrack-based accounting counters.
.PP
Man page written by Harald Welte <laforge@netfilter.org> and Pablo Neira Ayuso <pablo@netfilter.org>.