.TH CONNTRACK 8 "May 6, 2007" "" ""
.\" Man page written by Harald Welte <laforge@netfilter.org (Jun 2005)
.\" Maintained by Pablo Neira Ayuso <pablo@netfilter.org (May 2007)
.SH NAME
conntrack \- administration tool for netfilter connection tracking
.SH SYNOPSIS
.BR "conntrack -L [table] [-z]"
.br
.BR "conntrack -G [table] parameters"
.br
.BR "conntrack -D [table] parameters"
.br
.BR "conntrack -I [table] parameters"
.br
.BR "conntrack -E [table] parameters"
.br
.BR "conntrack -F [table]"
.SH DESCRIPTION
.B conntrack
is used to search, list, inspect and maintain the netfilter connection tracking
subsystem of the Linux kernel.
.PP
Using
.BR conntrack ,
you can dump a list of all (or a filtered selection of) currently tracked
connections, delete connections from the state table, and even add new ones.
.PP
In addition, you can also monitor connection tracking events, e.g. show an
event message (one line) per newly established connection.
.SH TABLES
The connection tracking subsystem maintains two internal tables:
.TP
.BR "conntrack" :
This is the default table. It contains a list of all currently tracked
connections through the system. If you don't use connection tracking
exemptions (NOTRACK iptables target), this means all connections that go
through the system.
.TP
.BR "expect" :
This is the table of expectations. Connection tracking expectations are the
mechanism used to "expect" RELATED connections to existing ones. Expectations
are generally used by "connection tracking helpers" (sometimes called
application level gateways [ALGs]) for more complex protocols such as FTP,
SIP, H.323.
.SH OPTIONS
The options recognized by
.B conntrack
can be divided into several different groups.
.SS COMMANDS
These options specify the particular operation to perform. Only one of them
can be specified at any given time.
.TP
.BI "-L, --dump "
List the connection tracking or expectation table.
.TP
.BI "-G, --get "
Search for and show a particular (matching) entry in the given table.
.TP
.BI "-D, --delete "
Delete an entry from the given table.
.TP
.BI "-I, --create "
Create a new entry in the given table.
.TP
.BI "-E, --event "
Display a real-time event log.
.TP
.BI "-F, --flush "
Flush the whole given table.
.SS PARAMETERS
.TP
.BI "-z, --zero "
Atomically zero counters after reading them. This option is only valid in
combination with the "-L, --dump" command options.
.TP
.BI "-x, --xml "
Display output in XML format. This option is only valid in combination with
the "-L, --dump", "-E, --event" and "-G, --get" command options.
.TP
.BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
Set the bitmask of events that are to be generated by the in-kernel ctnetlink
event code. Using this parameter, you can reduce the event messages generated
by the kernel to the event types you are actually interested in.
.
This option can only be used in conjunction with "-E, --event".
.SS FILTER PARAMETERS
.TP
.BI "-s, --orig-src " IP_ADDRESS
Match only entries whose source address in the original direction equals the one specified as argument.
.TP
.BI "-d, --orig-dst " IP_ADDRESS
Match only entries whose destination address in the original direction equals the one specified as argument.
.TP
.BI "-r, --reply-src " IP_ADDRESS
Match only entries whose source address in the reply direction equals the one specified as argument.
.TP
.BI "-q, --reply-dst " IP_ADDRESS
Match only entries whose destination address in the reply direction equals the one specified as argument.
.TP
.BI "-p, --proto " "PROTO"
Specify the layer four (TCP, UDP, ...) protocol.
.TP
.BI "-f, --family " "PROTO"
Specify the layer three (ipv4, ipv6) protocol.
This option is only required in conjunction with "-L, --dump". If this option is not passed, the default layer 3 protocol is IPv4.
.TP
.BI "-t, --timeout " "TIMEOUT"
Specify the timeout.
.TP
.BI "-u, --status " "[ASSURED|SEEN_REPLY|UNSET|SRC_NAT|DST_NAT][,...]"
Specify the conntrack status.
.TP
.BI "-i, --id " "ID"
Specify the conntrack ID.
.
This option can only be used in conjunction with "-L, --dump" to display the conntrack IDs.
.TP
.BI "--tuple-src " IP_ADDRESS
Specify the tuple source address of an expectation.
.TP
.BI "--tuple-dst " IP_ADDRESS
Specify the tuple destination address of an expectation.
.TP
.BI "--mask-src " IP_ADDRESS
Specify the source address mask of an expectation.
.TP
.BI "--mask-dst " IP_ADDRESS
Specify the destination address mask of an expectation.
.SH DIAGNOSTICS
The exit code is 0 for correct function. Errors which appear to be caused by
invalid command line parameters cause an exit code of 2. Any other errors
cause an exit code of 1.
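.PP
The "-L, --dump" listing and the exit codes above, used from a script, as an added example that is not part of conntrack-tools: the plain-text line layout of the sample dump and the "[UNREPLIED]" status token are assumptions about this version's output, and the sample itself is constructed, so the summary functions run offline.

```shell
#!/bin/sh
# Added example (not part of conntrack-tools): summarise a "conntrack -L" dump
# and flag original-direction sources that own many UNREPLIED entries, a cheap
# check for half-open connection floods. The line shape parsed below is an
# assumption about the tool's plain-text output; adjust the awk fields if yours differs.

# Constructed sample of "conntrack -L" output (not captured from a real host).
SAMPLE_DUMP='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.20 sport=51514 dport=22 src=10.0.0.20 dst=10.0.0.5 sport=22 dport=51514 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=198.51.100.7 dst=10.0.0.20 sport=40001 dport=80 [UNREPLIED] src=10.0.0.20 dst=198.51.100.7 sport=80 dport=40001 mark=0 use=1
tcp      6 118 SYN_SENT src=198.51.100.7 dst=10.0.0.20 sport=40002 dport=80 [UNREPLIED] src=10.0.0.20 dst=198.51.100.7 sport=80 dport=40002 mark=0 use=1
tcp      6 119 SYN_SENT src=198.51.100.7 dst=10.0.0.20 sport=40003 dport=80 [UNREPLIED] src=10.0.0.20 dst=198.51.100.7 sport=80 dport=40003 mark=0 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=10.0.0.5 sport=53 dport=5353 mark=0 use=1'

# Fetch the live table, mapping the documented exit codes (0 ok, 2 invalid
# command line parameters, 1 any other error) onto a message on stderr.
# Not called by the offline demonstration below.
ct_dump() {
    rc=0
    conntrack -L "$@" || rc=$?
    case $rc in
        0) ;;
        2) echo "conntrack: invalid command line parameters" >&2 ;;
        *) echo "conntrack: failed (exit code $rc)" >&2 ;;
    esac
    return $rc
}

# Count entries per layer four protocol from a dump on stdin, e.g. "tcp 4".
ct_count_by_proto() {
    awk '{ n[$1]++ } END { for (p in n) print p, n[p] }' | sort
}

# Print original-direction sources that own at least $1 UNREPLIED entries.
# The first src= on a line is the original direction; the reply tuple follows.
ct_unreplied_sources() {
    awk -v t="$1" '
        /\[UNREPLIED\]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break }
        }
        END { for (s in n) if (n[s] >= t) print s, n[s] }' | sort
}

printf '%s\n' "$SAMPLE_DUMP" | ct_count_by_proto
printf '%s\n' "$SAMPLE_DUMP" | ct_unreplied_sources 3
```

On a live host, replace the printf pipelines with `ct_dump | ct_unreplied_sources 3` and pick the threshold from what is normal for your traffic.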
.SH BUGS
Bugs? What's this ;-)
.SH SEE ALSO
.BR iptables (8)
.br
See
.BR "http://netfilter.org/" .
.SH AUTHORS
Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira wrote the kernel-level "ctnetlink" interface that is used by the conntrack tool.
.PP
Pablo Neira wrote the conntrack tool, Harald Welte added support for conntrack based accounting counters.
.PP
Man page written by Harald Welte <laforge@netfilter.org> and Pablo Neira Ayuso <pablo@netfilter.org>.