CONNTRACK(8)                                                      CONNTRACK(8)


NAME

       conntrack - command line interface for netfilter connection tracking


SYNOPSIS

       conntrack -L [table] [options] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -U [table] parameters
       conntrack -E [table] [options]
       conntrack -F [table]
       conntrack -C [table]
       conntrack -S


DESCRIPTION

       conntrack provides a full featured userspace interface to the netfilter
       connection tracking system that is intended to replace the old
       /proc/net/ip_conntrack interface.  This tool can be used to search,
       list, inspect and maintain the connection tracking subsystem of the
       Linux kernel.  Using conntrack, you can dump a list of all (or a
       filtered selection of) currently tracked connections, delete
       connections from the state table, and even add new ones.

       In addition, you can also monitor connection tracking events, e.g. show
       an event message (one line) per newly established connection.


TABLES

       The connection tracking subsystem maintains two internal tables:

       conntrack:
              This is the default table.  It contains a list of all currently
              tracked connections through the system.  If you don't use
              connection tracking exemptions (NOTRACK iptables target), this
              means all connections that go through the system.

       expect:
              This is the table of expectations.  Connection tracking
              expectations are the mechanism used to "expect" RELATED
              connections to existing ones.  Expectations are generally used
              by "connection tracking helpers" (sometimes called application
              level gateways [ALGs]) for more complex protocols such as FTP,
              SIP, H.323.

       dying: This table shows the conntrack entries that have expired and
              that have been destroyed by the connection tracking system
              itself, or via the conntrack utility.

       unconfirmed:
              This table shows new entries that are not yet inserted into the
              conntrack table.  These entries are attached to packets that are
              traversing the stack, but did not reach the confirmation point
              at the postrouting hook.

       The tables "dying" and "unconfirmed" are basically only useful for
       debugging purposes.  Under normal operation, it is hard to see entries
       in any of them.  There are corner cases where it is valid to see
       entries in the unconfirmed table, e.g. when packets are enqueued via
       nfqueue, and in the dying table, e.g. when conntrackd runs in event
       reliable mode.


OPTIONS

       The options recognized by conntrack can be divided into several
       different groups.

   COMMANDS
       These options specify the particular operation to perform.  Only one of
       them can be specified at any given time.

       -L, --dump
              List connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given
              table.

       -D, --delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table.

       -U, --update
              Update an entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table.

       -C, --count
              Show the table counter.

       -S, --stats
              Show the in-kernel connection tracking system statistics.

   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them.  This option is
              only valid in combination with the "-L, --dump" command option.

       -o, --output [extended,xml,timestamp,id,ktimestamp,labels]
              Display output in a certain format.  With the extended output
              option, this tool displays the layer 3 information.  With
              ktimestamp, it displays the in-kernel timestamp available since
              2.6.38 (you can enable it via echo 1 >
              /proc/sys/net/netfilter/nf_conntrack_timestamp).  The labels
              output option tells conntrack to show the names of connection
              tracking labels that might be present.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the in-
              kernel ctnetlink event code.  Using this parameter, you can
              reduce the event messages generated by the kernel to those types
              that you are actually interested in.  This option can only be
              used in conjunction with "-E, --event".

       -b, --buffer-size value (in bytes)
              Set the Netlink socket buffer size.  This option is useful if
              the command line tool reports ENOBUFS errors.  If you do not
              pass this option, the default value available at
              /proc/sys/net/core/rmem_default is used.  The tool reports this
              problem if your process is too slow to handle all the event
              messages or, in other words, if the number of events is big
              enough to overrun the socket buffer.  Note that using a big
              buffer reduces the chances of hitting ENOBUFS; however, it also
              consumes more memory.  This option can only be used in
              conjunction with "-E, --event".

   FILTER PARAMETERS
       -s, --src, --orig-src IP_ADDRESS
              Match only entries whose source address in the original
              direction equals the one specified as argument.  Implies
              "--mask-src" when CIDR notation is used.

       -d, --dst, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original
              direction equals the one specified as argument.  Implies
              "--mask-dst" when CIDR notation is used.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in the reply direction
              equals the one specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match only entries whose destination address in the reply
              direction equals the one specified as argument.

       -p, --proto PROTO
              Specify layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify layer three (ipv4, ipv6) protocol.  This option is only
              required in conjunction with "-L, --dump".  If this option is
              not passed, the default layer 3 protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout.

       -m, --mark MARK[/MASK]
              Specify the conntrack mark.  Optionally, a mask value can be
              specified.  In "--update" mode, this mask specifies the bits
              that should be zeroed before XORing the MARK value into the
              ctmark.  Otherwise, the mask is logically ANDed with the
              existing mark before the comparison.  In "--create" mode, the
              mask is ignored.

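       The two meanings of MASK above are easy to confuse, so the arithmetic
       is written out here as an added Python example; it is not conntrack's
       own code.  It assumes that an omitted mask means all 32 bits, which is
       what makes "-m 1" in --update mode set the whole mark to 1 as in the
       EXAMPLES section, and that MARK and MASK accept decimal or 0x-prefixed
       hexadecimal as on the command line.

```python
MARK_BITS = 0xffffffff  # ctmark is a 32-bit value


def parse_mark(spec):
    """Parse "MARK" or "MARK/MASK". Assumption: an omitted mask is all ones,
    and both fields accept decimal or 0x hexadecimal."""
    mark, sep, mask = spec.partition("/")
    mark_val = int(mark, 0)
    mask_val = int(mask, 0) if sep else MARK_BITS
    if not (0 <= mark_val <= MARK_BITS and 0 <= mask_val <= MARK_BITS):
        raise ValueError("mark and mask must fit in 32 bits: %r" % spec)
    return mark_val, mask_val


def mark_matches(ctmark, spec):
    """Filter mode (-L, -D, -E, ...): the mask is ANDed with the existing
    mark, and the result is compared with MARK."""
    mark, mask = parse_mark(spec)
    return (ctmark & mask) == mark


def update_mark(ctmark, spec):
    """--update mode: the mask names the bits to zero first, then MARK is
    XORed in. With the default all-ones mask the old value disappears
    entirely, so the entry simply takes the new MARK."""
    mark, mask = parse_mark(spec)
    return ((ctmark & ~mask) ^ mark) & MARK_BITS


def create_mark(spec):
    """--create mode: the mask is ignored; the new entry starts with MARK."""
    mark, _mask = parse_mark(spec)
    return mark


if __name__ == "__main__":
    # "-m 1" on an entry that currently carries 0x12345678 (constructed value)
    print(hex(update_mark(0x12345678, "1")))
    # Only touch bits 4 and 5: 0x25 -> 0x15, and the update is idempotent
    print(hex(update_mark(0x25, "0x10/0x30")), hex(update_mark(0x15, "0x10/0x30")))
    # The same spec used as a filter: 0x15 matches, 0x35 does not
    print(mark_matches(0x15, "0x10/0x30"), mark_matches(0x35, "0x10/0x30"))
```

       Note that the same MARK/MASK string selects a different set of bits
       depending on the command it is given to: as a filter, MASK picks the
       bits that must equal MARK; under --update, MASK picks the bits that are
       cleared before MARK is XORed in.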
       -l, --label LABEL
              Specify a conntrack label.  This option is only available in
              conjunction with "-L, --dump", "-E, --event", "-U, --update" or
              "-D, --delete".  Match entries whose labels match at least those
              specified.  Use multiple -l options to specify multiple labels
              that need to be set.

       --label-add LABEL
              Specify the conntrack label to add to the selected conntracks.
              This option is only available in conjunction with "-I, --create"
              or "-U, --update".

       --label-del [LABEL]
              Specify the conntrack label to delete from the selected
              conntracks.  If no label is given, all labels are deleted.  This
              option is only available in conjunction with "-U, --update".

       -c, --secmark SECMARK
              Specify the conntrack selinux security mark.

       -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]
              Specify the conntrack status.

       -n, --src-nat
              Filter source NAT connections.

       -g, --dst-nat
              Filter destination NAT connections.

       -j, --any-nat
              Filter any NAT connections.

       -w, --zone
              Filter by conntrack zone.  See iptables CT target for more
              information.

       --orig-zone
              Filter by conntrack zone in original direction.  See iptables CT
              target for more information.

       --reply-zone
              Filter by conntrack zone in reply direction.  See iptables CT
              target for more information.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation.  Implies
              "--mask-src" when CIDR notation is used.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.
              Implies "--mask-dst" when CIDR notation is used.

       --mask-src IP_ADDRESS
              Specify the source address mask.  For conntrack this option is
              only available in conjunction with "-L, --dump", "-E, --event",
              "-U, --update" or "-D, --delete".  For expectations this option
              is only available in conjunction with "-I, --create".

       --mask-dst IP_ADDRESS
              Specify the destination address mask.  Same limitations as for
              "--mask-src".

   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | SYN_SENT | SYN_RECV | ESTABLISHED | FIN_WAIT |
       CLOSE_WAIT | LAST_ACK | TIME_WAIT | CLOSE | LISTEN]
              TCP state

       UDP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       ICMP-specific fields:

       --icmp-type TYPE
              ICMP Type.  Has to be specified numerically.

       --icmp-code CODE
              ICMP Code.  Has to be specified numerically.

       --icmp-id ID
              ICMP Id.  Has to be specified numerically (non-mandatory)

       UDPlite-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       SCTP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | CLOSED | COOKIE_WAIT | COOKIE_ECHOED | ESTABLISHED |
       SHUTDOWN_SENT | SHUTDOWN_RECD | SHUTDOWN_ACK_SENT]
              SCTP state

       --orig-vtag value
              Verification tag (32-bit value) in the original direction

       --reply-vtag value
              Verification tag (32-bit value) in the reply direction

       DCCP-specific fields (needs Linux >= 2.6.30):

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | REQUEST | RESPOND | PARTOPEN | OPEN | CLOSEREQ |
       CLOSING | TIMEWAIT]
              DCCP state

       --role [client | server]
              Role that the original conntrack tuple is tracking

       GRE-specific fields:

       --srckey, --orig-key-src KEY
              Source key in original direction (in hexadecimal or decimal)

       --dstkey, --orig-key-dst KEY
              Destination key in original direction (in hexadecimal or
              decimal)

       --reply-key-src KEY
              Source key in reply direction (in hexadecimal or decimal)

       --reply-key-dst KEY
              Destination key in reply direction (in hexadecimal or decimal)


DIAGNOSTICS

       The exit code is 0 for correct function.  Errors which appear to be
       caused by invalid command line parameters cause an exit code of 2.  Any
       other errors cause an exit code of 1.


EXAMPLES

       conntrack -L
              Show the connection tracking table in /proc/net/ip_conntrack
              format

       conntrack -L -o extended
              Show the connection tracking table in /proc/net/nf_conntrack
              format

       conntrack -L -o xml
              Show the connection tracking table in XML

       conntrack -L -f ipv6 -o extended
              Only dump IPv6 connections in /proc/net/nf_conntrack format

       conntrack -L --src-nat
              Show source NAT connections

       conntrack -E -o timestamp
              Show connection events together with the timestamp

       conntrack -D -s 1.2.3.4
              Delete all flows whose source address is 1.2.3.4

       conntrack -U -s 1.2.3.4 -m 1
              Set the connmark of all flows whose source address is 1.2.3.4
              to 1

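       The lines printed by "conntrack -L" (and, prefixed with [NEW],
       [UPDATE] or [DESTROY] and an optional [timestamp], by "conntrack -E")
       are easy to post-process once captured.  The following Python is an
       added example, not part of this man page or of the conntrack tool: it
       parses such lines from a constructed sample dump, reproduces the
       selection that "-p", "-s", "-u", "--src-nat", "--dst-nat" and
       "--any-nat" perform, and counts UNREPLIED SYN_SENT flows per source
       host, a cheap indicator of a host opening many half-open connections.
       It assumes the default and "-o extended" line shapes shown in the
       sample, and recognises NAT by comparing the original and reply tuples,
       since the text dump does not print the kernel's NAT status bits.

```python
import re
from collections import Counter

# Constructed sample of `conntrack -L` output (default and `-o extended`
# shapes); made-up addresses, not a capture from a real host.
SAMPLE_DUMP = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=52344 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=52344 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=51000 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=51000 mark=0 use=1
tcp      6 118 SYN_SENT src=192.168.1.77 dst=10.0.0.9 sport=40000 dport=22 [UNREPLIED] src=10.0.0.9 dst=192.168.1.77 sport=22 dport=40000 mark=0 use=1
tcp      6 119 SYN_SENT src=192.168.1.77 dst=10.0.0.9 sport=40001 dport=23 [UNREPLIED] src=10.0.0.9 dst=192.168.1.77 sport=23 dport=40001 mark=0 use=1
tcp      6 119 SYN_SENT src=192.168.1.77 dst=10.0.0.9 sport=40002 dport=25 [UNREPLIED] src=10.0.0.9 dst=192.168.1.77 sport=25 dport=40002 mark=0 use=1
ipv4     2 tcp      6 300 ESTABLISHED src=198.51.100.20 dst=203.0.113.5 sport=55000 dport=80 src=10.0.0.80 dst=198.51.100.20 sport=8080 dport=55000 [ASSURED] mark=0 use=1
"""

EVENT_TYPES = {"[NEW]", "[UPDATE]", "[DESTROY]"}
TIMESTAMP_RE = re.compile(r"^\[\d+\.\d+\]$")
# Keys that belong to a tuple; everything else (mark=, use=, ...) is entry-level.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id", "packets", "bytes"}


def parse_entry(line):
    """Parse one -L dump line or -E event line into original/reply tuples,
    protocol state, bracketed flags and remaining attributes."""
    tokens = line.split()
    entry = {"event": None, "timestamp": None, "family": None, "timeout": None,
             "state": None, "flags": [], "orig": {}, "reply": {}, "attrs": {}}
    # `-E -o timestamp` prefixes "[secs.usecs]" and the event type.
    while tokens and (tokens[0] in EVENT_TYPES or TIMESTAMP_RE.match(tokens[0])):
        tok = tokens.pop(0)
        if tok in EVENT_TYPES:
            entry["event"] = tok[1:-1]
        else:
            entry["timestamp"] = float(tok[1:-1])
    if tokens[0] in ("ipv4", "ipv6"):           # `-o extended` layer-3 prefix
        entry["family"] = tokens.pop(0)
        tokens.pop(0)                           # numeric family id
    entry["proto"] = tokens.pop(0)
    entry["proto_num"] = int(tokens.pop(0))
    if tokens and tokens[0].isdigit():          # timeout; tolerate its absence
        entry["timeout"] = int(tokens.pop(0))
    if tokens and "=" not in tokens[0] and not tokens[0].startswith("["):
        entry["state"] = tokens.pop(0)          # ESTABLISHED, SYN_SENT, ...
    current = entry["orig"]
    for tok in tokens:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])    # ASSURED, UNREPLIED, ...
            continue
        key, _, value = tok.partition("=")
        if key not in TUPLE_KEYS:
            entry["attrs"][key] = value
            continue
        if key in current and current is entry["orig"]:
            current = entry["reply"]            # repeated key starts the reply tuple
        current[key] = value
    return entry


def parse_dump(text):
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def nat_kind(entry):
    """Reconstruct what --src-nat / --dst-nat select. Assumption: the dump
    does not print NAT status bits, so SNAT is inferred when the original
    source differs from the reply destination, DNAT when the original
    destination differs from the reply source."""
    orig, reply = entry["orig"], entry["reply"]
    kinds = set()
    if (orig.get("src"), orig.get("sport")) != (reply.get("dst"), reply.get("dport")):
        kinds.add("src-nat")
    if (orig.get("dst"), orig.get("dport")) != (reply.get("src"), reply.get("sport")):
        kinds.add("dst-nat")
    return kinds


def select_entries(entries, proto=None, src=None, status=None, nat=None):
    """Mirror the -p, -s, -u and --*-nat filters over a captured dump;
    nat is one of "src-nat", "dst-nat" or "any"."""
    out = []
    for e in entries:
        if proto and e["proto"] != proto:
            continue
        if src and e["orig"].get("src") != src:
            continue
        if status and status not in e["flags"]:
            continue
        if nat == "any" and not nat_kind(e):
            continue
        if nat in ("src-nat", "dst-nat") and nat not in nat_kind(e):
            continue
        out.append(e)
    return out


def unreplied_syn_by_source(entries):
    """Half-open TCP flows per original source host."""
    return Counter(e["orig"]["src"] for e in entries
                   if e["proto"] == "tcp" and e["state"] == "SYN_SENT"
                   and "UNREPLIED" in e["flags"])


if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    for e in select_entries(entries, nat="any"):
        print(sorted(nat_kind(e)), e["orig"], "->", e["reply"])
    print(unreplied_syn_by_source(entries))
```

       On a live system the same functions can be fed the output of
       "conntrack -L" or "conntrack -E -o timestamp" read from a pipe; the
       per-source count of UNREPLIED flows is the kind of figure worth
       alerting on when it climbs far above the host's normal baseline.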

BUGS

       Please report them to netfilter-devel@vger.kernel.org or file a bug in
       Netfilter's bugzilla (https://bugzilla.netfilter.org).


SEE ALSO

       iptables(8)
       See http://conntrack-tools.netfilter.org


AUTHORS

       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote
       the kernel-level "ctnetlink" interface that is used by the conntrack
       tool.

       Pablo Neira Ayuso wrote and maintains the conntrack tool; Harald Welte
       added support for conntrack based accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org> and Pablo
       Neira Ayuso <pablo@netfilter.org>.



                                 Aug 24, 2015                     CONNTRACK(8)