CONNTRACK(8)                                                      CONNTRACK(8)

NAME
       conntrack - command line interface for netfilter connection tracking

SYNOPSIS
       conntrack -L [table] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -U [table] parameters
       conntrack -E [table] parameters
       conntrack -F [table]
       conntrack -C [table]
       conntrack -S

DESCRIPTION
       conntrack provides a full featured userspace interface to the netfilter
       connection tracking system that is intended to replace the old
       /proc/net/ip_conntrack interface. This tool can be used to search,
       list, inspect and maintain the connection tracking subsystem of the
       Linux kernel. Using conntrack, you can dump a list of all (or a
       filtered selection of) currently tracked connections, delete
       connections from the state table, and even add new ones. The tool
       talks to the kernel over nfnetlink, which requires the CAP_NET_ADMIN
       capability, so it is normally run as root.

       In addition, you can also monitor connection tracking events, e.g. show
       an event message (one line) per newly established connection.

TABLES
       The connection tracking subsystem maintains two internal tables:

       conntrack:
              This is the default table. It contains a list of all currently
              tracked connections through the system. If you don't use
              connection tracking exemptions (NOTRACK iptables target), this
              means all connections that go through the system.

       expect:
              This is the table of expectations. Connection tracking
              expectations are the mechanism used to "expect" RELATED
              connections to existing ones. Expectations are generally used
              by "connection tracking helpers" (sometimes called application
              level gateways [ALGs]) for more complex protocols such as FTP,
              SIP, H.323.

OPTIONS
       The options recognized by conntrack can be divided into several
       different groups.

   COMMANDS
       These options specify the particular operation to perform. Only one of
       them can be specified at any given time.

       -L, --dump
              List the connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given
              table.

       -D, --delete
              Delete an entry (or every entry matching the filter
              parameters) from the given table.

       -I, --create
              Create a new entry in the given table.

       -U, --update
              Update an entry (or every entry matching the filter
              parameters) in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table. This discards the kernel's state
              for every tracked flow at once; packets of existing
              connections are then re-evaluated by any rules that match on
              conntrack state.

       -C, --count
              Show the table counter.

       -S, --stats
              Show the in-kernel connection tracking system statistics.

   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them. This option is
              only valid in combination with the "-L, --dump" command option.

       -o, --output [extended,xml,timestamp,id]
              Display output in a certain format.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the
              in-kernel ctnetlink event code. Using this parameter, you can
              reduce the event messages generated by the kernel to those
              types that you are actually interested in. This option can
              only be used in conjunction with "-E, --event".

       -b, --buffer-size value (in bytes)
              Set the Netlink socket buffer size. This option is useful if
              the command line tool reports ENOBUFS errors. If you do not
              pass this option, the default value available at
              /proc/sys/net/core/rmem_default is used. The tool reports
              this problem if your process is too slow to handle all the
              event messages or, in other words, if the amount of events is
              big enough to overrun the socket buffer. Note that using a big
              buffer reduces the chances to hit ENOBUFS; however, this
              results in more memory consumption. This option can only be
              used in conjunction with "-E, --event".

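       The following script is an added example and is not part of
       conntrack-tools. It is a minimal consumer for the output of
       "conntrack -E -o timestamp": it keeps only [NEW] events (the same
       selection that "-e NEW" would make in the kernel), counts new flows
       per original-direction source address, and flags sources that open
       many flows, a first cut at spotting scans or SYN floods from the
       event stream. The event lines it reads are constructed for the
       example, not captured from a live system, and the exact column
       spacing of real event output is an assumption; the addresses and
       thresholds are placeholders.

```shell
#!/bin/sh
# Added example (not part of conntrack-tools): count [NEW] conntrack events
# per original source address from "conntrack -E -o timestamp" output and
# report sources that exceed a threshold.
# The event lines below are constructed for this example; they were not
# captured from a live system and the column spacing is an assumption.

sample_events() {
cat <<'EOF'
[1239451200.000100]     [NEW] tcp      6 120 SYN_SENT src=10.0.0.7 dst=203.0.113.5 sport=40000 dport=22 [UNREPLIED] src=203.0.113.5 dst=10.0.0.7 sport=22 dport=40000
[1239451200.000250]     [NEW] tcp      6 120 SYN_SENT src=10.0.0.7 dst=203.0.113.5 sport=40001 dport=23 [UNREPLIED] src=203.0.113.5 dst=10.0.0.7 sport=23 dport=40001
[1239451200.000400]     [NEW] tcp      6 120 SYN_SENT src=10.0.0.7 dst=203.0.113.5 sport=40002 dport=25 [UNREPLIED] src=203.0.113.5 dst=10.0.0.7 sport=25 dport=40002
[1239451200.000550]     [NEW] tcp      6 120 SYN_SENT src=10.0.0.7 dst=203.0.113.5 sport=40003 dport=80 [UNREPLIED] src=203.0.113.5 dst=10.0.0.7 sport=80 dport=40003
[1239451201.100000]     [NEW] udp      17 30 src=10.0.0.9 dst=10.0.0.1 sport=5000 dport=53 [UNREPLIED] src=10.0.0.1 dst=10.0.0.9 sport=53 dport=5000
[1239451201.200000]  [UPDATE] tcp      6 60 SYN_RECV src=10.0.0.9 dst=203.0.113.5 sport=41000 dport=443 src=203.0.113.5 dst=10.0.0.9 sport=443 dport=41000
[1239451201.300000] [DESTROY] tcp      6 src=10.0.0.7 dst=203.0.113.5 sport=40000 dport=22 [UNREPLIED] src=203.0.113.5 dst=10.0.0.7 sport=22 dport=40000
EOF
}

# new_flows_per_src: read event lines on stdin, keep only [NEW] events
# (what "-e NEW" would select in the kernel) and print "COUNT SRC SECONDS"
# per original source, most active first. SECONDS is the time between that
# source's first and last new flow in the input.
new_flows_per_src() {
    awk '
        $2 == "[NEW]" {
            ts = substr($1, 2, length($1) - 2)   # strip the [ ] around the timestamp
            for (i = 3; i <= NF; i++)            # first src= is the original direction
                if ($i ~ /^src=/) { s = substr($i, 5); break }
            c[s]++
            if (!(s in first)) first[s] = ts
            last[s] = ts
        }
        END { for (s in c) printf "%d %s %.6f\n", c[s], s, last[s] - first[s] }
    ' | sort -rn
}

# burst_sources THRESHOLD: sources with more than THRESHOLD new flows in the
# sample. On a live system feed the kernel stream in instead:
#   conntrack -E -e NEW -o timestamp | new_flows_per_src
burst_sources() {
    sample_events | new_flows_per_src | awk -v t="$1" '$1 > t { print $2 }'
}
```

       Selecting NEW in the parser is the costly way round: with "-e NEW"
       the kernel never generates the UPDATE and DESTROY messages at all,
       which is also what keeps a slow consumer from hitting ENOBUFS.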
   FILTER PARAMETERS
       The original direction of an entry is that of the packet that created
       it; the reply direction is the reverse tuple. Without NAT the reply
       tuple is simply the mirror image of the original one, so the two only
       differ for connections that were source or destination NATed.

       -s, --orig-src IP_ADDRESS
              Match only entries whose source address in the original
              direction equals the one specified as argument.

       -d, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original
              direction equals the one specified as argument.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in the reply direction
              equals the one specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match only entries whose destination address in the reply
              direction equals the one specified as argument.

       -p, --proto PROTO
              Specify the layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify the layer three (ipv4, ipv6) protocol. This option is
              only required in conjunction with "-L, --dump". If this option
              is not passed, the default layer 3 protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout.

       -m, --mark MARK
              Specify the conntrack mark.

       -c, --secmark SECMARK
              Specify the conntrack SELinux security mark.

       -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]
              Specify the conntrack status.

       -n, --src-nat
              Filter source NAT connections.

       -g, --dst-nat
              Filter destination NAT connections.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.

       --mask-src IP_ADDRESS
              Specify the source address mask of an expectation.

       --mask-dst IP_ADDRESS
              Specify the destination address mask of an expectation.

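       The script below is an added example and is not part of
       conntrack-tools. It classifies the lines of a "conntrack -L" dump as
       source NAT, destination NAT, both or none by comparing the original
       and reply tuples, which is the comparison that "--src-nat" and
       "--dst-nat" let the kernel make for you. The dump it reads is
       constructed for the example, not captured from a live system; it
       assumes a gateway 203.0.113.5 that masquerades 10.0.0.0/24 and
       forwards 203.0.113.5:8080 to 10.0.0.20:80, and all addresses are
       placeholders.

```shell
#!/bin/sh
# Added example (not part of conntrack-tools): classify "conntrack -L"
# entries by NAT type from their original and reply tuples.
# The dump below is constructed for this example, not captured from a live
# system. Assumed topology: gateway 203.0.113.5 masquerades 10.0.0.0/24 and
# forwards 203.0.113.5:8080 to 10.0.0.20:80.

sample_dump() {
cat <<'EOF'
tcp      6 431999 ESTABLISHED src=10.0.0.10 dst=198.51.100.7 sport=52344 dport=443 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=52344 [ASSURED] mark=0 use=1
tcp      6 54 SYN_SENT src=198.51.100.9 dst=203.0.113.5 sport=40001 dport=8080 [UNREPLIED] src=10.0.0.20 dst=198.51.100.9 sport=80 dport=40001 mark=0 use=1
udp      17 29 src=10.0.0.10 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.10 sport=53 dport=5353 mark=0 use=1
icmp     1 29 src=10.0.0.11 dst=192.0.2.1 type=8 code=0 id=4242 src=192.0.2.1 dst=203.0.113.5 type=0 code=0 id=4242 mark=0 use=1
EOF
}

# nat_kind LINE: print snat, dnat, snat+dnat or none for one dump line.
# The first src=/dst= pair is the original tuple (-s/-d), the second the
# reply tuple (-r/-q). Without NAT the reply tuple mirrors the original,
# so SNAT shows as reply dst != original src and DNAT as reply src !=
# original dst. Both at once is the hairpin / double-NAT case.
nat_kind() {
    printf '%s\n' "$1" | awk '{
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)      { n++; src[n] = substr($i, 5) }
            else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
        }
        snat = (dst[2] != src[1]); dnat = (src[2] != dst[1])
        if (snat && dnat) print "snat+dnat"
        else if (snat)    print "snat"
        else if (dnat)    print "dnat"
        else              print "none"
    }'
}

# count_nat KIND: number of flows of the given NAT kind in the sample dump.
count_nat() {
    n=0
    while IFS= read -r line; do
        if [ "$(nat_kind "$line")" = "$1" ]; then n=$((n + 1)); fi
    done <<EOF
$(sample_dump)
EOF
    echo "$n"
}

# On a live system, tag each entry of the real table instead:
#   conntrack -L 2>/dev/null | while IFS= read -r l; do
#       printf '%s %s\n' "$(nat_kind "$l")" "$l"; done
```

       Parsing the dump this way is only worthwhile when you need
       something the kernel filter does not offer, such as the combined
       snat+dnat class; for plain listing, "conntrack -L --src-nat" and
       "conntrack -L --dst-nat" are cheaper because the kernel never sends
       the non-matching entries to userspace.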
   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | SYN_SENT | SYN_RECV | ESTABLISHED | FIN_WAIT |
       CLOSE_WAIT | LAST_ACK | TIME_WAIT | CLOSE | LISTEN]
              TCP state

       UDP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       ICMP-specific fields:

       --icmp-type TYPE
              ICMP Type. Has to be specified numerically.

       --icmp-code CODE
              ICMP Code. Has to be specified numerically.

       --icmp-id ID
              ICMP Id. Has to be specified numerically (non-mandatory)

       UDPlite-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       SCTP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | CLOSED | COOKIE_WAIT | COOKIE_ECHOED | ESTABLISHED |
       SHUTDOWN_SENT | SHUTDOWN_RECD | SHUTDOWN_ACK_SENT]
              SCTP state

       --orig-vtag value
              Verification tag (32-bit value) in the original direction

       --reply-vtag value
              Verification tag (32-bit value) in the reply direction

       DCCP-specific fields (needs Linux >= 2.6.30):

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | REQUEST | RESPOND | PARTOPEN | OPEN | CLOSEREQ |
       CLOSING | TIMEWAIT]
              DCCP state

       --role [client | server]
              Role that the original conntrack tuple is tracking

       GRE-specific fields:

       --srckey, --orig-key-src KEY
              Source key in original direction (in hexadecimal or decimal)

       --dstkey, --orig-key-dst KEY
              Destination key in original direction (in hexadecimal or
              decimal)

       --reply-key-src KEY
              Source key in reply direction (in hexadecimal or decimal)

       --reply-key-dst KEY
              Destination key in reply direction (in hexadecimal or decimal)

DIAGNOSTICS
       The exit code is 0 for correct function. Errors which appear to be
       caused by invalid command line parameters cause an exit code of 2.
       Any other errors cause an exit code of 1.

EXAMPLES
       conntrack -L
              Show the connection tracking table in /proc/net/ip_conntrack
              format

       conntrack -L -o extended
              Show the connection tracking table in /proc/net/nf_conntrack
              format

       conntrack -L -o xml
              Show the connection tracking table in XML

       conntrack -L -f ipv6 -o extended
              Only dump IPv6 connections in /proc/net/nf_conntrack format

       conntrack -L --src-nat
              Show source NAT connections

       conntrack -E -o timestamp
              Show connection events together with the timestamp

       conntrack -D -s 1.2.3.4
              Delete all flows whose source address is 1.2.3.4

       conntrack -U -s 1.2.3.4 -m 1
              Set the connmark to 1 on all flows whose source address is
              1.2.3.4

BUGS
       Please report them to netfilter-devel@vger.kernel.org or file a bug in
       Netfilter's bugzilla (https://bugzilla.netfilter.org).

SEE ALSO
       iptables(8)
       See http://conntrack-tools.netfilter.org

AUTHORS
       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote
       the kernel-level "ctnetlink" interface that is used by the conntrack
       tool.

       Pablo Neira Ayuso wrote and maintains the conntrack tool; Harald Welte
       added support for conntrack based accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org> and Pablo
       Neira Ayuso <pablo@netfilter.org>.



                                 Apr 11, 2009                     CONNTRACK(8)