CONNTRACK(8)                                                      CONNTRACK(8)

NAME
       conntrack - command line interface for netfilter connection tracking

SYNOPSIS
       conntrack -L [table] [options] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -U [table] parameters
       conntrack -E [table] [options]
       conntrack -F [table]
       conntrack -C [table]
       conntrack -S

DESCRIPTION
       conntrack provides a full featured userspace interface to the netfilter
       connection tracking system that is intended to replace the old
       /proc/net/ip_conntrack interface. This tool can be used to search,
       list, inspect and maintain the connection tracking subsystem of the
       Linux kernel. Using conntrack, you can dump a list of all (or a
       filtered selection of) currently tracked connections, delete
       connections from the state table, and even add new ones.

       In addition, you can also monitor connection tracking events, e.g. show
       an event message (one line) per newly established connection.

TABLES
       The connection tracking subsystem maintains two internal tables:

       conntrack:
              This is the default table. It contains a list of all currently
              tracked connections through the system. If you don't use
              connection tracking exemptions (NOTRACK iptables target), this
              means all connections that go through the system.

       expect:
              This is the table of expectations. Connection tracking
              expectations are the mechanism used to "expect" RELATED
              connections to existing ones. Expectations are generally used
              by "connection tracking helpers" (sometimes called application
              level gateways [ALGs]) for more complex protocols such as FTP,
              SIP, H.323.

       dying:
              This table shows the conntrack entries that have expired and
              that have been destroyed by the connection tracking system
              itself, or via the conntrack utility.

       unconfirmed:
              This table shows new entries that are not yet inserted into the
              conntrack table. These entries are attached to packets that are
              traversing the stack, but did not reach the confirmation point
              at the postrouting hook.

       The tables "dying" and "unconfirmed" are basically only useful for
       debugging purposes. Under normal operation, it is hard to see entries
       in any of them. There are corner cases where it is valid to see
       entries in the unconfirmed table, e.g. when packets are enqueued via
       nfqueue, and in the dying table, e.g. when conntrackd runs in event
       reliable mode.

OPTIONS
       The options recognized by conntrack can be divided into several
       different groups.

   COMMANDS
       These options specify the particular operation to perform. Only one of
       them can be specified at any given time.

       -L, --dump
              List connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given
              table.

       -D, --delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table.

       -U, --update
              Update an entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table.

       -C, --count
              Show the table counter.

       -S, --stats
              Show the in-kernel connection tracking system statistics.

   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them. This option is
              only valid in combination with the "-L, --dump" command option.

       -o, --output [extended,xml,timestamp,id,ktimestamp,labels]
              Display output in a certain format. With the extended output
              option, this tool displays the layer 3 information. With
              ktimestamp, it displays the in-kernel timestamp available since
              2.6.38 (you can enable it via
              echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp). The
              labels output option tells conntrack to show the names of
              connection tracking labels that might be present.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the
              in-kernel ctnetlink event code. Using this parameter, you can
              reduce the event messages generated by the kernel to those
              types that you are actually interested in. This option can
              only be used in conjunction with "-E, --event".

       -b, --buffer-size value (in bytes)
              Set the Netlink socket buffer size. This option is useful if the
              command line tool reports ENOBUFS errors. If you do not pass
              this option, the default value available at
              /proc/sys/net/core/rmem_default is used. The tool reports this
              problem if your process is too slow to handle all the event
              messages or, in other words, if the number of events is big
              enough to overrun the socket buffer. Note that using a big
              buffer reduces the chances of hitting ENOBUFS; however, this
              results in more memory consumption. This option can only be
              used in conjunction with "-E, --event".

   FILTER PARAMETERS
       -s, --src, --orig-src IP_ADDRESS
              Match only entries whose source address in the original
              direction equals the one specified as argument. Implies
              "--mask-src" when CIDR notation is used.

       -d, --dst, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original
              direction equals the one specified as argument. Implies
              "--mask-dst" when CIDR notation is used.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in the reply direction
              equals the one specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match only entries whose destination address in the reply
              direction equals the one specified as argument.

       -p, --proto PROTO
              Specify layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify layer three (ipv4, ipv6) protocol. This option is only
              required in conjunction with "-L, --dump". If this option is
              not passed, the default layer 3 protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout.

       -m, --mark MARK[/MASK]
              Specify the conntrack mark. Optionally, a mask value can be
              specified. In "--update" mode, this mask specifies the bits
              that should be zeroed before XORing the MARK value into the
              ctmark. Otherwise, the mask is logically ANDed with the
              existing mark before the comparison. In "--create" mode, the
              mask is ignored.

       -l, --label LABEL
              Specify a conntrack label. This option is only available in
              conjunction with "-L, --dump", "-E, --event", "-U --update" or
              "-D --delete". Match entries whose labels match at least those
              specified. Use multiple -l options to specify multiple labels
              that need to be set.

       --label-add LABEL
              Specify the conntrack label to add to the selected conntracks.
              This option is only available in conjunction with
              "-I, --create" or "-U, --update".

       --label-del [LABEL]
              Specify the conntrack label to delete from the selected
              conntracks. If no label is given, all labels are deleted. This
              option is only available in conjunction with "-U, --update".

       -c, --secmark SECMARK
              Specify the conntrack selinux security mark.

       -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]
              Specify the conntrack status.

       -n, --src-nat
              Filter source NAT connections.

       -g, --dst-nat
              Filter destination NAT connections.

       -j, --any-nat
              Filter any NAT connections.

       -w, --zone
              Filter by conntrack zone. See iptables CT target for more
              information.

       --orig-zone
              Filter by conntrack zone in original direction. See iptables CT
              target for more information.

       --reply-zone
              Filter by conntrack zone in reply direction. See iptables CT
              target for more information.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation. Implies
              "--mask-src" when CIDR notation is used.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.
              Implies "--mask-dst" when CIDR notation is used.

       --mask-src IP_ADDRESS
              Specify the source address mask. For conntrack this option is
              only available in conjunction with "-L, --dump", "-E, --event",
              "-U --update" or "-D --delete". For expectations this option is
              only available in conjunction with "-I, --create".

       --mask-dst IP_ADDRESS
              Specify the destination address mask. Same limitations as for
              "--mask-src".

   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | SYN_SENT | SYN_RECV | ESTABLISHED | FIN_WAIT |
       CLOSE_WAIT | LAST_ACK | TIME_WAIT | CLOSE | LISTEN]
              TCP state

       UDP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       ICMP-specific fields:

       --icmp-type TYPE
              ICMP Type. Has to be specified numerically.

       --icmp-code CODE
              ICMP Code. Has to be specified numerically.

       --icmp-id ID
              ICMP Id. Has to be specified numerically (non-mandatory)

       UDPlite-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       SCTP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | CLOSED | COOKIE_WAIT | COOKIE_ECHOED | ESTABLISHED |
       SHUTDOWN_SENT | SHUTDOWN_RECD | SHUTDOWN_ACK_SENT]
              SCTP state

       --orig-vtag value
              Verification tag (32-bit value) in the original direction

       --reply-vtag value
              Verification tag (32-bit value) in the reply direction

       DCCP-specific fields (needs Linux >= 2.6.30):

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | REQUEST | RESPOND | PARTOPEN | OPEN | CLOSEREQ |
       CLOSING | TIMEWAIT]
              DCCP state

       --role [client | server]
              Role that the original conntrack tuple is tracking

       GRE-specific fields:

       --srckey, --orig-key-src KEY
              Source key in original direction (in hexadecimal or decimal)

       --dstkey, --orig-key-dst KEY
              Destination key in original direction (in hexadecimal or
              decimal)

       --reply-key-src KEY
              Source key in reply direction (in hexadecimal or decimal)

       --reply-key-dst KEY
              Destination key in reply direction (in hexadecimal or decimal)

DIAGNOSTICS
       The exit code is 0 for correct function. Errors which appear to be
       caused by invalid command line parameters cause an exit code of 2.
       Any other errors cause an exit code of 1.

EXAMPLES
       conntrack -L
              Show the connection tracking table in /proc/net/ip_conntrack
              format

       conntrack -L -o extended
              Show the connection tracking table in /proc/net/nf_conntrack
              format

       conntrack -L -o xml
              Show the connection tracking table in XML

       conntrack -L -f ipv6 -o extended
              Only dump IPv6 connections in /proc/net/nf_conntrack format

       conntrack -L --src-nat
              Show source NAT connections

       conntrack -E -o timestamp
              Show connection events together with the timestamp

       conntrack -D -s 1.2.3.4
              Delete all flows whose source address is 1.2.3.4

       conntrack -U -s 1.2.3.4 -m 1
              Set connmark to 1 on all the flows whose source address is
              1.2.3.4

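       The following is an added example, not part of conntrack-tools or
       this man page: a POSIX sh/awk helper that summarises a saved
       "conntrack -L" dump offline, the way a responder triages a host's
       state table. It counts flows per protocol and TCP state and flags
       flows whose original source address differs from the reply
       destination, which is the property "conntrack -L --src-nat" selects
       in the kernel. It assumes the default (non-extended) dump format;
       the dump text, the function names and the addresses are constructed.

```shell
#!/bin/sh
# Added example (not from conntrack-tools): offline summary of a saved
# "conntrack -L" dump in the default (non-extended) format.
# Constructed sample dump; on a real host use: conntrack -L > dump.txt
SAMPLE_DUMP='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=198.51.100.7 dst=203.0.113.5 sport=40001 dport=22 [UNREPLIED] src=203.0.113.5 dst=198.51.100.7 sport=22 dport=40001 mark=0 use=1
tcp      6 117 SYN_SENT src=198.51.100.7 dst=203.0.113.5 sport=40002 dport=23 [UNREPLIED] src=203.0.113.5 dst=198.51.100.7 sport=23 dport=40002 mark=0 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=53211 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=53211 mark=0 use=1'

# conntrack_summary: read a dump on stdin; print one "proto state count"
# line per protocol/state pair (state is "-" for stateless protocols such
# as UDP), then "snat N" for flows whose original source address differs
# from the reply destination address, i.e. source-NATed flows.
conntrack_summary() {
    awk '
    {
        proto = $1
        # tcp/sctp/dccp lines carry an upper-case state word after the timeout
        state = ($4 ~ /^[A-Z_]+$/) ? $4 : "-"
        osrc = ""; rdst = ""; nsrc = 0; ndst = 0
        for (i = 1; i <= NF; i++) {
            # first src= belongs to the original tuple, second dst= to the reply
            if ($i ~ /^src=/ && nsrc++ == 0) osrc = substr($i, 5)
            if ($i ~ /^dst=/ && ndst++ == 1) rdst = substr($i, 5)
        }
        count[proto " " state]++
        if (osrc != rdst) snat++
    }
    END {
        for (k in count) print k, count[k] | "sort"
        close("sort")
        print "snat", snat + 0
    }'
}

# summary_field KEY: the count for one summary line, e.g. "tcp SYN_SENT"
# or "snat", computed over the constructed sample.
summary_field() {
    printf '%s\n' "$SAMPLE_DUMP" | conntrack_summary |
        awk -v k="$1" 'index($0, k " ") == 1 { print $NF }'
}

# Stand-alone use: print the whole summary of the sample.
printf '%s\n' "$SAMPLE_DUMP" | conntrack_summary
```

       A growing count of SYN_SENT entries with [UNREPLIED] from one
       source is the kind of signal this summary makes visible at a glance.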
BUGS
       Please, report them to netfilter-devel@vger.kernel.org or file a bug in
       Netfilter's bugzilla (https://bugzilla.netfilter.org).

SEE ALSO
       iptables(8)
       See http://conntrack-tools.netfilter.org

AUTHORS
       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote
       the kernel-level "ctnetlink" interface that is used by the conntrack
       tool.

       Pablo Neira Ayuso wrote and maintains the conntrack tool, Harald Welte
       added support for conntrack based accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org> and Pablo
       Neira Ayuso <pablo@netfilter.org>.

                                 Aug 24, 2015                     CONNTRACK(8)