ct action in tc(8)                    Linux                    ct action in tc(8)

NAME
       ct - tc connection tracking action

SYNOPSIS
       tc ... action ct commit [ force ] [ zone ZONE ] [ mark MASKED_MARK ]
               [ label MASKED_LABEL ] [ nat NAT_SPEC ]

       tc ... action ct [ nat ] [ zone ZONE ]

       tc ... action ct clear

DESCRIPTION
       The ct action is a tc action for sending packets to, and interacting
       with, the netfilter conntrack module.

       It can (as shown in the synopsis, in order):

       Send the packet to conntrack and commit the connection, while
       configuring a 32bit mark, a 128bit label, and src/dst nat.

       Send the packet to conntrack, which will mark the packet with the
       connection's state and configured metadata (mark/label), and execute
       previously configured nat.

       Clear the packet's previous connection tracking state.

OPTIONS
       zone ZONE
              Specify the conntrack zone number in which to send the packet
              to conntrack.

       mark MASKED_MARK
              Specify a masked 32bit mark to set for the connection (only
              valid with commit).

       label MASKED_LABEL
              Specify a masked 128bit label to set for the connection (only
              valid with commit).

       nat NAT_SPEC
              Where NAT_SPEC := {src|dst} addr addr1[-addr2] [port
              port1[-port2]]

              Specify src/dst and the range of nat to configure for the
              connection (only valid with commit).

              src/dst - configure src or dst nat

              addr1/addr2 - IPv4/IPv6 addresses

              port1/port2 - Port numbers

       nat    Restore any previously configured nat.

       clear  Remove any conntrack state and metadata (mark/label) from the
              packet (must be the only option specified).

       force  Forces the conntrack direction for a previously committed
              connection, so that the current direction becomes the original
              direction (only valid with commit).

EXAMPLES
       Example showing a natted firewall in conntrack zone 2, and conntrack
       mark usage:

       #Add ingress qdisc on eth0 and eth1 interfaces
       $ tc qdisc add dev eth0 handle ingress
       $ tc qdisc add dev eth1 handle ingress

       #Setup filters on eth0, allowing opening new connections in zone 2, and doing src nat + mark for each new connection
       $ tc filter add dev eth0 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \
            action ct zone 2 pipe action goto chain 2
       $ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new \
            action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1
       $ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \
            action ct nat pipe action mirred egress redirect dev eth1

       #Setup filters on eth1, allowing only established connections of zone 2 through, and reverse nat (dst nat in this case)
       $ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \
            action ct zone 2 pipe action goto chain 1
       $ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \
            action ct nat pipe action mirred egress redirect dev eth0

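       The following script is an added illustration and is not part of
       iproute2. It validates the argument grammar given under OPTIONS
       (mark, label, force and a NAT_SPEC only with commit; clear as the
       sole option; NAT_SPEC := {src|dst} addr addr1[-addr2] [port
       port1[-port2]]) and runs it over the ct segments of the filters
       above plus a constructed invalid one. The VALUE[/MASK] spelling of
       masked marks and labels and the 16-bit limit on ZONE are assumptions
       of the example, not taken from this page.

```python
"""Validator for the argument grammar of the tc ct action (added example,
not part of iproute2).  Enforces the rules under OPTIONS: mark, label, force
and a NAT_SPEC only with commit; clear must be the only option; NAT_SPEC is
{src|dst} addr ADDR1[-ADDR2] [port PORT1[-PORT2]].  The VALUE[/MASK] spelling
for masked marks and labels and the 16-bit zone limit are assumptions."""
import ipaddress
import shlex


class CtSyntaxError(ValueError):
    """Raised when an 'action ct ...' argument list violates the grammar."""


def _value_after(tokens, i, what):
    """Return tokens[i + 1], or fail if the keyword at tokens[i] has no value."""
    if i + 1 >= len(tokens):
        raise CtSyntaxError(f"'{tokens[i]}' requires {what}")
    return tokens[i + 1]


def _parse_masked(token, bits):
    """Parse VALUE[/MASK] (assumed spelling) into (value, mask) of `bits` width.
    A missing mask means all bits, i.e. a full overwrite."""
    value, _, mask = token.partition("/")
    try:
        v = int(value, 0)
        m = int(mask, 0) if mask else (1 << bits) - 1
    except ValueError:
        raise CtSyntaxError(f"bad masked value {token!r}") from None
    if not (0 <= v < (1 << bits) and 0 <= m < (1 << bits)):
        raise CtSyntaxError(f"{token!r} does not fit in {bits} bits")
    return v, m


def _parse_nat_spec(tokens, i):
    """Parse NAT_SPEC starting at tokens[i] (src or dst); return (spec, next i)."""
    spec = {"dir": tokens[i]}
    i += 1
    if i >= len(tokens) or tokens[i] != "addr":
        raise CtSyntaxError("nat spec requires 'addr ADDR1[-ADDR2]'")
    lo, _, hi = _value_after(tokens, i, "an address range").partition("-")
    try:  # ipaddress accepts both IPv4 and IPv6 literals
        a1 = ipaddress.ip_address(lo)
        a2 = ipaddress.ip_address(hi) if hi else a1
    except ValueError:
        raise CtSyntaxError(f"bad nat address range {lo}-{hi}") from None
    if a1.version != a2.version or a2 < a1:
        raise CtSyntaxError("nat address range must be one family, ascending")
    spec["addr"] = (str(a1), str(a2))
    i += 2
    if i < len(tokens) and tokens[i] == "port":
        lo, _, hi = _value_after(tokens, i, "a port range").partition("-")
        try:
            p1 = int(lo)
            p2 = int(hi) if hi else p1
        except ValueError:
            raise CtSyntaxError(f"bad nat port range {lo}-{hi}") from None
        if not 1 <= p1 <= p2 <= 65535:
            raise CtSyntaxError("nat port range must be 1-65535, ascending")
        spec["port"] = (p1, p2)
        i += 2
    return spec, i


def parse_ct_action(args):
    """Parse the words that follow 'action ct' (a string or a token list)."""
    tokens = shlex.split(args) if isinstance(args, str) else list(args)
    act = {"commit": False, "force": False, "clear": False,
           "zone": None, "mark": None, "label": None, "nat": None}
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t in ("commit", "force", "clear"):
            act[t] = True
            i += 1
        elif t == "zone":
            try:
                zone = int(_value_after(tokens, i, "a zone number"), 0)
            except ValueError:
                raise CtSyntaxError("zone must be a number") from None
            if not 0 <= zone <= 0xffff:
                raise CtSyntaxError("zone must fit in 16 bits")
            act["zone"] = zone
            i += 2
        elif t in ("mark", "label"):
            width = 32 if t == "mark" else 128
            act[t] = _parse_masked(_value_after(tokens, i, "VALUE[/MASK]"), width)
            i += 2
        elif t == "nat":
            i += 1
            if i < len(tokens) and tokens[i] in ("src", "dst"):
                act["nat"], i = _parse_nat_spec(tokens, i)  # configure new nat
            else:
                act["nat"] = "restore"                       # bare 'nat'
        else:
            raise CtSyntaxError(f"unknown ct option {t!r}")
    # Cross-option rules stated under OPTIONS.
    if act["clear"] and len(tokens) != 1:
        raise CtSyntaxError("clear must be the only option")
    if not act["commit"]:
        if act["force"] or act["mark"] is not None or act["label"] is not None:
            raise CtSyntaxError("force, mark and label are only valid with commit")
        if isinstance(act["nat"], dict):
            raise CtSyntaxError("a nat spec is only valid with commit")
    return act


if __name__ == "__main__":
    # Constructed inputs: the ct segments of the EXAMPLES filters plus one
    # invalid segment (mark without commit).
    for spec in ("zone 2", "zone 2 commit mark 0xbb nat src addr 5.5.5.7",
                 "nat", "clear", "mark 0xbb"):
        try:
            print(f"{spec!r:>50} -> {parse_ct_action(spec)}")
        except CtSyntaxError as e:
            print(f"{spec!r:>50} -> rejected: {e}")
```

       Run stand-alone, the script prints the parsed form of each segment
       and rejects "mark 0xbb" because mark is only valid with commit. The
       parser does not talk to the kernel; it is a pre-flight check of the
       option combinations before a ruleset is loaded with tc(8).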


SEE ALSO
       tc(8), tc-flower(8), tc-mirred(8)

AUTHORS
       Paul Blakey <paulb@mellanox.com>

       Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

       Yossi Kuperman <yossiku@mellanox.com>



iproute2                          14 May 2020                ct action in tc(8)