CONNTRACK(8)                                                      CONNTRACK(8)

NAME

       conntrack - command line interface for netfilter connection tracking

SYNOPSIS

       conntrack -L [table] [options] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -U [table] parameters
       conntrack -E [table] [options]
       conntrack -F [table]
       conntrack -C [table]
       conntrack -S


DESCRIPTION

       The conntrack utility provides a full-featured userspace interface to
       the Netfilter connection tracking system that is intended to replace
       the old /proc/net/ip_conntrack interface.  This tool can be used to
       search, list, inspect and maintain the connection tracking subsystem of
       the Linux kernel.

       Using conntrack, you can dump a list of all (or a filtered selection
       of) currently tracked connections, delete connections from the state
       table, and even add new ones.

       In addition, you can also monitor connection tracking events, e.g. show
       an event message (one line) per newly established connection.



TABLES

       The connection tracking subsystem maintains several internal tables:

       conntrack:
              This is the default table.  It contains a list of all currently
              tracked connections through the system.  If you don't use
              connection tracking exemptions (the NOTRACK iptables target),
              this means all connections that go through the system.

       expect:
              This is the table of expectations.  Connection tracking
              expectations are the mechanism used to "expect" RELATED
              connections to existing ones.  Expectations are generally used
              by "connection tracking helpers" (sometimes called application
              level gateways [ALGs]) for more complex protocols such as FTP,
              SIP or H.323.

       dying: This table shows the conntrack entries that have expired and
              that have been destroyed by the connection tracking system
              itself, or via the conntrack utility.

       unconfirmed:
              This table shows new entries that are not yet inserted into the
              conntrack table.  These entries are attached to packets that are
              traversing the stack, but did not reach the confirmation point
              at the postrouting hook.

              The tables "dying" and "unconfirmed" are basically only useful
              for debugging purposes.  Under normal operation, it is hard to
              see entries in either of them.  There are corner cases where it
              is valid to see entries in the unconfirmed table, e.g. when
              packets are enqueued via nfqueue, and in the dying table, e.g.
              when conntrackd(8) runs in event reliable mode.



OPTIONS

       The options recognized by conntrack can be divided into several
       different groups.


   COMMANDS
       These options specify the particular operation to perform.  Only one of
       them can be specified at any given time.

       -L, --dump
              List the connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given
              table.

       -D, --delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table.

       -U, --update
              Update an entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table.

       -C, --count
              Show the table counter.

       -S, --stats
              Show the in-kernel connection tracking system statistics.


   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them.  This option is
              only valid in combination with the "-L, --dump" command.

       -o, --output [extended,xml,timestamp,id,ktimestamp,labels]
              Display output in a certain format.  With the extended output
              option, this tool displays the layer 3 information.  With
              ktimestamp, it displays the in-kernel timestamp available since
              Linux 2.6.38 (you can enable it via the sysctl(8) key
              net.netfilter.nf_conntrack_timestamp).  The labels output option
              tells conntrack to show the names of connection tracking labels
              that might be present.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the
              in-kernel ctnetlink event code.  Using this parameter, you can
              reduce the event messages generated by the kernel to those types
              that you are actually interested in.  This option can only be
              used in conjunction with "-E, --event".

       -b, --buffer-size value
              Set the Netlink socket buffer size in bytes.  This option is
              useful if the command line tool reports ENOBUFS errors.  If you
              do not pass this option, the default value available at the
              sysctl(8) key net.core.rmem_default is used.  The tool reports
              this problem if your process is too slow to handle all the event
              messages or, in other words, if the volume of events is large
              enough to overrun the socket buffer.  An ENOBUFS error means
              that events were dropped, so any monitoring built on "-E" has a
              gap at that point; narrowing the mask with "-e" reduces the
              volume before it reaches the socket.  Note that using a big
              buffer reduces the chances of hitting ENOBUFS; however, this
              results in more memory consumption.  This option can only be
              used in conjunction with "-E, --event".


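       The following is an added example, not part of conntrack-tools or of
       this manual page.  It shows how the event stream produced by "-E -o
       timestamp" can be post-processed: a small shell function keeps only
       [NEW] events, counts them per original-direction source address, and
       reports the addresses at or above a threshold, which is one way to
       notice a host opening many connections in a short window.  Passing
       "-e NEW" to conntrack would make the kernel drop the UPDATE and
       DESTROY lines before they reach the socket; here the filtering is done
       in userspace so the effect is visible.  The sample lines are
       constructed in the shape of that output (timestamp, event type, then
       the usual flow line) and are not captured from a real host; the
       function name and the threshold are choices made for this example.

```sh
#!/bin/sh
# Added example (not from conntrack-tools). The lines below are constructed in
# the shape of `conntrack -E -o timestamp` output; not captured from a live host.
EVENTS='[1506432000.000010]     [NEW] tcp      6 120 SYN_SENT src=203.0.113.50 dst=192.0.2.10 sport=41000 dport=22 [UNREPLIED] src=192.0.2.10 dst=203.0.113.50 sport=22 dport=41000
[1506432000.000400]     [NEW] tcp      6 120 SYN_SENT src=203.0.113.50 dst=192.0.2.10 sport=41001 dport=23 [UNREPLIED] src=192.0.2.10 dst=203.0.113.50 sport=23 dport=41001
[1506432000.000800]     [NEW] tcp      6 120 SYN_SENT src=203.0.113.50 dst=192.0.2.10 sport=41002 dport=80 [UNREPLIED] src=192.0.2.10 dst=203.0.113.50 sport=80 dport=41002
[1506432000.001200]     [NEW] tcp      6 120 SYN_SENT src=203.0.113.50 dst=192.0.2.10 sport=41003 dport=443 [UNREPLIED] src=192.0.2.10 dst=203.0.113.50 sport=443 dport=41003
[1506432000.002000]     [NEW] tcp      6 120 SYN_SENT src=192.0.2.77 dst=192.0.2.10 sport=52000 dport=443 [UNREPLIED] src=192.0.2.10 dst=192.0.2.77 sport=443 dport=52000
[1506432000.002500]     [NEW] udp      17 30 src=192.0.2.88 dst=192.0.2.53 sport=40123 dport=53 [UNREPLIED] src=192.0.2.53 dst=192.0.2.88 sport=53 dport=40123
[1506432000.003000]  [UPDATE] tcp      6 432000 ESTABLISHED src=192.0.2.77 dst=192.0.2.10 sport=52000 dport=443 src=192.0.2.10 dst=192.0.2.77 sport=443 dport=52000 [ASSURED]'

# Read event lines on stdin and print "ADDRESS COUNT" for every
# original-direction source address seen in at least $1 NEW events
# (default 3), sorted by address.  Only [NEW] lines are counted, which
# is what "-e NEW" would leave after kernel-side filtering.  The first
# src= on a line is the original tuple; the second is the reply tuple
# and is skipped.
new_flows_per_source() {
    awk -v thr="${1:-3}" '
        /\[NEW\]/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/) { sub(/^src=/, "", $i); count[$i]++; break }
            }
        }
        END { for (a in count) if (count[a] >= thr) printf "%s %d\n", a, count[a] }
    ' | sort
}

# Stand-alone run: only 203.0.113.50 reaches the threshold (4 NEW events).
printf '%s\n' "$EVENTS" | new_flows_per_source 3
```

       A live run would replace the constructed variable with something like
       "conntrack -E -e NEW -o timestamp | new_flows_per_source 20", with the
       threshold tuned to the host's normal connection rate.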
   FILTER PARAMETERS
       -s, --src, --orig-src IP_ADDRESS
              Match only entries whose source address in the original
              direction equals the one specified as argument.  Implies
              "--mask-src" when CIDR notation is used.

       -d, --dst, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original
              direction equals the one specified as argument.  Implies
              "--mask-dst" when CIDR notation is used.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in the reply direction
              equals the one specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match only entries whose destination address in the reply
              direction equals the one specified as argument.

       -p, --proto PROTO
              Specify the layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify the layer three (ipv4, ipv6) protocol.  This option is
              only required in conjunction with "-L, --dump".  If this option
              is not passed, the default layer 3 protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout.

       -m, --mark MARK[/MASK]
              Specify the conntrack mark.  Optionally, a mask value can be
              specified.  In "--update" mode, this mask specifies the bits
              that should be zeroed before XORing the MARK value into the
              ctmark.  Otherwise, the mask is logically ANDed with the
              existing mark before the comparison.  In "--create" mode, the
              mask is ignored.

       -l, --label LABEL
              Specify a conntrack label.  This option is only available in
              conjunction with "-L, --dump", "-E, --event", "-U, --update" or
              "-D, --delete".  Match entries whose labels include at least
              those specified.  Use multiple -l options to specify multiple
              labels that need to be set.

       --label-add LABEL
              Specify the conntrack label to add to the selected conntracks.
              This option is only available in conjunction with "-I, --create"
              or "-U, --update".

       --label-del [LABEL]
              Specify the conntrack label to delete from the selected
              conntracks.  If no label is given, all labels are deleted.  This
              option is only available in conjunction with "-U, --update".

       -c, --secmark SECMARK
              Specify the conntrack SELinux security mark.

       -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]
              Specify the conntrack status.

       -n, --src-nat
              Filter source NAT connections, i.e. entries whose original
              source address (or port) is rewritten, so that the reply
              destination no longer equals the original source.

       -g, --dst-nat
              Filter destination NAT connections, i.e. entries whose original
              destination address (or port) is rewritten, so that the reply
              source no longer equals the original destination.

       -j, --any-nat
              Filter any NAT connections.

       -w, --zone
              Filter by conntrack zone.  See the iptables CT target for more
              information.

       --orig-zone
              Filter by conntrack zone in the original direction.  See the
              iptables CT target for more information.

       --reply-zone
              Filter by conntrack zone in the reply direction.  See the
              iptables CT target for more information.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation.  Implies
              "--mask-src" when CIDR notation is used.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.
              Implies "--mask-dst" when CIDR notation is used.

       --mask-src IP_ADDRESS
              Specify the source address mask.  For conntracks this option is
              only available in conjunction with "-L, --dump", "-E, --event",
              "-U, --update" or "-D, --delete".  For expectations this option
              is only available in conjunction with "-I, --create".

       --mask-dst IP_ADDRESS
              Specify the destination address mask.  Same limitations as for
              "--mask-src".


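       The following is an added example, not code from conntrack-tools or
       from this manual page.  It makes two of the filter parameters above
       concrete.  First, it classifies lines of the default "-L" output as
       source NAT, destination NAT, both, or none by comparing the original
       and reply tuples, which is the condition "-n", "-g" and "-j" select
       on: a flow is source-NATed when the reply destination differs from the
       original source, and destination-NATed when the reply source differs
       from the original destination.  Second, it applies the "--update" rule
       documented under "-m" (clear the MASK bits, then XOR MARK in) to a few
       values, including the case where MASK does not cover MARK and the XOR
       toggles bits instead of setting them.  The sample flow lines are
       constructed in the shape of the default output and are not captured
       from a live system; the function names are chosen for this example,
       and treating a missing MASK as 0xffffffff follows the "-U -m 1" entry
       in EXAMPLES, which replaces the whole mark.

```sh
#!/bin/sh
# Added example (not from conntrack-tools). Constructed lines in the shape of
# the default `conntrack -L` output; not captured from a real host.
FLOWS='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.7 sport=54321 dport=443 src=203.0.113.7 dst=198.51.100.2 sport=443 dport=54321 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=198.51.100.9 dst=198.51.100.2 sport=40000 dport=80 src=10.0.0.5 dst=198.51.100.9 sport=8080 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=5353 mark=0 use=1
tcp      6 119 SYN_SENT src=192.168.1.30 dst=203.0.113.9 sport=50001 dport=22 [UNREPLIED] src=203.0.113.9 dst=192.168.1.30 sport=22 dport=50001 mark=0 use=1
icmp     1 29 src=192.168.1.40 dst=203.0.113.1 type=8 code=0 id=1234 src=203.0.113.1 dst=198.51.100.2 type=0 code=0 id=1234 mark=0 use=1'

# Read `conntrack -L` lines on stdin and print, per flow:
#   PROTO ORIG_SRC[:SPORT] -> ORIG_DST[:DPORT] KIND
# where KIND is SNAT, DNAT, SNAT+DNAT or none.  The first src=/dst=/sport=/dport=
# on a line belong to the original tuple, the second to the reply tuple.
# Entries without ports (ICMP) are compared on addresses only.
classify_nat() {
    awk '
    {
        split("", src); split("", dst); split("", sp); split("", dp)
        ns = nd = nsp = ndp = 0
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue            # [ASSURED], [UNREPLIED], ...
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "src")        src[++ns] = val
            else if (key == "dst")   dst[++nd] = val
            else if (key == "sport") sp[++nsp] = val
            else if (key == "dport") dp[++ndp] = val
        }
        # SNAT: the peer replies to something other than the original source.
        snat = (src[1] != dst[2] || sp[1] != dp[2])
        # DNAT: the replying party is not the one the originator addressed.
        dnat = (dst[1] != src[2] || dp[1] != sp[2])
        kind = snat && dnat ? "SNAT+DNAT" : (snat ? "SNAT" : (dnat ? "DNAT" : "none"))
        osrc = src[1]; odst = dst[1]
        if (nsp) osrc = osrc ":" sp[1]
        if (ndp) odst = odst ":" dp[1]
        printf "%s %s -> %s %s\n", $1, osrc, odst, kind
    }'
}

# Apply the "--update" rule for "-m MARK/MASK": clear the MASK bits of the
# old mark, then XOR MARK in.  Prints the resulting 32-bit mark in hex.
# A missing MASK is modelled as 0xffffffff (replace the whole mark), which
# is what "-U -m 1" in EXAMPLES relies on.
ct_mark_update() {  # ct_mark_update OLD MARK [MASK]
    old=$1; mark=$2; mask=${3:-0xffffffff}
    printf '0x%08x\n' $(( (($old & ~$mask) ^ $mark) & 0xffffffff ))
}

# Stand-alone run.
printf '%s\n' "$FLOWS" | classify_nat
ct_mark_update 0xdeadbeef 0x5 0xff     # low byte replaced: 0xdeadbe05
ct_mark_update 0xdeadbeef 0x1          # whole mark replaced: 0x00000001
ct_mark_update 0x10 0x10 0x0           # mask 0 leaves bit set, XOR clears it
ct_mark_update 0x10 0x10 0x10          # mask covers the bit: set regardless
```

       The last two calls are the practical point of the mask: to force a bit
       on with "-U", include it in MASK ("-m 0x10/0x10"); "-m 0x10/0" toggles
       it and clears it on a flow where it was already set.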
   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              TCP state, one of NONE, SYN_SENT, SYN_RECV, ESTABLISHED,
              FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE or LISTEN.


       UDP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction


       ICMP-specific fields:

       --icmp-type TYPE
              ICMP type.  Has to be specified numerically.

       --icmp-code CODE
              ICMP code.  Has to be specified numerically.

       --icmp-id ID
              ICMP id.  Has to be specified numerically (non-mandatory).


       UDPlite-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction


       SCTP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              SCTP state, one of NONE, CLOSED, COOKIE_WAIT, COOKIE_ECHOED,
              ESTABLISHED, SHUTDOWN_SENT, SHUTDOWN_RECD, SHUTDOWN_ACK_SENT.

       --orig-vtag value
              Verification tag (32-bit value) in the original direction

       --reply-vtag value
              Verification tag (32-bit value) in the reply direction


       DCCP-specific fields (needs Linux >= 2.6.30):

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              DCCP state, one of NONE, REQUEST, RESPOND, PARTOPEN, OPEN,
              CLOSEREQ, CLOSING, TIMEWAIT.

       --role [client|server]
              Role that the original conntrack tuple is tracking


       GRE-specific fields:

       --srckey, --orig-key-src KEY
              Source key in original direction (in hexadecimal or decimal)

       --dstkey, --orig-key-dst KEY
              Destination key in original direction (in hexadecimal or
              decimal)

       --reply-key-src KEY
              Source key in reply direction (in hexadecimal or decimal)

       --reply-key-dst KEY
              Destination key in reply direction (in hexadecimal or decimal)


DIAGNOSTICS

       The exit code is 0 for correct function.  Errors which appear to be
       caused by invalid command line parameters cause an exit code of 2.  Any
       other errors cause an exit code of 1.



EXAMPLES

       conntrack -L
              Show the connection tracking table in /proc/net/ip_conntrack
              format.

       conntrack -L -o extended
              Show the connection tracking table in /proc/net/nf_conntrack
              format, with additional information.

       conntrack -L -o xml
              Show the connection tracking table in XML.

       conntrack -L -f ipv6 -o extended
              Only dump IPv6 connections in /proc/net/nf_conntrack format,
              with additional information.

       conntrack -L --src-nat
              Show source NAT connections.

       conntrack -E -o timestamp
              Show connection events together with the timestamp.

       conntrack -D -s 1.2.3.4
              Delete all flows whose source address is 1.2.3.4.

       conntrack -U -s 1.2.3.4 -m 1
              Set the connmark of all flows whose source address is 1.2.3.4
              to 1.



BUGS

       Please, report them to netfilter-devel@vger.kernel.org or file a bug in
       Netfilter's bugzilla (https://bugzilla.netfilter.org).



SEE ALSO

       nftables(8), iptables(8), conntrackd(8)
       See http://conntrack-tools.netfilter.org



AUTHORS

       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote
       the kernel-level "ctnetlink" interface that is used by the conntrack
       tool.

       Pablo Neira Ayuso wrote and maintains the conntrack tool; Harald Welte
       added support for conntrack based accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org> and Pablo
       Neira Ayuso <pablo@netfilter.org>.



                                 Sep 26, 2017                     CONNTRACK(8)