CONNTRACK(8)                                                      CONNTRACK(8)

NAME
       conntrack - command line interface for netfilter connection tracking

SYNOPSIS
       conntrack -L [table] [options] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -U [table] parameters
       conntrack -E [table] [options]
       conntrack -F [table]
       conntrack -C [table]
       conntrack -S

DESCRIPTION
       The conntrack utility provides a full featured userspace interface to
       the Netfilter connection tracking system that is intended to replace
       the old /proc/net/ip_conntrack interface. This tool can be used to
       search, list, inspect and maintain the connection tracking subsystem of
       the Linux kernel.

       Using conntrack, you can dump a list of all (or a filtered selection
       of) currently tracked connections, delete connections from the state
       table, and even add new ones.

       In addition, you can also monitor connection tracking events, e.g. show
       an event message (one line) per newly established connection.

TABLES
       The connection tracking subsystem maintains several internal tables:

       conntrack:
              This is the default table. It contains a list of all currently
              tracked connections through the system. If you don't use
              connection tracking exemptions (NOTRACK iptables target), this
              means all connections that go through the system.

       expect:
              This is the table of expectations. Connection tracking
              expectations are the mechanism used to "expect" RELATED
              connections to existing ones. Expectations are generally used
              by "connection tracking helpers" (sometimes called application
              level gateways [ALGs]) for more complex protocols such as FTP,
              SIP or H.323.

       dying: This table shows the conntrack entries that have expired and
              that have been destroyed by the connection tracking system
              itself, or via the conntrack utility.

       unconfirmed:
              This table shows new entries that are not yet inserted into the
              conntrack table. These entries are attached to packets that are
              traversing the stack, but did not reach the confirmation point
              at the postrouting hook.

              The tables "dying" and "unconfirmed" are basically only useful
              for debugging purposes. Under normal operation, it is hard to
              see entries in any of them. There are corner cases where it is
              valid to see entries in the unconfirmed table, e.g. when packets
              are enqueued via nfqueue, and in the dying table, e.g. when
              conntrackd(8) runs in event reliable mode.

OPTIONS
       The options recognized by conntrack can be divided into several
       different groups.


   COMMANDS
       These options specify the particular operation to perform. Only one of
       them can be specified at any given time.

       -L, --dump
              List connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given
              table.

       -D, --delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table.

       -U, --update
              Update an entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table.

       -C, --count
              Show the table counter.

       -S, --stats
              Show the in-kernel connection tracking system statistics.

   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them. This option is
              only valid in combination with the "-L, --dump" command option.

       -o, --output [extended,xml,timestamp,id,ktimestamp,labels]
              Display output in a certain format. With the extended output
              option, this tool displays the layer 3 information. With
              ktimestamp, it displays the in-kernel timestamp available since
              2.6.38 (you can enable it via the sysctl(8) key
              net.netfilter.nf_conntrack_timestamp). The labels output option
              tells conntrack to show the names of connection tracking labels
              that might be present.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the
              in-kernel ctnetlink event code. Using this parameter, you can
              reduce the event messages generated by the kernel to those
              types that you are actually interested in. This option can
              only be used in conjunction with "-E, --event".

       -b, --buffer-size value
              Set the Netlink socket buffer size in bytes. This option is
              useful if the command line tool reports ENOBUFS errors. If you
              do not pass this option, the default value available at the
              sysctl(8) key net.core.rmem_default is used. The tool reports
              this problem if your process is too slow to handle all the
              event messages or, in other words, if the amount of events is
              big enough to overrun the socket buffer. Note that using a big
              buffer reduces the chances of hitting ENOBUFS; however, this
              results in more memory consumption. This option can only be
              used in conjunction with "-E, --event".


   FILTER PARAMETERS
       -s, --src, --orig-src IP_ADDRESS
              Match only entries whose source address in the original
              direction equals the one specified as argument. Implies
              "--mask-src" when CIDR notation is used.

       -d, --dst, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original
              direction equals the one specified as argument. Implies
              "--mask-dst" when CIDR notation is used.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in the reply direction
              equals the one specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match only entries whose destination address in the reply
              direction equals the one specified as argument.

       -p, --proto PROTO
              Specify layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify layer three (ipv4, ipv6) protocol. This option is only
              required in conjunction with "-L, --dump". If this option is not
              passed, the default layer 3 protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout.

       -m, --mark MARK[/MASK]
              Specify the conntrack mark. Optionally, a mask value can be
              specified. In "--update" mode, this mask specifies the bits
              that should be zeroed before XORing the MARK value into the
              ctmark. Otherwise, the mask is logically ANDed with the
              existing mark before the comparison. In "--create" mode, the
              mask is ignored.
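As an added illustration (not code from the conntrack tool or this man page), the following Python functions model the two ways the MARK[/MASK] argument is interpreted: in "--update" mode the masked bits are zeroed and MARK is XORed in, while in filter mode the existing mark is ANDed with the mask and compared to MARK. The handling of an omitted mask is an assumption: a full 32-bit mask, so that "-m 1" sets or matches the whole mark exactly as in the EXAMPLES section.

```python
# Added example (not from the conntrack man page): model of how conntrack's
# "-m MARK[/MASK]" argument behaves in update mode versus filter mode.

MARK_BITS = 0xFFFFFFFF  # the ctmark is a 32-bit value


def parse_mark_spec(spec: str) -> tuple:
    """Parse "MARK[/MASK]"; both parts may be decimal or 0x-prefixed hex.

    Assumption: when no "/MASK" is given, all 32 bits are used, so that
    "-m 1" compares or sets the whole mark (as in the EXAMPLES section).
    """
    value, _, mask = spec.partition("/")
    mark = int(value, 0) & MARK_BITS
    mask_bits = int(mask, 0) & MARK_BITS if mask else MARK_BITS
    return mark, mask_bits


def update_mark(existing: int, spec: str) -> int:
    """--update mode: zero the bits named by MASK, then XOR MARK into the result."""
    mark, mask = parse_mark_spec(spec)
    return ((existing & ~mask) ^ mark) & MARK_BITS


def mark_matches(existing: int, spec: str) -> bool:
    """Filter mode (-L/-D/-E): AND the existing mark with MASK, compare to MARK."""
    mark, mask = parse_mark_spec(spec)
    return (existing & mask) == mark
```

Note that with a mask of 0 nothing is zeroed first, so "--update -m 1/0" toggles bit 0 of every selected entry rather than setting it.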

       -l, --label LABEL
              Specify a conntrack label. This option is only available in
              conjunction with "-L, --dump", "-E, --event", "-U, --update" or
              "-D, --delete". Match entries whose labels include at least
              those specified as arguments. Use multiple -l options to specify
              multiple labels that all need to be set.

       --label-add LABEL
              Specify the conntrack label to add to the selected conntracks.
              This option is only available in conjunction with "-I, --create"
              or "-U, --update".

       --label-del [LABEL]
              Specify the conntrack label to delete from the selected
              conntracks. If no label is given, all labels are deleted. This
              option is only available in conjunction with "-U, --update".

       -c, --secmark SECMARK
              Specify the conntrack selinux security mark.

       -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]
              Specify the conntrack status.

       -n, --src-nat
              Filter source NAT connections.

       -g, --dst-nat
              Filter destination NAT connections.

       -j, --any-nat
              Filter any NAT connections.

       -w, --zone
              Filter by conntrack zone. See the iptables CT target for more
              information.

       --orig-zone
              Filter by conntrack zone in the original direction. See the
              iptables CT target for more information.

       --reply-zone
              Filter by conntrack zone in the reply direction. See the
              iptables CT target for more information.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation. Implies
              "--mask-src" when CIDR notation is used.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.
              Implies "--mask-dst" when CIDR notation is used.

       --mask-src IP_ADDRESS
              Specify the source address mask. For conntracks this option is
              only available in conjunction with "-L, --dump", "-E, --event",
              "-U, --update" or "-D, --delete". For expectations this option
              is only available in conjunction with "-I, --create".

       --mask-dst IP_ADDRESS
              Specify the destination address mask. Same limitations as for
              "--mask-src".

   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              TCP state, one of NONE, SYN_SENT, SYN_RECV, ESTABLISHED,
              FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE or LISTEN.


       UDP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction


       ICMP-specific fields:

       --icmp-type TYPE
              ICMP Type. Has to be specified numerically.

       --icmp-code CODE
              ICMP Code. Has to be specified numerically.

       --icmp-id ID
              ICMP Id. Has to be specified numerically (non-mandatory).


       UDPlite-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction


       SCTP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              SCTP state, one of NONE, CLOSED, COOKIE_WAIT, COOKIE_ECHOED,
              ESTABLISHED, SHUTDOWN_SENT, SHUTDOWN_RECD, SHUTDOWN_ACK_SENT.

       --orig-vtag value
              Verification tag (32-bit value) in the original direction

       --reply-vtag value
              Verification tag (32-bit value) in the reply direction


       DCCP-specific fields (needs Linux >= 2.6.30):

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              DCCP state, one of NONE, REQUEST, RESPOND, PARTOPEN, OPEN,
              CLOSEREQ, CLOSING, TIMEWAIT.

       --role [client|server]
              Role that the original conntrack tuple is tracking


       GRE-specific fields:

       --srckey, --orig-key-src KEY
              Source key in original direction (in hexadecimal or decimal)

       --dstkey, --orig-key-dst KEY
              Destination key in original direction (in hexadecimal or
              decimal)

       --reply-key-src KEY
              Source key in reply direction (in hexadecimal or decimal)

       --reply-key-dst KEY
              Destination key in reply direction (in hexadecimal or decimal)

DIAGNOSTICS
       The exit code is 0 for correct function. Errors which appear to be
       caused by invalid command line parameters cause an exit code of 2. Any
       other errors cause an exit code of 1.

EXAMPLES
       conntrack -L
              Show the connection tracking table in /proc/net/ip_conntrack
              format

       conntrack -L -o extended
              Show the connection tracking table in /proc/net/nf_conntrack
              format, with additional information.

       conntrack -L -o xml
              Show the connection tracking table in XML

       conntrack -L -f ipv6 -o extended
              Only dump IPv6 connections in /proc/net/nf_conntrack format,
              with additional information.

       conntrack -L --src-nat
              Show source NAT connections

       conntrack -E -o timestamp
              Show connection events together with the timestamp

       conntrack -D -s 1.2.3.4
              Delete all flows whose source address is 1.2.3.4

       conntrack -U -s 1.2.3.4 -m 1
              Set connmark to 1 of all the flows whose source address is
              1.2.3.4
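As an added example (not part of the man page or the conntrack tool), the Python below parses lines in the /proc/net/ip_conntrack format that "conntrack -L" prints and classifies each flow the way the --src-nat, --dst-nat and --any-nat filters would, by checking whether the reply tuple still mirrors the original tuple. The dump lines are constructed here with RFC 5737 documentation addresses; the tool itself decides NAT from kernel-side information that a saved text dump does not show, so tuple comparison is an approximation that is useful when all you have is a dump captured during an investigation.

```python
# Added example (not from the conntrack man page): parse "conntrack -L" output
# (/proc/net/ip_conntrack format) and classify NAT like --src-nat / --dst-nat.
from dataclasses import dataclass, field

# Constructed sample dump (RFC 5737 documentation addresses), one entry per line.
SAMPLE_DUMP = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=198.51.100.1 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.11 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.11 sport=53 dport=5353 mark=0 use=1
tcp      6 120 SYN_SENT src=198.51.100.7 dst=198.51.100.1 sport=40000 dport=8080 [UNREPLIED] src=192.168.1.20 dst=198.51.100.7 sport=80 dport=40000 mark=0 use=1
"""
TUPLE_KEYS = ("src", "dst", "sport", "dport")

@dataclass
class Flow:
    proto: str
    orig: dict = field(default_factory=dict)   # original-direction tuple
    reply: dict = field(default_factory=dict)  # reply-direction tuple
    flags: list = field(default_factory=list)  # ASSURED, UNREPLIED, ...

def parse_conntrack_line(line: str) -> Flow:
    """Split one dump line into protocol name, both tuples and status flags."""
    tokens = line.split()
    flow = Flow(proto=tokens[0])
    for tok in tokens[1:]:
        if tok.startswith("[") and tok.endswith("]"):
            flow.flags.append(tok[1:-1])
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key in TUPLE_KEYS:
                # first src/dst/sport/dport quartet = original tuple, second = reply
                target = flow.orig if key not in flow.orig else flow.reply
                target[key] = value
    return flow

def is_src_nat(f: Flow) -> bool:
    """SNAT: the reply destination no longer mirrors the original source (addr or port)."""
    return (f.reply.get("dst"), f.reply.get("dport")) != (f.orig.get("src"), f.orig.get("sport"))

def is_dst_nat(f: Flow) -> bool:
    """DNAT: the reply source no longer mirrors the original destination (addr or port)."""
    return (f.reply.get("src"), f.reply.get("sport")) != (f.orig.get("dst"), f.orig.get("dport"))

def classify(dump: str) -> list:
    """(proto, orig src, orig dst, kind) per line; kind mimics --src-nat/--dst-nat/--any-nat."""
    out = []
    for line in dump.splitlines():
        f = parse_conntrack_line(line)
        kind = "src-nat" if is_src_nat(f) else "dst-nat" if is_dst_nat(f) else "none"
        out.append((f.proto, f.orig["src"], f.orig["dst"], kind))
    return out
```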

BUGS
       Please report them to netfilter-devel@vger.kernel.org or file a bug in
       Netfilter's bugzilla (https://bugzilla.netfilter.org).

SEE ALSO
       nftables(8), iptables(8), conntrackd(8)
       See http://conntrack-tools.netfilter.org

AUTHORS
       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote
       the kernel-level "ctnetlink" interface that is used by the conntrack
       tool.

       Pablo Neira Ayuso wrote and maintains the conntrack tool; Harald Welte
       added support for conntrack based accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org> and Pablo
       Neira Ayuso <pablo@netfilter.org>.



                                 Sep 26, 2017                     CONNTRACK(8)