1CONNTRACK(8) CONNTRACK(8)
2
6 conntrack - command line interface for netfilter connection tracking
7
9 conntrack -L [table] [options] [-z]
10 conntrack -G [table] parameters
11 conntrack -D [table] parameters
12 conntrack -I [table] parameters
13 conntrack -U [table] parameters
14 conntrack -E [table] [options]
15 conntrack -F [table]
16 conntrack -C [table]
17 conntrack -S
18
20 The conntrack utilty provides a full featured userspace interface to
21 the Netfilter connection tracking system that is intended to replace
22 the old /proc/net/ip_conntrack interface. This tool can be used to
23 search, list, inspect and maintain the connection tracking subsystem of
24 the Linux kernel.
25 Using conntrack, you can dump a list of all (or a filtered selection
27 of) currently tracked connections, delete connections from the state
28 table, and even add new ones.
29 In addition, you can also monitor connection tracking events, e.g. show
31 an event message (one line) per newly established connection.
32
35 The connection tracking subsystem maintains several internal tables:
36 conntrack:
38 This is the default table. It contains a list of all currently
39 tracked connections through the system. If you don't use con‐
40 nection tracking exemptions (NOTRACK iptables target), this
41 means all connections that go through the system.
42 expect:
44 This is the table of expectations. Connection tracking expecta‐
45 tions are the mechanism used to "expect" RELATED connections to
46 existing ones. Expectations are generally used by "connection
47 tracking helpers" (sometimes called application level gateways
48 [ALGs]) for more complex protocols such as FTP, SIP or H.323.
49 dying: This table shows the conntrack entries, that have expired and
51 that have been destroyed by the connection tracking system
52 itself, or via the conntrack utility.
53 unconfirmed:
55 This table shows new entries, that are not yet inserted into the
56 conntrack table. These entries are attached to packets that are
57 traversing the stack, but did not reach the confirmation point
58 at the postrouting hook.
59 The tables "dying" and "unconfirmed" are basically only useful
61 for debugging purposes. Under normal operation, it is hard to
62 see entries in any of them. There are corner cases, where it is
63 valid to see entries in the unconfirmed table, eg. when packets
64 that are enqueued via nfqueue, and the dying table, eg. when
65 conntrackd(8) runs in event reliable mode.
66
69 The options recognized by conntrack can be divided into several differ‐
70 ent groups.
71 COMMANDS
74 These options specify the particular operation to perform. Only one of
75 them can be specified at any given time.
76 -L --dump
78 List connection tracking or expectation table
79 -G, --get
81 Search for and show a particular (matching) entry in the given
82 table.
83 -D, --delete
85 Delete an entry from the given table.
86 -I, --create
88 Create a new entry from the given table.
89 -U, --update
91 Update an entry from the given table.
92 -E, --event
94 Display a real-time event log.
95 -F, --flush
97 Flush the whole given table
98 -C, --count
100 Show the table counter.
101 -S, --stats
103 Show the in-kernel connection tracking system statistics.
104 PARAMETERS
107 -z, --zero
108 Atomically zero counters after reading them. This option is
109 only valid in combination with the "-L, --dump" command options.
110 -o, --output [extended,xml,timestamp,id,ktimestamp,labels]
112 Display output in a certain format. With the extended output
113 option, this tool displays the layer 3 information. With ktimes‐
114 tamp, it displays the in-kernel timestamp available since 2.6.38
115 (you can enable it via the sysctl(8) key net.netfilter.nf_con‐
116 ntrack_timestamp). The labels output option tells conntrack to
117 show the names of connection tracking labels that might be
118 present.
119 -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
121 Set the bitmask of events that are to be generated by the in-
122 kernel ctnetlink event code. Using this parameter, you can
123 reduce the event messages generated by the kernel to those types
124 to those that you are actually interested in. This option can
125 only be used in conjunction with "-E, --event".
126 -b, --buffer-size value
128 Set the Netlink socket buffer size in bytes. This option is use‐
129 ful if the command line tool reports ENOBUFS errors. If you do
130 not pass this option, the default value available at sysctl(8)
131 key net.core.rmem_default is used. The tool reports this problem
132 if your process is too slow to handle all the event messages or,
133 in other words, if the amount of events are big enough to over‐
134 run the socket buffer. Note that using a big buffer reduces the
135 chances to hit ENOBUFS, however, this results in more memory
136 consumption. This option can only be used in conjunction with
137 "-E, --event".
138 FILTER PARAMETERS
141 -s, --src, --orig-src IP_ADDRESS
142 Match only entries whose source address in the original direc‐
143 tion equals the one specified as argument. Implies "--mask-src"
144 when CIDR notation is used.
145 -d, --dst, --orig-dst IP_ADDRESS
147 Match only entries whose destination address in the original
148 direction equals the one specified as argument. Implies "--mask-
149 dst" when CIDR notation is used.
150 -r, --reply-src IP_ADDRESS
152 Match only entries whose source address in the reply direction
153 equals the one specified as argument.
154 -q, --reply-dst IP_ADDRESS
156 Match only entries whose destination address in the reply direc‐
157 tion equals the one specified as argument.
158 -p, --proto PROTO
160 Specify layer four (TCP, UDP, ...) protocol.
161 -f, --family PROTO
163 Specify layer three (ipv4, ipv6) protocol This option is only
164 required in conjunction with "-L, --dump". If this option is not
165 passed, the default layer 3 protocol will be IPv4.
166 -t, --timeout TIMEOUT
168 Specify the timeout.
169 -m, --mark MARK[/MASK]
171 Specify the conntrack mark. Optionally, a mask value can be
172 specified. In "--update" mode, this mask specifies the bits
173 that should be zeroed before XORing the MARK value into the
174 ctmark. Otherwise, the mask is logically ANDed with the exist‐
175 ing mark before the comparision. In "--create" mode, the mask is
176 ignored.
177 -l, --label LABEL
179 Specify a conntrack label. This option is only available in
180 conjunction with "-L, --dump", "-E, --event", "-U --update" or
181 "-D --delete". Match entries whose labels match at least those
182 specified. Use multiple -l commands to specify multiple labels
183 that need to be set. Match entries whose labels matches at
184 least those specified as arguments.
185 --label-add LABEL
187 Specify the conntrack label to add to to the selected con‐
188 ntracks. This option is only available in conjunction with "-I,
189 --create" or "-U, --update".
190 --label-del [LABEL]
192 Specify the conntrack label to delete from the selected con‐
193 ntracks. If no label is given, all labels are deleted. This
194 option is only available in conjunction with "-U, --update".
195 -c, --secmark SECMARK
197 Specify the conntrack selinux security mark.
198 -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]
200 Specify the conntrack status.
201 -n, --src-nat
203 Filter source NAT connections.
204 -g, --dst-nat
206 Filter destination NAT connections.
207 -j, --any-nat
209 Filter any NAT connections.
210 -w, --zone
212 Filter by conntrack zone. See iptables CT target for more infor‐
213 mation.
214 --orig-zone
216 Filter by conntrack zone in original direction. See iptables CT
217 target for more information.
218 --reply-zone
220 Filter by conntrack zone in reply direction. See iptables CT
221 target for more information.
222 --tuple-src IP_ADDRESS
224 Specify the tuple source address of an expectation. Implies
225 "--mask-src" when CIDR notation is used.
226 --tuple-dst IP_ADDRESS
228 Specify the tuple destination address of an expectation.
229 Implies "--mask-dst" when CIDR notation is used.
230 --mask-src IP_ADDRESS
232 Specify the source address mask. For conntracks this option is
233 only available in conjunction with "-L, --dump", "-E, --event",
234 "-U --update" or "-D --delete". For expectations this option is
235 only available in conjunction with "-I, --create".
236 --mask-dst IP_ADDRESS
238 Specify the destination address mask. Same limitations as for
239 "--mask-src".
240 PROTOCOL FILTER PARAMETERS
243 TCP-specific fields:
244 --sport, --orig-port-src PORT
246 Source port in original direction
247 --dport, --orig-port-dst PORT
249 Destination port in original direction
250 --reply-port-src PORT
252 Source port in reply direction
253 --reply-port-dst PORT
255 Destination port in reply direction
256 --state state
258 TCP state, one of NONE, SYN_SENT, SYN_RECV, ESTABLISHED,
259 FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE or LISTEN.
260 UDP-specific fields:
263 --sport, --orig-port-src PORT
265 Source port in original direction
266 --dport, --orig-port-dst PORT
268 Destination port in original direction
269 --reply-port-src PORT
271 Source port in reply direction
272 --reply-port-dst PORT
274 Destination port in reply direction
275 ICMP-specific fields:
278 --icmp-type TYPE
280 ICMP Type. Has to be specified numerically.
281 --icmp-code CODE
283 ICMP Code. Has to be specified numerically.
284 --icmp-id ID
286 ICMP Id. Has to be specified numerically (non-mandatory)
287 UDPlite-specific fields:
290 --sport, --orig-port-src PORT
292 Source port in original direction
293 --dport, --orig-port-dst PORT
295 Destination port in original direction
296 --reply-port-src PORT
298 Source port in reply direction
299 --reply-port-dst PORT
301 Destination port in reply direction
302 SCTP-specific fields:
305 --sport, --orig-port-src PORT
307 Source port in original direction
308 --dport, --orig-port-dst PORT
310 Destination port in original direction
311 --reply-port-src PORT
313 Source port in reply direction
314 --reply-port-dst PORT
316 Destination port in reply direction
317 --state state
319 SCTP state, one of NONE, CLOSED, COOKIE_WAIT, COOKIE_ECHOED,
320 ESTABLISHED, SHUTDOWN_SENT, SHUTDOWN_RECD, SHUTDOWN_ACK_SENT.
321 --orig-vtag value
323 Verification tag (32-bits value) in the original direction
324 --reply-vtag value
326 Verification tag (32-bits value) in the reply direction
327 DCCP-specific fields (needs Linux >= 2.6.30):
330 --sport, --orig-port-src PORT
332 Source port in original direction
333 --dport, --orig-port-dst PORT
335 Destination port in original direction
336 --reply-port-src PORT
338 Source port in reply direction
339 --reply-port-dst PORT
341 Destination port in reply direction
342 --state state
344 DCCP state, one of NONE, REQUEST, RESPOND, PARTOPEN, OPEN,
345 CLOSEREQ, CLOSING, TIMEWAIT.
346 --role [client|server]
348 Role that the original conntrack tuple is tracking
349 GRE-specific fields:
352 --srckey, --orig-key-src KEY
354 Source key in original direction (in hexadecimal or decimal)
355 --dstkey, --orig-key-dst KEY
357 Destination key in original direction (in hexadecimal or deci‐
358 mal)
359 --reply-key-src KEY
361 Source key in reply direction (in hexadecimal or decimal)
362 --reply-key-dst KEY
364 Destination key in reply direction (in hexadecimal or decimal)
365
368 The exit code is 0 for correct function. Errors which appear to be
369 caused by invalid command line parameters cause an exit code of 2. Any
370 other errors cause an exit code of 1.
371
374 conntrack -L
375 Show the connection tracking table in /proc/net/ip_conntrack
376 format
377 conntrack -L -o extended
379 Show the connection tracking table in /proc/net/nf_conntrack
380 format, with additional information.
381 conntrack -L -o xml
383 Show the connection tracking table in XML
384 conntrack -L -f ipv6 -o extended
386 Only dump IPv6 connections in /proc/net/nf_conntrack format,
387 with additional information.
388 conntrack -L --src-nat
390 Show source NAT connections
391 conntrack -E -o timestamp
393 Show connection events together with the timestamp
394 conntrack -D -s 1.2.3.4
396 Delete all flow whose source address is 1.2.3.4
397 conntrack -U -s 1.2.3.4 -m 1
399 Set connmark to 1 of all the flows whose source address is
400 1.2.3.4
401
404 Please, report them to netfilter-devel@vger.kernel.org or file a bug in
405 Netfilter's bugzilla (https://bugzilla.netfilter.org).
406
409 nftables(8),iptables(8),conntrackd(8)
410 See http://conntrack-tools.netfilter.org
411
414 Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote
415 the kernel-level "ctnetlink" interface that is used by the conntrack
416 tool.
417 Pablo Neira Ayuso wrote and maintain the conntrack tool, Harald Welte
419 added support for conntrack based accounting counters.
420 Man page written by Harald Welte <laforge@netfilter.org> and Pablo
422 Neira Ayuso <pablo@netfilter.org>.
423 Sep 26, 2017 CONNTRACK(8)