CONNTRACK(8)                                                      CONNTRACK(8)

NAME
       conntrack - command line interface for netfilter connection tracking

SYNOPSIS
       conntrack -L [table] [options] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -U [table] parameters
       conntrack -E [table] [options]
       conntrack -F [table]
       conntrack -C [table]
       conntrack -S

DESCRIPTION
       The conntrack utility provides a full-featured userspace interface to
       the Netfilter connection tracking system that is intended to replace
       the old /proc/net/ip_conntrack interface.  This tool can be used to
       search, list, inspect and maintain the connection tracking subsystem of
       the Linux kernel.

       Using conntrack, you can dump a list of all (or a filtered selection
       of) currently tracked connections, delete connections from the state
       table, and even add new ones.

       In addition, you can also monitor connection tracking events, e.g. show
       an event message (one line) per newly established connection.

TABLES
       The connection tracking subsystem maintains several internal tables:

       conntrack:
              This is the default table.  It contains a list of all currently
              tracked connections through the system.  If you don't use
              connection tracking exemptions (NOTRACK iptables target), this
              means all connections that go through the system.

       expect:
              This is the table of expectations.  Connection tracking
              expectations are the mechanism used to "expect" RELATED
              connections to existing ones.  Expectations are generally used
              by "connection tracking helpers" (sometimes called application
              level gateways [ALGs]) for more complex protocols such as FTP,
              SIP or H.323.

       dying: This table shows the conntrack entries that have expired and
              that have been destroyed by the connection tracking system
              itself, or via the conntrack utility.

       unconfirmed:
              This table shows new entries that are not yet inserted into the
              conntrack table.  These entries are attached to packets that are
              traversing the stack, but did not reach the confirmation point
              at the postrouting hook.

              The tables "dying" and "unconfirmed" are basically only useful
              for debugging purposes.  Under normal operation, it is hard to
              see entries in either of them.  There are corner cases where it
              is valid to see entries in the unconfirmed table, e.g. when
              packets are enqueued via nfqueue, and in the dying table, e.g.
              when conntrackd(8) runs in event reliable mode.

OPTIONS
       The options recognized by conntrack can be divided into several
       different groups.

   COMMANDS
       These options specify the particular operation to perform.  Only one of
       them can be specified at any given time.

       -L, --dump
              List the connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given
              table.

       -D, --delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table.

       -U, --update
              Update an entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table.

       -C, --count
              Show the table counter.

       -S, --stats
              Show the in-kernel connection tracking system statistics.

   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them.  This option is
              only valid in combination with the "-L, --dump" command option.

       -o, --output [extended,xml,timestamp,id,ktimestamp,labels,userspace]
              Display output in a certain format.  With the extended output
              option, this tool displays the layer 3 information.  With
              ktimestamp, it displays the in-kernel timestamp available since
              2.6.38 (you can enable it via the sysctl(8) key
              net.netfilter.nf_conntrack_timestamp).  The labels output option
              tells conntrack to show the names of connection tracking labels
              that might be present.  The userspace output option tells
              whether the event has been triggered by a process.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the
              in-kernel ctnetlink event code.  Using this parameter, you can
              reduce the event messages generated by the kernel to those types
              that you are actually interested in.  This option can only be
              used in conjunction with "-E, --event".

       -b, --buffer-size value
              Set the Netlink socket buffer size in bytes.  This option is
              useful if the command line tool reports ENOBUFS errors.  If you
              do not pass this option, the default value available at the
              sysctl(8) key net.core.rmem_default is used.  The tool reports
              this problem if your process is too slow to handle all the event
              messages or, in other words, if the number of events is large
              enough to overrun the socket buffer.  Note that using a big
              buffer reduces the chances of hitting ENOBUFS; however, it also
              increases memory consumption.  This option can only be used in
              conjunction with "-E, --event".

   FILTER PARAMETERS
       -s, --src, --orig-src IP_ADDRESS
              Match only entries whose source address in the original
              direction equals the one specified as argument.  Implies
              "--mask-src" when CIDR notation is used.

       -d, --dst, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original
              direction equals the one specified as argument.  Implies
              "--mask-dst" when CIDR notation is used.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in the reply direction
              equals the one specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match only entries whose destination address in the reply
              direction equals the one specified as argument.

       -p, --proto PROTO
              Specify the layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify the layer three (ipv4, ipv6) protocol.  This option is
              only required in conjunction with "-L, --dump".  If this option
              is not passed, the default layer 3 protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout.

       -m, --mark MARK[/MASK]
              Specify the conntrack mark.  Optionally, a mask value can be
              specified.  In "--update" mode, this mask specifies the bits
              that should be zeroed before XORing the MARK value into the
              ctmark.  Otherwise, the mask is logically ANDed with the
              existing mark before the comparison.  In "--create" mode, the
              mask is ignored.

       -l, --label LABEL
              Specify a conntrack label.  This option is only available in
              conjunction with "-L, --dump", "-E, --event", "-U, --update" or
              "-D, --delete".  Match entries whose labels match at least those
              specified.  Use multiple -l options to specify multiple labels
              that need to be set.

       --label-add LABEL
              Specify the conntrack label to add to the selected conntracks.
              This option is only available in conjunction with "-I, --create"
              or "-U, --update".

       --label-del [LABEL]
              Specify the conntrack label to delete from the selected
              conntracks.  If no label is given, all labels are deleted.  This
              option is only available in conjunction with "-U, --update".

       -c, --secmark SECMARK
              Specify the conntrack SELinux security mark.

       -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|OFFLOAD|UNSET][,...]
              Specify the conntrack status.

       -n, --src-nat
              Filter source NAT connections.

       -g, --dst-nat
              Filter destination NAT connections.

       -j, --any-nat
              Filter any NAT connections.

       -w, --zone
              Filter by conntrack zone.  See the iptables CT target for more
              information.

       --orig-zone
              Filter by conntrack zone in the original direction.  See the
              iptables CT target for more information.

       --reply-zone
              Filter by conntrack zone in the reply direction.  See the
              iptables CT target for more information.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation.  Implies
              "--mask-src" when CIDR notation is used.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.
              Implies "--mask-dst" when CIDR notation is used.

       --mask-src IP_ADDRESS
              Specify the source address mask.  For conntracks this option is
              only available in conjunction with "-L, --dump", "-E, --event",
              "-U, --update" or "-D, --delete".  For expectations this option
              is only available in conjunction with "-I, --create".

       --mask-dst IP_ADDRESS
              Specify the destination address mask.  Same limitations as for
              "--mask-src".

   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              TCP state, one of NONE, SYN_SENT, SYN_RECV, ESTABLISHED,
              FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE or LISTEN.

       UDP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       ICMP-specific fields:

       --icmp-type TYPE
              ICMP type.  Has to be specified numerically.

       --icmp-code CODE
              ICMP code.  Has to be specified numerically.

       --icmp-id ID
              ICMP id.  Has to be specified numerically (non-mandatory).

       UDPlite-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       SCTP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              SCTP state, one of NONE, CLOSED, COOKIE_WAIT, COOKIE_ECHOED,
              ESTABLISHED, SHUTDOWN_SENT, SHUTDOWN_RECD, SHUTDOWN_ACK_SENT.

       --orig-vtag value
              Verification tag (32-bit value) in the original direction

       --reply-vtag value
              Verification tag (32-bit value) in the reply direction

       DCCP-specific fields (needs Linux >= 2.6.30):

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              DCCP state, one of NONE, REQUEST, RESPOND, PARTOPEN, OPEN,
              CLOSEREQ, CLOSING, TIMEWAIT.

       --role [client|server]
              Role that the original conntrack tuple is tracking

       GRE-specific fields:

       --srckey, --orig-key-src KEY
              Source key in original direction (in hexadecimal or decimal)

       --dstkey, --orig-key-dst KEY
              Destination key in original direction (in hexadecimal or
              decimal)

       --reply-key-src KEY
              Source key in reply direction (in hexadecimal or decimal)

       --reply-key-dst KEY
              Destination key in reply direction (in hexadecimal or decimal)

DIAGNOSTICS
       The exit code is 0 for correct function.  Errors which appear to be
       caused by invalid command line parameters cause an exit code of 2.  Any
       other errors cause an exit code of 1.

EXAMPLES
       conntrack -L
              Show the connection tracking table in /proc/net/ip_conntrack
              format.

       conntrack -L -o extended
              Show the connection tracking table in /proc/net/nf_conntrack
              format, with additional information.

       conntrack -L -o xml
              Show the connection tracking table in XML.

       conntrack -L -f ipv6 -o extended
              Only dump IPv6 connections in /proc/net/nf_conntrack format,
              with additional information.

       conntrack -L --src-nat
              Show source NAT connections.

       conntrack -E -o timestamp
              Show connection events together with the timestamp.

       conntrack -D -s 1.2.3.4
              Delete all flows whose source address is 1.2.3.4.

       conntrack -U -s 1.2.3.4 -m 1
              Set the connmark of all flows whose source address is 1.2.3.4
              to 1.
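
       As an added example (not code from conntrack-tools), the following
       Python parses saved "conntrack -L" output in the default
       /proc/net/ip_conntrack style and reproduces offline the -n/-g/-j NAT
       filters and the -m MARK[/MASK] rules for dump and update mode described
       above.  NAT is inferred from original/reply tuple asymmetry rather than
       from the kernel's status bits, and the sample lines are constructed,
       not captured from a real host.

```python
import re

# Added example, not code from conntrack-tools.  Parses default `conntrack -L`
# output lines and models the NAT filters and -m MARK[/MASK] semantics.
# Constructed sample: one SNAT flow, one plain (unreplied) DNS query, one DNAT.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=51234 dport=443 src=198.51.100.7 dst=203.0.113.1 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=53012 dport=53 [UNREPLIED] src=10.0.0.1 dst=10.0.0.5 sport=53 dport=53012 mark=3 use=1
tcp      6 117 TIME_WAIT src=203.0.113.9 dst=203.0.113.1 sport=40000 dport=8080 src=10.0.0.20 dst=203.0.113.9 sport=80 dport=40000 [ASSURED] mark=16 use=1
"""

TUPLE_KEYS = {"src", "dst", "sport", "dport"}
FULL_MASK = 0xFFFFFFFF  # ctmark is a 32-bit value; no MASK given means all bits

def parse_entry(line):
    """Split one -L line into protocol, original/reply tuples, flags and mark."""
    orig, reply, mark = {}, {}, 0
    for key, val in re.findall(r"(\w+)=(\S+)", line):
        if key in TUPLE_KEYS:
            # first occurrence is the original direction, second is the reply
            (orig if key not in orig else reply)[key] = val
        elif key == "mark":
            mark = int(val)
    return {"proto": line.split()[0], "orig": orig, "reply": reply,
            "flags": re.findall(r"\[(\w+)\]", line), "mark": mark}

def is_src_nat(e):
    # source NAT (-n): replies are sent to something other than the original source
    return (e["reply"]["dst"], e["reply"]["dport"]) != (e["orig"]["src"], e["orig"]["sport"])

def is_dst_nat(e):
    # destination NAT (-g): replies come from something other than the original dst
    return (e["reply"]["src"], e["reply"]["sport"]) != (e["orig"]["dst"], e["orig"]["dport"])

def mark_matches(e, value, mask=FULL_MASK):
    """-L/-D/-E mode: the mask is ANDed with the existing mark, then compared."""
    return (e["mark"] & mask) == value

def updated_mark(e, value, mask=FULL_MASK):
    """-U mode: bits in mask are zeroed first, then MARK is XORed in
    (so `-U -m 1` with no mask simply sets the mark to 1, as in EXAMPLES)."""
    return ((e["mark"] & ~mask) ^ value) & FULL_MASK

def classify(text):
    """Map (orig src, orig dst) -> 'SNAT' | 'DNAT' | 'none'; anything but
    'none' is what -j/--any-nat would select."""
    out = {}
    for line in text.splitlines():
        e = parse_entry(line)
        out[(e["orig"]["src"], e["orig"]["dst"])] = (
            "SNAT" if is_src_nat(e) else "DNAT" if is_dst_nat(e) else "none")
    return out
```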

BUGS
       Please report them to netfilter-devel@vger.kernel.org or file a bug in
       Netfilter's bugzilla (https://bugzilla.netfilter.org).

SEE ALSO
       nftables(8), iptables(8), conntrackd(8)
       See http://conntrack-tools.netfilter.org

AUTHORS
       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote
       the kernel-level "ctnetlink" interface that is used by the conntrack
       tool.

       Pablo Neira Ayuso wrote and maintains the conntrack tool, Harald Welte
       added support for conntrack based accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org> and Pablo
       Neira Ayuso <pablo@netfilter.org>.



                                  Aug 9, 2019                     CONNTRACK(8)