1CONNTRACK(8) CONNTRACK(8)
2
6 conntrack - command line interface for netfilter connection tracking
7
9 conntrack -L [table] [options] [-z]
10 conntrack -G [table] parameters
11 conntrack -D [table] parameters
12 conntrack -I [table] parameters
13 conntrack -U [table] parameters
14 conntrack -E [table] [options]
15 conntrack -F [table]
16 conntrack -C [table]
17 conntrack -S
18
20 The conntrack utilty provides a full featured userspace interface to
21 the Netfilter connection tracking system that is intended to replace
22 the old /proc/net/ip_conntrack interface. This tool can be used to
23 search, list, inspect and maintain the connection tracking subsystem of
24 the Linux kernel.
25 Using conntrack, you can dump a list of all (or a filtered selection
27 of) currently tracked connections, delete connections from the state
28 table, and even add new ones.
29 In addition, you can also monitor connection tracking events, e.g. show
31 an event message (one line) per newly established connection.
32
35 The connection tracking subsystem maintains several internal tables:
36 conntrack:
38 This is the default table. It contains a list of all currently
39 tracked connections through the system. If you don't use con‐
40 nection tracking exemptions (NOTRACK iptables target), this
41 means all connections that go through the system.
42 expect:
44 This is the table of expectations. Connection tracking expecta‐
45 tions are the mechanism used to "expect" RELATED connections to
46 existing ones. Expectations are generally used by "connection
47 tracking helpers" (sometimes called application level gateways
48 [ALGs]) for more complex protocols such as FTP, SIP or H.323.
49 dying: This table shows the conntrack entries, that have expired and
51 that have been destroyed by the connection tracking system it‐
52 self, or via the conntrack utility.
53 unconfirmed:
55 This table shows new entries, that are not yet inserted into the
56 conntrack table. These entries are attached to packets that are
57 traversing the stack, but did not reach the confirmation point
58 at the postrouting hook.
59 The tables "dying" and "unconfirmed" are basically only useful
61 for debugging purposes. Under normal operation, it is hard to
62 see entries in any of them. There are corner cases, where it is
63 valid to see entries in the unconfirmed table, eg. when packets
64 that are enqueued via nfqueue, and the dying table, eg. when
65 conntrackd(8) runs in event reliable mode.
66
69 The options recognized by conntrack can be divided into several differ‐
70 ent groups.
71 COMMANDS
74 These options specify the particular operation to perform. Only one of
75 them can be specified at any given time.
76 -L --dump
78 List connection tracking or expectation table
79 -G, --get
81 Search for and show a particular (matching) entry in the given
82 table.
83 -D, --delete
85 Delete an entry from the given table.
86 -I, --create
88 Create a new entry from the given table.
89 -U, --update
91 Update an entry from the given table.
92 -E, --event
94 Display a real-time event log.
95 -F, --flush
97 Flush the whole given table
98 -C, --count
100 Show the table counter.
101 -S, --stats
103 Show the in-kernel connection tracking system statistics.
104 PARAMETERS
107 -z, --zero
108 Atomically zero counters after reading them. This option is
109 only valid in combination with the "-L, --dump" command options.
110 -o, --output [extended,xml,timestamp,id,ktimestamp,labels,userspace]
112 Display output in a certain format. With the extended output op‐
113 tion, this tool displays the layer 3 information. With ktimes‐
114 tamp, it displays the in-kernel timestamp available since 2.6.38
115 (you can enable it via the sysctl(8) key net.netfilter.nf_con‐
116 ntrack_timestamp). The labels output option tells conntrack to
117 show the names of connection tracking labels that might be
118 present. The userspace output options tells if the event has
119 been triggered by a process.
120 -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
122 Set the bitmask of events that are to be generated by the in-
123 kernel ctnetlink event code. Using this parameter, you can re‐
124 duce the event messages generated by the kernel to those types
125 to those that you are actually interested in. This option can
126 only be used in conjunction with "-E, --event".
127 -b, --buffer-size value
129 Set the Netlink socket buffer size in bytes. This option is use‐
130 ful if the command line tool reports ENOBUFS errors. If you do
131 not pass this option, the default value available at sysctl(8)
132 key net.core.rmem_default is used. The tool reports this problem
133 if your process is too slow to handle all the event messages or,
134 in other words, if the amount of events are big enough to over‐
135 run the socket buffer. Note that using a big buffer reduces the
136 chances to hit ENOBUFS, however, this results in more memory
137 consumption. This option can only be used in conjunction with
138 "-E, --event".
139 FILTER PARAMETERS
142 -s, --src, --orig-src IP_ADDRESS
143 Match only entries whose source address in the original direc‐
144 tion equals the one specified as argument. Implies "--mask-src"
145 when CIDR notation is used.
146 -d, --dst, --orig-dst IP_ADDRESS
148 Match only entries whose destination address in the original di‐
149 rection equals the one specified as argument. Implies "--mask-
150 dst" when CIDR notation is used.
151 -r, --reply-src IP_ADDRESS
153 Match only entries whose source address in the reply direction
154 equals the one specified as argument.
155 -q, --reply-dst IP_ADDRESS
157 Match only entries whose destination address in the reply direc‐
158 tion equals the one specified as argument.
159 -p, --proto PROTO
161 Specify layer four (TCP, UDP, ...) protocol.
162 -f, --family PROTO
164 Specify layer three (ipv4, ipv6) protocol This option is only
165 required in conjunction with "-L, --dump". If this option is not
166 passed, the default layer 3 protocol will be IPv4.
167 -t, --timeout TIMEOUT
169 Specify the timeout.
170 -m, --mark MARK[/MASK]
172 Specify the conntrack mark. Optionally, a mask value can be
173 specified. In "--update" mode, this mask specifies the bits
174 that should be zeroed before XORing the MARK value into the ct‐
175 mark. Otherwise, the mask is logically ANDed with the existing
176 mark before the comparision. In "--create" mode, the mask is ig‐
177 nored.
178 -l, --label LABEL
180 Specify a conntrack label. This option is only available in
181 conjunction with "-L, --dump", "-E, --event", "-U --update" or
182 "-D --delete". Match entries whose labels match at least those
183 specified. Use multiple -l commands to specify multiple labels
184 that need to be set. Match entries whose labels matches at
185 least those specified as arguments.
186 --label-add LABEL
188 Specify the conntrack label to add to to the selected con‐
189 ntracks. This option is only available in conjunction with "-I,
190 --create" or "-U, --update".
191 --label-del [LABEL]
193 Specify the conntrack label to delete from the selected con‐
194 ntracks. If no label is given, all labels are deleted. This
195 option is only available in conjunction with "-U, --update".
196 -c, --secmark SECMARK
198 Specify the conntrack selinux security mark.
199 -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|OFFLOAD|UN‐
201 SET][,...]
202 Specify the conntrack status.
203 -n, --src-nat
205 Filter source NAT connections.
206 -g, --dst-nat
208 Filter destination NAT connections.
209 -j, --any-nat
211 Filter any NAT connections.
212 -w, --zone
214 Filter by conntrack zone. See iptables CT target for more infor‐
215 mation.
216 --orig-zone
218 Filter by conntrack zone in original direction. See iptables CT
219 target for more information.
220 --reply-zone
222 Filter by conntrack zone in reply direction. See iptables CT
223 target for more information.
224 --tuple-src IP_ADDRESS
226 Specify the tuple source address of an expectation. Implies
227 "--mask-src" when CIDR notation is used.
228 --tuple-dst IP_ADDRESS
230 Specify the tuple destination address of an expectation. Im‐
231 plies "--mask-dst" when CIDR notation is used.
232 --mask-src IP_ADDRESS
234 Specify the source address mask. For conntracks this option is
235 only available in conjunction with "-L, --dump", "-E, --event",
236 "-U --update" or "-D --delete". For expectations this option is
237 only available in conjunction with "-I, --create".
238 --mask-dst IP_ADDRESS
240 Specify the destination address mask. Same limitations as for
241 "--mask-src".
242 PROTOCOL FILTER PARAMETERS
245 TCP-specific fields:
246 --sport, --orig-port-src PORT
248 Source port in original direction
249 --dport, --orig-port-dst PORT
251 Destination port in original direction
252 --reply-port-src PORT
254 Source port in reply direction
255 --reply-port-dst PORT
257 Destination port in reply direction
258 --state state
260 TCP state, one of NONE, SYN_SENT, SYN_RECV, ESTABLISHED,
261 FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE or LISTEN.
262 UDP-specific fields:
265 --sport, --orig-port-src PORT
267 Source port in original direction
268 --dport, --orig-port-dst PORT
270 Destination port in original direction
271 --reply-port-src PORT
273 Source port in reply direction
274 --reply-port-dst PORT
276 Destination port in reply direction
277 ICMP-specific fields:
280 --icmp-type TYPE
282 ICMP Type. Has to be specified numerically.
283 --icmp-code CODE
285 ICMP Code. Has to be specified numerically.
286 --icmp-id ID
288 ICMP Id. Has to be specified numerically (non-mandatory)
289 UDPlite-specific fields:
292 --sport, --orig-port-src PORT
294 Source port in original direction
295 --dport, --orig-port-dst PORT
297 Destination port in original direction
298 --reply-port-src PORT
300 Source port in reply direction
301 --reply-port-dst PORT
303 Destination port in reply direction
304 SCTP-specific fields:
307 --sport, --orig-port-src PORT
309 Source port in original direction
310 --dport, --orig-port-dst PORT
312 Destination port in original direction
313 --reply-port-src PORT
315 Source port in reply direction
316 --reply-port-dst PORT
318 Destination port in reply direction
319 --state state
321 SCTP state, one of NONE, CLOSED, COOKIE_WAIT, COOKIE_ECHOED, ES‐
322 TABLISHED, SHUTDOWN_SENT, SHUTDOWN_RECD, SHUTDOWN_ACK_SENT.
323 --orig-vtag value
325 Verification tag (32-bits value) in the original direction
326 --reply-vtag value
328 Verification tag (32-bits value) in the reply direction
329 DCCP-specific fields (needs Linux >= 2.6.30):
332 --sport, --orig-port-src PORT
334 Source port in original direction
335 --dport, --orig-port-dst PORT
337 Destination port in original direction
338 --reply-port-src PORT
340 Source port in reply direction
341 --reply-port-dst PORT
343 Destination port in reply direction
344 --state state
346 DCCP state, one of NONE, REQUEST, RESPOND, PARTOPEN, OPEN,
347 CLOSEREQ, CLOSING, TIMEWAIT.
348 --role [client|server]
350 Role that the original conntrack tuple is tracking
351 GRE-specific fields:
354 --srckey, --orig-key-src KEY
356 Source key in original direction (in hexadecimal or decimal)
357 --dstkey, --orig-key-dst KEY
359 Destination key in original direction (in hexadecimal or deci‐
360 mal)
361 --reply-key-src KEY
363 Source key in reply direction (in hexadecimal or decimal)
364 --reply-key-dst KEY
366 Destination key in reply direction (in hexadecimal or decimal)
367
370 The exit code is 0 for correct function. Errors which appear to be
371 caused by invalid command line parameters cause an exit code of 2. Any
372 other errors cause an exit code of 1.
373
376 conntrack -L
377 Show the connection tracking table in /proc/net/ip_conntrack
378 format
379 conntrack -L -o extended
381 Show the connection tracking table in /proc/net/nf_conntrack
382 format, with additional information.
383 conntrack -L -o xml
385 Show the connection tracking table in XML
386 conntrack -L -f ipv6 -o extended
388 Only dump IPv6 connections in /proc/net/nf_conntrack format,
389 with additional information.
390 conntrack -L --src-nat
392 Show source NAT connections
393 conntrack -E -o timestamp
395 Show connection events together with the timestamp
396 conntrack -D -s 1.2.3.4
398 Delete all flow whose source address is 1.2.3.4
399 conntrack -U -s 1.2.3.4 -m 1
401 Set connmark to 1 of all the flows whose source address is
402 1.2.3.4
403
406 Please, report them to netfilter-devel@vger.kernel.org or file a bug in
407 Netfilter's bugzilla (https://bugzilla.netfilter.org).
408
411 nftables(8),iptables(8),conntrackd(8)
412 See http://conntrack-tools.netfilter.org
413
416 Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote
417 the kernel-level "ctnetlink" interface that is used by the conntrack
418 tool.
419 Pablo Neira Ayuso wrote and maintain the conntrack tool, Harald Welte
421 added support for conntrack based accounting counters.
422 Man page written by Harald Welte <laforge@netfilter.org> and Pablo
424 Neira Ayuso <pablo@netfilter.org>.
425 Aug 9, 2019 CONNTRACK(8)