CONNTRACK(8)                                                      CONNTRACK(8)

NAME
       conntrack - command line interface for netfilter connection tracking

SYNOPSIS
       conntrack -L [table] [options] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -U [table] parameters
       conntrack -E [table] [options]
       conntrack -F [table]
       conntrack -C [table]
       conntrack -S

DESCRIPTION
       The conntrack utility provides a full featured userspace interface to
       the Netfilter connection tracking system that is intended to replace
       the old /proc/net/ip_conntrack interface. This tool can be used to
       search, list, inspect and maintain the connection tracking subsystem of
       the Linux kernel.

       Using conntrack, you can dump a list of all (or a filtered selection
       of) currently tracked connections, delete connections from the state
       table, and even add new ones.

       In addition, you can also monitor connection tracking events, e.g. show
       an event message (one line) per newly established connection.

TABLES
       The connection tracking subsystem maintains several internal tables:

       conntrack:
              This is the default table. It contains a list of all currently
              tracked connections through the system. If you don't use
              connection tracking exemptions (NOTRACK iptables target), this
              means all connections that go through the system.

       expect:
              This is the table of expectations. Connection tracking
              expectations are the mechanism used to "expect" RELATED
              connections to existing ones. Expectations are generally used by
              "connection tracking helpers" (sometimes called application
              level gateways [ALGs]) for more complex protocols such as FTP,
              SIP or H.323.

       dying: This table shows the conntrack entries that have expired and
              that have been destroyed by the connection tracking system
              itself, or via the conntrack utility.

       unconfirmed:
              This table shows new entries that are not yet inserted into the
              conntrack table. These entries are attached to packets that are
              traversing the stack, but did not reach the confirmation point
              at the postrouting hook.

       The tables "dying" and "unconfirmed" are basically only useful for
       debugging purposes. Under normal operation, it is hard to see entries
       in any of them. There are corner cases where it is valid to see
       entries in the unconfirmed table, e.g. when packets are enqueued via
       nfqueue, and in the dying table, e.g. when conntrackd(8) runs in event
       reliable mode.

OPTIONS
       The options recognized by conntrack can be divided into several
       different groups.

   COMMANDS
       These options specify the particular operation to perform. Only one of
       them can be specified at any given time.

       -L, --dump
              List the connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given
              table.

       -D, --delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table.

       -U, --update
              Update an entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table.

       -C, --count
              Show the table counter.

       -S, --stats
              Show the in-kernel connection tracking system statistics.

   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them. This option is
              only valid in combination with the "-L, --dump" command option.

       -o, --output [extended,xml,timestamp,id,ktimestamp,labels,userspace]
              Display output in a certain format. With the extended output
              option, this tool displays the layer 3 information. With
              ktimestamp, it displays the in-kernel timestamp available since
              2.6.38 (you can enable it via the sysctl(8) key
              net.netfilter.nf_conntrack_timestamp). The labels output option
              tells conntrack to show the names of connection tracking labels
              that might be present. The userspace output option tells
              whether the event has been triggered by a process.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the
              in-kernel ctnetlink event code. Using this parameter, you can
              reduce the event messages generated by the kernel to those
              types that you are actually interested in. This option can only
              be used in conjunction with "-E, --event".

       -b, --buffer-size value
              Set the Netlink socket buffer size in bytes. This option is
              useful if the command line tool reports ENOBUFS errors. If you
              do not pass this option, the default value available at the
              sysctl(8) key net.core.rmem_default is used. The tool reports
              this problem if your process is too slow to handle all the event
              messages or, in other words, if the amount of events is big
              enough to overrun the socket buffer. Note that using a big
              buffer reduces the chances of hitting ENOBUFS, but results in
              more memory consumption. This option can only be used in
              conjunction with "-E, --event".

   FILTER PARAMETERS
       -s, --src, --orig-src IP_ADDRESS
              Match only entries whose source address in the original
              direction equals the one specified as argument. Implies
              "--mask-src" when CIDR notation is used.

       -d, --dst, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original
              direction equals the one specified as argument. Implies
              "--mask-dst" when CIDR notation is used.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in the reply direction
              equals the one specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match only entries whose destination address in the reply
              direction equals the one specified as argument.

       -p, --proto PROTO
              Specify the layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify the layer three (ipv4, ipv6) protocol. This option is
              only required in conjunction with "-L, --dump". If this option
              is not passed, the default layer 3 protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout.

       -m, --mark MARK[/MASK]
              Specify the conntrack mark. Optionally, a mask value can be
              specified. In "--update" mode, this mask specifies the bits
              that should be zeroed before XORing the MARK value into the
              ctmark. Otherwise, the mask is logically ANDed with the existing
              mark before the comparison. In "--create" mode, the mask is
              ignored.

       -l, --label LABEL
              Specify a conntrack label. This option is only available in
              conjunction with "-L, --dump", "-E, --event", "-U, --update" or
              "-D, --delete". Match entries whose labels match at least those
              specified. Use multiple -l options to specify multiple labels
              that need to be set.

       --label-add LABEL
              Specify the conntrack label to add to the selected conntracks.
              This option is only available in conjunction with "-I,
              --create" or "-U, --update".

       --label-del [LABEL]
              Specify the conntrack label to delete from the selected
              conntracks. If no label is given, all labels are deleted. This
              option is only available in conjunction with "-U, --update".

       -c, --secmark SECMARK
              Specify the conntrack selinux security mark.

       -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|OFFLOAD|UNSET][,...]
              Specify the conntrack status.

       -n, --src-nat
              Filter source NAT connections.

       -g, --dst-nat
              Filter destination NAT connections.

       -j, --any-nat
              Filter any NAT connections.

       -w, --zone
              Filter by conntrack zone. See the iptables CT target for more
              information.

       --orig-zone
              Filter by conntrack zone in the original direction. See the
              iptables CT target for more information.

       --reply-zone
              Filter by conntrack zone in the reply direction. See the
              iptables CT target for more information.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation. Implies
              "--mask-src" when CIDR notation is used.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.
              Implies "--mask-dst" when CIDR notation is used.

       --mask-src IP_ADDRESS
              Specify the source address mask. For conntracks this option is
              only available in conjunction with "-L, --dump", "-E, --event",
              "-U, --update" or "-D, --delete". For expectations this option
              is only available in conjunction with "-I, --create".

       --mask-dst IP_ADDRESS
              Specify the destination address mask. Same limitations as for
              "--mask-src".

   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              TCP state, one of NONE, SYN_SENT, SYN_RECV, ESTABLISHED,
              FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE or LISTEN.

       UDP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       ICMP-specific fields:

       --icmp-type TYPE
              ICMP Type. Has to be specified numerically.

       --icmp-code CODE
              ICMP Code. Has to be specified numerically.

       --icmp-id ID
              ICMP Id. Has to be specified numerically (non-mandatory).

       UDPlite-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       SCTP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              SCTP state, one of NONE, CLOSED, COOKIE_WAIT, COOKIE_ECHOED,
              ESTABLISHED, SHUTDOWN_SENT, SHUTDOWN_RECD, SHUTDOWN_ACK_SENT.

       --orig-vtag value
              Verification tag (32-bit value) in the original direction

       --reply-vtag value
              Verification tag (32-bit value) in the reply direction

       DCCP-specific fields (needs Linux >= 2.6.30):

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              DCCP state, one of NONE, REQUEST, RESPOND, PARTOPEN, OPEN,
              CLOSEREQ, CLOSING, TIMEWAIT.

       --role [client|server]
              Role that the original conntrack tuple is tracking

       GRE-specific fields:

       --srckey, --orig-key-src KEY
              Source key in original direction (in hexadecimal or decimal)

       --dstkey, --orig-key-dst KEY
              Destination key in original direction (in hexadecimal or
              decimal)

       --reply-key-src KEY
              Source key in reply direction (in hexadecimal or decimal)

       --reply-key-dst KEY
              Destination key in reply direction (in hexadecimal or decimal)

DIAGNOSTICS
       The exit code is 0 for correct function. Errors which appear to be
       caused by invalid command line parameters cause an exit code of 2. Any
       other errors cause an exit code of 1.

EXAMPLES
       conntrack -L
              Show the connection tracking table in /proc/net/ip_conntrack
              format.

       conntrack -L -o extended
              Show the connection tracking table in /proc/net/nf_conntrack
              format, with additional information.

       conntrack -L -o xml
              Show the connection tracking table in XML.

       conntrack -L -f ipv6 -o extended
              Only dump IPv6 connections in /proc/net/nf_conntrack format,
              with additional information.

       conntrack -L --src-nat
              Show source NAT connections.

       conntrack -E -o timestamp
              Show connection events together with the timestamp.

       conntrack -D -s 1.2.3.4
              Delete all flows whose source address is 1.2.3.4.

       conntrack -U -s 1.2.3.4 -m 1
              Set the connmark of all flows whose source address is 1.2.3.4
              to 1.

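       The -m MARK[/MASK] rules from FILTER PARAMETERS and the -L, -D and -U
       examples above, worked through in a script. This is an added example,
       not code from the conntrack-tools project; it assumes input in the
       /proc/net/ip_conntrack line format that "conntrack -L" prints, and the
       dump lines, addresses and mark values in it are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the conntrack man page): parse /proc/net/ip_conntrack
# style lines as printed by `conntrack -L` and apply the "-m MARK[/MASK]" rules.
# SAMPLE is constructed data; on a live host use the output of: conntrack -L
set -f   # dumps contain tokens such as [ASSURED]; never glob-expand them

SAMPLE='tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=45678 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=45678 [ASSURED] mark=0 use=1
tcp      6 120 SYN_SENT src=10.0.0.2 dst=203.0.113.5 sport=51000 dport=443 [UNREPLIED] src=203.0.113.5 dst=198.51.100.1 sport=443 dport=51000 mark=0 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 [ASSURED] mark=8 use=1'

# Print "orig_src orig_dst reply_src reply_dst mark nat" for one dump line.
# The first src=/dst= pair is the original tuple, the second the reply tuple.
ct_parse_line() {
    _osrc= _odst= _rsrc= _rdst= _mark=0
    for _w in $1; do
        case $_w in
            src=*)  if [ -z "$_osrc" ]; then _osrc=${_w#src=}; else _rsrc=${_w#src=}; fi ;;
            dst=*)  if [ -z "$_odst" ]; then _odst=${_w#dst=}; else _rdst=${_w#dst=}; fi ;;
            mark=*) _mark=${_w#mark=} ;;
        esac
    done
    # Without NAT the reply tuple mirrors the original; a difference means NAT.
    if [ "$_rsrc" = "$_odst" ] && [ "$_rdst" = "$_osrc" ]; then _nat=no; else _nat=yes; fi
    printf '%s %s %s %s %s %s\n' "$_osrc" "$_odst" "$_rsrc" "$_rdst" "$_mark" "$_nat"
}

# Filter rule of -m MARK/MASK: mask is ANDed with the existing mark, then compared.
ct_mark_matches() {  # existing_mark mark mask -> exit status 0 on match
    [ $(( $1 & $3 )) -eq $(( $2 )) ]
}

# Update rule of "-U -m MARK/MASK": zero the MASK bits, then XOR MARK in.
ct_update_mark() {  # old_mark mark mask -> prints the new ctmark in decimal
    printf '%d\n' $(( ($1 & ~$3) ^ $2 ))
}

# Count flows whose original-direction source is $2 (what "-D -s"/"-U -s" act on).
ct_count_from_src() {  # dump_text address
    _dump=$1 _ip=$2 _c=0
    while IFS= read -r _l; do
        [ -n "$_l" ] || continue
        set -- $(ct_parse_line "$_l")
        if [ "$1" = "$_ip" ]; then _c=$((_c + 1)); fi
    done <<EOF
$_dump
EOF
    printf '%s\n' "$_c"
}

ct_count_from_src "$SAMPLE" 10.0.0.2   # -> 2 (flows "-D -s 10.0.0.2" would delete)
ct_update_mark 255 16 15               # -> 224 (0xff with low nibble zeroed, XOR 0x10)
```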

BUGS
       Please report them to netfilter-devel@vger.kernel.org or file a bug in
       Netfilter's bugzilla (https://bugzilla.netfilter.org).

SEE ALSO
       nftables(8), iptables(8), conntrackd(8)
       See http://conntrack-tools.netfilter.org

AUTHORS
       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote
       the kernel-level "ctnetlink" interface that is used by the conntrack
       tool.

       Pablo Neira Ayuso wrote and maintains the conntrack tool; Harald Welte
       added support for conntrack based accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org> and Pablo
       Neira Ayuso <pablo@netfilter.org>.

                                 Aug 9, 2019                      CONNTRACK(8)