CONNTRACK(8)                                                      CONNTRACK(8)

NAME
       conntrack - command line interface for netfilter connection tracking

SYNOPSIS
       conntrack -L [table] [options] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -A [table] parameters
       conntrack -U [table] parameters
       conntrack -E [table] [options]
       conntrack -F [table]
       conntrack -C [table]
       conntrack -S
       conntrack -R file

DESCRIPTION
       The conntrack utility provides a full-featured userspace interface to
       the Netfilter connection tracking system that is intended to replace
       the old /proc/net/ip_conntrack interface. This tool can be used to
       search, list, inspect and maintain the connection tracking subsystem of
       the Linux kernel.

       Using conntrack, you can dump a list of all (or a filtered selection
       of) currently tracked connections, delete connections from the state
       table, and even add new ones.

       In addition, you can also monitor connection tracking events, e.g. show
       an event message (one line) per newly established connection.

TABLES
       The connection tracking subsystem maintains several internal tables:

       conntrack:
              This is the default table. It contains a list of all currently
              tracked connections through the system. If you don't use
              connection tracking exemptions (NOTRACK iptables target), this
              means all connections that go through the system.

       expect:
              This is the table of expectations. Connection tracking
              expectations are the mechanism used to "expect" RELATED
              connections to existing ones. Expectations are generally used
              by "connection tracking helpers" (sometimes called application
              level gateways [ALGs]) for more complex protocols such as FTP,
              SIP or H.323.

       dying: This table shows the conntrack entries that have expired and
              that have been destroyed by the connection tracking system
              itself, or via the conntrack utility.

       unconfirmed:
              This table shows new entries that are not yet inserted into the
              conntrack table. These entries are attached to packets that are
              traversing the stack, but did not reach the confirmation point
              at the postrouting hook.

              The tables "dying" and "unconfirmed" are basically only useful
              for debugging purposes. Under normal operation, it is hard to
              see entries in any of them. There are corner cases where it is
              valid to see entries in the unconfirmed table, e.g. when packets
              are enqueued via nfqueue, and in the dying table, e.g. when
              conntrackd(8) runs in event reliable mode.

OPTIONS
       The options recognized by conntrack can be divided into several
       different groups.

   COMMANDS
       These options specify the particular operation to perform. Only one of
       them can be specified at any given time.

       -L, --dump
              List connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given
              table.

       -D, --delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table; it fails if the entry
              already exists.

       -A, --add
              Add a new entry to the given table.

       -U, --update
              Update an entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table.

       -C, --count
              Show the table counter.

       -S, --stats
              Show the in-kernel connection tracking system statistics.

       -R, --load-file
              Load entries from a given file. To read from stdin, "-" should
              be specified.

   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them. This option is
              only valid in combination with the "-L, --dump" command option.

       -o, --output [extended,xml,save,timestamp,id,ktimestamp,labels,userspace]
              Display output in a certain format. With the extended output
              option, this tool displays the layer 3 information. With
              ktimestamp, it displays the in-kernel timestamp available since
              2.6.38 (you can enable it via the sysctl(8) key
              net.netfilter.nf_conntrack_timestamp). The labels output option
              tells conntrack to show the names of connection tracking labels
              that might be present. The userspace output option tells if the
              event has been triggered by a process.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the
              in-kernel ctnetlink event code. Using this parameter, you can
              reduce the event messages generated by the kernel to the types
              that you are actually interested in. This option can only be
              used in conjunction with "-E, --event".

       -b, --buffer-size value
              Set the Netlink socket buffer size in bytes. This option is
              useful if the command line tool reports ENOBUFS errors. If you
              do not pass this option, the default value available at the
              sysctl(8) key net.core.rmem_default is used. The tool reports
              this problem if your process is too slow to handle all the
              event messages or, in other words, if the amount of events is
              big enough to overrun the socket buffer. Note that using a big
              buffer reduces the chances to hit ENOBUFS; however, this
              results in more memory consumption. This option can only be
              used in conjunction with "-E, --event".

   FILTER PARAMETERS
       -s, --src, --orig-src IP_ADDRESS
              Match only entries whose source address in the original
              direction equals the one specified as argument. Implies
              "--mask-src" when CIDR notation is used.

       -d, --dst, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original
              direction equals the one specified as argument. Implies
              "--mask-dst" when CIDR notation is used.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in the reply direction
              equals the one specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match only entries whose destination address in the reply
              direction equals the one specified as argument.

       -p, --proto PROTO
              Specify layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify layer three (ipv4, ipv6) protocol. This option is only
              required in conjunction with "-L, --dump". If this option is not
              passed, the default layer 3 protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout.

       -m, --mark MARK[/MASK]
              Specify the conntrack mark. Optionally, a mask value can be
              specified. In "--update" mode, this mask specifies the bits
              that should be zeroed before XORing the MARK value into the
              ctmark. Otherwise, the mask is logically ANDed with the existing
              mark before the comparison. In "--create" mode, the mask is
              ignored.

       -l, --label LABEL
              Specify a conntrack label. This option is only available in
              conjunction with "-L, --dump", "-E, --event", "-U, --update" or
              "-D, --delete". Match entries whose labels include those
              specified as arguments. Use multiple -l options to specify
              multiple labels that need to be set.

       --label-add LABEL
              Specify the conntrack label to add to the selected conntracks.
              This option is only available in conjunction with
              "-I, --create", "-A, --add" or "-U, --update".

       --label-del [LABEL]
              Specify the conntrack label to delete from the selected
              conntracks. If no label is given, all labels are deleted. This
              option is only available in conjunction with "-U, --update".

       -c, --secmark SECMARK
              Specify the conntrack SELinux security mark.

       -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|OFFLOAD|UNSET][,...]
              Specify the conntrack status.

       -n, --src-nat
              Filter source NAT connections.

       -g, --dst-nat
              Filter destination NAT connections.

       -j, --any-nat
              Filter any NAT connections.

       -w, --zone
              Filter by conntrack zone. See the iptables CT target for more
              information.

       --orig-zone
              Filter by conntrack zone in original direction. See the
              iptables CT target for more information.

       --reply-zone
              Filter by conntrack zone in reply direction. See the iptables
              CT target for more information.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation. Implies
              "--mask-src" when CIDR notation is used.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.
              Implies "--mask-dst" when CIDR notation is used.

       --mask-src IP_ADDRESS
              Specify the source address mask. For conntracks this option is
              only available in conjunction with "-L, --dump", "-E, --event",
              "-U, --update" or "-D, --delete". For expectations this option
              is only available in conjunction with "-I, --create".

       --mask-dst IP_ADDRESS
              Specify the destination address mask. Same limitations as for
              "--mask-src".

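       A dry run for the "-m MARK[/MASK]" semantics described above, added here
       as an example and not part of conntrack-tools: ct_mark_dryrun reads
       "conntrack -L" output and, for each entry, reports whether a filter
       "-m MARK/MASK" would match it (existing mark ANDed with MASK, then
       compared with MARK) and what "-U -m MARK/MASK" would leave in the ctmark
       (MASK bits zeroed, then MARK XORed in). The function name and the two
       sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of conntrack-tools.
# Usage: conntrack -L | ct_mark_dryrun MARK MASK      (MARK and MASK decimal or 0x-hex)
# Prints, per entry: "<proto> old=<mark> filter=<match|no-match> update=<new mark>"
ct_mark_dryrun() {
    mark=$(( $1 )); mask=$(( $2 ))
    while IFS= read -r line; do
        rest=${line##*mark=}                 # text following the "mark=" field
        [ "$rest" = "$line" ] && continue    # entry without a mark field
        old=$(( ${rest%% *} ))               # conntrack prints the mark in decimal
        # filter semantics: the mask is ANDed with the existing mark, then compared
        if [ $(( old & mask )) -eq "$mark" ]; then verdict=match; else verdict=no-match; fi
        # --update semantics: MASK bits are zeroed, then MARK is XORed in
        new=$(( (old & ~mask) ^ mark ))
        printf '%s old=0x%x filter=%s update=0x%x\n' "${line%% *}" "$old" "$verdict" "$new"
    done
}

# Constructed sample lines in "conntrack -L" format (not a real capture); 4660 is 0x1234.
CT_MARK_SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=4660 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=53412 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=53412 mark=0 use=1'

# Would "-m 0x10/0xf0" select these entries, and what would "-U -m 0x10/0xf0" set?
printf '%s\n' "$CT_MARK_SAMPLE" | ct_mark_dryrun 0x10 0xf0
```

       Because "--update" XORs rather than ORs, running the same update twice
       does not toggle bits back: the MASK bits are cleared first, so the
       result is the same on every run. Previewing against a saved dump before
       touching a live table avoids surprises from that detail.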
   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              TCP state, one of NONE, SYN_SENT, SYN_RECV, ESTABLISHED,
              FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE or LISTEN.


       UDP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction


       ICMP-specific fields:

       --icmp-type TYPE
              ICMP Type. Has to be specified numerically.

       --icmp-code CODE
              ICMP Code. Has to be specified numerically.

       --icmp-id ID
              ICMP Id. Has to be specified numerically (non-mandatory).


       UDPlite-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction


       SCTP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              SCTP state, one of NONE, CLOSED, COOKIE_WAIT, COOKIE_ECHOED,
              ESTABLISHED, SHUTDOWN_SENT, SHUTDOWN_RECD, SHUTDOWN_ACK_SENT.

       --orig-vtag value
              Verification tag (32-bit value) in the original direction

       --reply-vtag value
              Verification tag (32-bit value) in the reply direction


       DCCP-specific fields (needs Linux >= 2.6.30):

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              DCCP state, one of NONE, REQUEST, RESPOND, PARTOPEN, OPEN,
              CLOSEREQ, CLOSING, TIMEWAIT.

       --role [client|server]
              Role that the original conntrack tuple is tracking


       GRE-specific fields:

       --srckey, --orig-key-src KEY
              Source key in original direction (in hexadecimal or decimal)

       --dstkey, --orig-key-dst KEY
              Destination key in original direction (in hexadecimal or
              decimal)

       --reply-key-src KEY
              Source key in reply direction (in hexadecimal or decimal)

       --reply-key-dst KEY
              Destination key in reply direction (in hexadecimal or decimal)


DIAGNOSTICS
       The exit code is 0 for correct function. Errors which appear to be
       caused by invalid command line parameters cause an exit code of 2. Any
       other errors cause an exit code of 1.


EXAMPLES
       conntrack -L
              Show the connection tracking table in /proc/net/ip_conntrack
              format

       conntrack -L -o extended
              Show the connection tracking table in /proc/net/nf_conntrack
              format, with additional information.

       conntrack -L -o xml
              Show the connection tracking table in XML

       conntrack -L -o save
              Show the connection tracking table in conntrack syntax format

       conntrack -L -f ipv6 -o extended
              Only dump IPv6 connections in /proc/net/nf_conntrack format,
              with additional information.

       conntrack -L --src-nat
              Show source NAT connections

       conntrack -E -o timestamp
              Show connection events together with the timestamp

       conntrack -D -s 1.2.3.4
              Delete all flows whose source address is 1.2.3.4

       conntrack -U -s 1.2.3.4 -m 1
              Set connmark to 1 of all the flows whose source address is
              1.2.3.4

       conntrack -L -w 11 -o save | sed 's/-w 11/-w 12/g' | conntrack --load-file -
              Copy all entries from ct zone 11 to ct zone 12 (the sed
              expression must be quoted so the shell passes it as one
              argument)


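       The original/reply tuple semantics behind "-s/-d" versus "-r/-q", and
       behind "--src-nat"/"--dst-nat", can be checked offline against a saved
       dump. The script below, added here as an example and not part of
       conntrack-tools, parses "conntrack -L" output and labels each entry as
       SNAT, DNAT, both, or untranslated by comparing the two tuples: under
       SNAT the reply destination differs from the original source, under DNAT
       the reply source differs from the original destination. ct_classify and
       the sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of conntrack-tools.
# Reads "conntrack -L" output and prints one line per entry:
#   <proto> <state> <orig src>orig dst> <reply src>reply dst> <SNAT|DNAT|SNAT+DNAT|-> <mark>
# Live usage (needs root):  conntrack -L | ct_classify | grep -w DNAT
ct_classify() {
    awk '
        {
            proto = $1
            # TCP/SCTP/DCCP entries carry a state word as the 4th field; UDP/ICMP do not
            state = ($4 ~ /=/) ? "-" : $4
            n = 0; mark = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/)  { n++; s[n] = substr($i, 5) }   # 1st = original, 2nd = reply
                if ($i ~ /^dst=/)  d[n] = substr($i, 5)
                if ($i ~ /^mark=/) mark = substr($i, 6)
            }
            if (n < 2) next
            nat = ""
            # SNAT rewrites the original source, so the reply destination no longer equals it
            if (d[2] != s[1]) nat = "SNAT"
            # DNAT rewrites the original destination, so the reply source no longer equals it
            if (s[2] != d[1]) nat = nat (nat == "" ? "" : "+") "DNAT"
            if (nat == "") nat = "-"
            printf "%s %s %s>%s %s>%s %s %s\n", proto, state, s[1], d[1], s[2], d[2], nat, mark
        }'
}

# Constructed sample of "conntrack -L" output (not a real capture): a masqueraded
# HTTPS flow, a masqueraded SSH attempt without reply yet, a plain DNS lookup, and
# an inbound port-forward (DNAT to an internal host on a different port).
CT_SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=192.168.1.10 dst=198.51.100.7 sport=40000 dport=22 [UNREPLIED] src=198.51.100.7 dst=203.0.113.5 sport=22 dport=40000 mark=0 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=53412 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=53412 mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.99 dst=203.0.113.5 sport=51000 dport=80 src=192.168.1.20 dst=203.0.113.99 sport=8080 dport=51000 [ASSURED] mark=7 use=1'

printf '%s\n' "$CT_SAMPLE" | ct_classify
```

       The same comparison is what makes "-r"/"-q" useful when auditing NAT:
       "-s" selects on the pre-translation address a client used, while "-q"
       selects on the post-translation address the outside world sees.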
BUGS
       Please, report them to netfilter-devel@vger.kernel.org or file a bug in
       Netfilter's bugzilla (https://bugzilla.netfilter.org).

SEE ALSO
       nftables(8), iptables(8), conntrackd(8)
       See http://conntrack-tools.netfilter.org

AUTHORS
       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote
       the kernel-level "ctnetlink" interface that is used by the conntrack
       tool.

       Pablo Neira Ayuso wrote and maintains the conntrack tool, Harald Welte
       added support for conntrack-based accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org> and Pablo
       Neira Ayuso <pablo@netfilter.org>.



                                  Aug 9, 2019                      CONNTRACK(8)