CONNTRACK(8)                                                      CONNTRACK(8)

NAME
       conntrack - administration tool for netfilter connection tracking

SYNOPSIS
       conntrack -L [table] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -E [table] parameters
       conntrack -F [table]
15
DESCRIPTION
       conntrack is used to search, list, inspect and maintain the netfilter
       connection tracking subsystem of the Linux kernel.

       Using conntrack, you can dump a list of all (or a filtered selection
       of) currently tracked connections, delete connections from the state
       table, and even add new ones.

       In addition, you can also monitor connection tracking events, e.g. show
       an event message (one line) per newly established connection.
26
TABLES
       The connection tracking subsystem maintains two internal tables:

       conntrack:
              This is the default table. It contains a list of all currently
              tracked connections through the system. If you don't use
              connection tracking exemptions (NOTRACK iptables target), this
              means all connections that go through the system.

       expect:
              This is the table of expectations. Connection tracking
              expectations are the mechanism used to "expect" RELATED
              connections to existing ones. Expectations are generally used
              by "connection tracking helpers" (sometimes called application
              level gateways [ALGs]) for more complex protocols such as FTP,
              SIP, H.323.
42
OPTIONS
       The options recognized by conntrack can be divided into several
       different groups.

   COMMANDS
       These options specify the particular operation to perform. Only one of
       them can be specified at any given time.

       -L, --dump
              List connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given
              table.

       -D, --delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table.

   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them. This option is
              only valid in combination with the "-L, --dump" command option.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the
              in-kernel ctnetlink event code. Using this parameter, you can
              reduce the event messages generated by the kernel to those
              types that you are actually interested in. This option can
              only be used in conjunction with "-E, --event".
81
   FILTER PARAMETERS
       -s, --orig-src IP_ADDRESS
              Match only entries whose source address in the original
              direction equals the one specified as argument.

       -d, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original
              direction equals the one specified as argument.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in the reply direction
              equals the one specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match only entries whose destination address in the reply
              direction equals the one specified as argument.

       -p, --proto PROTO
              Specify layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify layer three (ipv4, ipv6) protocol. This option is only
              required in conjunction with "-L, --dump". If this option is
              not passed, the default layer 3 protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout.

       -u, --status [ASSURED|SEEN_REPLY|UNSET|SRC_NAT|DST_NAT][,...]
              Specify the conntrack status.

       -i, --id ID
              Specify the conntrack ID. This option can only be used in
              conjunction with "-L, --dump" to display the conntrack IDs.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.

       --mask-src IP_ADDRESS
              Specify the source address mask of an expectation.

       --mask-dst IP_ADDRESS
              Specify the destination address mask of an expectation.
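
       To show how "-E, --event" and "-e, --event-mask" fit together for
       monitoring, here is an added shell example that is not part of the
       conntrack tool or of this man page: it summarises NEW events per
       original-direction source address. The event line layout assumed here
       (a bracketed event type, protocol, state, then src=/dst= tuples with
       the first src= being the original direction) and the sample lines are
       constructed for the example, not captured output.

```shell
#!/bin/sh
# Added example, not part of conntrack: summarise the event log produced by
#   conntrack -E -e NEW -p tcp
# by counting NEW flows per original-direction source address. The assumed
# line layout is "[NEW] tcp 6 120 SYN_SENT src=A dst=B sport=X dport=Y ...",
# where the first src= belongs to the original direction (cf. -s/--orig-src).

# Constructed sample of what the event log might look like (not real output).
sample_events() {
    printf '%s\n' \
      '    [NEW] tcp      6 120 SYN_SENT src=10.0.0.5 dst=198.51.100.7 sport=40001 dport=443 [UNREPLIED] src=198.51.100.7 dst=10.0.0.5 sport=443 dport=40001' \
      ' [UPDATE] tcp      6 60 SYN_RECV src=10.0.0.5 dst=198.51.100.7 sport=40001 dport=443 src=198.51.100.7 dst=10.0.0.5 sport=443 dport=40001' \
      '    [NEW] tcp      6 120 SYN_SENT src=10.0.0.5 dst=198.51.100.7 sport=40002 dport=443 [UNREPLIED] src=198.51.100.7 dst=10.0.0.5 sport=443 dport=40002' \
      '    [NEW] tcp      6 120 SYN_SENT src=10.0.0.9 dst=198.51.100.7 sport=50000 dport=22 [UNREPLIED] src=198.51.100.7 dst=10.0.0.9 sport=22 dport=50000' \
      '[DESTROY] tcp      6 src=10.0.0.9 dst=198.51.100.7 sport=50000 dport=22 src=198.51.100.7 dst=10.0.0.9 sport=22 dport=50000'
}

# Read event lines on stdin; print "source count", most active source first.
count_new_by_src() {
    awk '
        /\[NEW\]/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/) {       # first src= is the original direction
                    split($i, kv, "=")
                    n[kv[2]]++
                    break
                }
            }
        }
        END { for (s in n) printf "%s %d\n", s, n[s] }
    ' | sort -k2,2nr -k1,1
}

# Print only the sources that opened more than $1 NEW flows (default 100).
flag_busy_sources() {
    count_new_by_src | awk -v limit="${1:-100}" '$2 + 0 > limit + 0'
}

# Offline run on the constructed sample:
sample_events | flag_busy_sources 1

# Live run (needs root). -e NEW makes the kernel emit only NEW events; the
# summary is printed when the stream ends, so bound it to a time window:
#   timeout 60 conntrack -E -e NEW -p tcp | flag_busy_sources 200
```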
128
DIAGNOSTICS
       The exit code is 0 for correct function. Errors which appear to be
       caused by invalid command line parameters cause an exit code of 2. Any
       other errors cause an exit code of 1.

BUGS
       Bugs? What's this ;-)

SEE ALSO
       iptables(8)
       See http://netfilter.org/.

AUTHORS
       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira wrote the
       kernel-level "ctnetlink" interface that is used by the conntrack tool.

       Pablo Neira wrote the conntrack tool, Harald Welte added support for
       conntrack based accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org>.

                                 Jun 23, 2005                     CONNTRACK(8)