CONNTRACK(8)                                                      CONNTRACK(8)


NAME

       conntrack - administration tool for netfilter connection tracking


SYNOPSIS

       conntrack -L [table] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -E [table] parameters
       conntrack -F [table]


DESCRIPTION

       conntrack is used to search, list, inspect and maintain the netfilter
       connection tracking subsystem of the Linux kernel.

       Using conntrack, you can dump a list of all (or a filtered selection
       of) currently tracked connections, delete connections from the state
       table, and even add new ones.

       In addition, you can also monitor connection tracking events, e.g. show
       an event message (one line) per newly established connection.


TABLES

       The connection tracking subsystem maintains two internal tables:

       conntrack:
              This is the default table.  It contains a list of all currently
              tracked connections through the system.  If you don't use
              connection tracking exemptions (NOTRACK iptables target), this
              means all connections that go through the system.

       expect:
              This is the table of expectations.  Connection tracking
              expectations are the mechanism used to "expect" RELATED
              connections to existing ones.  Expectations are generally used
              by "connection tracking helpers" (sometimes called application
              level gateways [ALGs]) for more complex protocols such as FTP,
              SIP and H.323.


OPTIONS

       The options recognized by conntrack can be divided into several
       different groups.

   COMMANDS
       These options specify the particular operation to perform.  Only one of
       them can be specified at any given time.

       -L, --dump
              List the connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given
              table.

       -D, --delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table.

   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them.  This option is
              only valid in combination with the "-L, --dump" command.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the
              in-kernel ctnetlink event code.  Using this parameter, you can
              reduce the event messages generated by the kernel to those
              types that you are actually interested in.  This option can
              only be used in conjunction with "-E, --event".

   FILTER PARAMETERS
       -s, --orig-src IP_ADDRESS
              Match only entries whose source address in the original
              direction equals the one specified as argument.

       -d, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original
              direction equals the one specified as argument.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in the reply direction
              equals the one specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match only entries whose destination address in the reply
              direction equals the one specified as argument.

       -p, --proto PROTO
              Specify the layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify the layer three (ipv4, ipv6) protocol.  This option is
              only required in conjunction with "-L, --dump".  If this option
              is not passed, the default layer 3 protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout, in seconds.

       -u, --status [ASSURED|SEEN_REPLY|UNSET|SRC_NAT|DST_NAT][,...]
              Specify the conntrack status.

       -i, --id ID
              Specify the conntrack ID.  This option can only be used in
              conjunction with "-L, --dump" to display the conntrack IDs.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.

       --mask-src IP_ADDRESS
              Specify the source address mask of an expectation.

       --mask-dst IP_ADDRESS
              Specify the destination address mask of an expectation.

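   EXAMPLE
       The following is an added example; it is not part of this man page or
       of the conntrack tool itself.  It shows the practical reason the -D
       command exists for incident response: a firewall DROP rule added while
       a host is under attack usually sits behind an earlier rule that accepts
       ESTABLISHED,RELATED traffic, so flows that are already in the conntrack
       table keep passing until their entries are deleted.  The script parses
       "conntrack -L" and "conntrack -E -e NEW" output, lists the flows that
       involve a suspect address, builds the "conntrack -D" commands that
       would remove them using only the -p, -s and -d filters documented
       above, and counts new inbound flows per destination port from the
       event stream.  The sample output lines are constructed for the example
       (the real tool needs root and the conntrack kernel module), and the
       function names ct_parse, ct_flows_involving, ct_delete_cmds and
       ct_new_dport_counts are ours, not the tool's.

```shell
#!/bin/sh
# Added example, not part of conntrack or this man page: incident-response
# helpers around "conntrack -L" and "conntrack -E -e NEW" output.
#
# Why: an iptables DROP rule added during an incident usually sits after an
# "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule, so flows already in
# the conntrack table keep passing.  Deleting those entries with
# "conntrack -D" is what actually cuts them off.
#
# All sample input below is constructed for this example; the real tool needs
# root and the conntrack kernel module.  Function names are ours.

# Constructed sample of "conntrack -L" output (one tracked flow per line).
SAMPLE_TABLE='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51234 dport=22 src=192.0.2.10 dst=10.0.0.5 sport=22 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.5 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=10.0.0.5 sport=53 dport=40000 mark=0 use=1
tcp      6 119 SYN_SENT src=198.51.100.7 dst=10.0.0.5 sport=40210 dport=445 [UNREPLIED] src=10.0.0.5 dst=198.51.100.7 sport=445 dport=40210 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=192.0.2.10 sport=51240 dport=22 src=192.0.2.10 dst=10.0.0.9 sport=22 dport=51240 [ASSURED] mark=0 use=1'

# Constructed sample of "conntrack -E -e NEW" output (event type comes first).
SAMPLE_EVENTS='[NEW] tcp      6 120 SYN_SENT src=198.51.100.7 dst=10.0.0.5 sport=40211 dport=445 [UNREPLIED] src=10.0.0.5 dst=198.51.100.7 sport=445 dport=40211
[NEW] tcp      6 120 SYN_SENT src=198.51.100.7 dst=10.0.0.5 sport=40212 dport=139 [UNREPLIED] src=10.0.0.5 dst=198.51.100.7 sport=139 dport=40212
[NEW] tcp      6 120 SYN_SENT src=203.0.113.4 dst=10.0.0.5 sport=52000 dport=445 [UNREPLIED] src=10.0.0.5 dst=203.0.113.4 sport=445 dport=52000
[NEW] udp      17 30 src=10.0.0.5 dst=192.0.2.53 sport=41000 dport=53 [UNREPLIED] src=192.0.2.53 dst=10.0.0.5 sport=53 dport=41000'

# ct_parse: stdin = conntrack -L or -E lines; stdout = one record per line:
#   <proto> <orig-src> <orig-dst> <orig-sport> <orig-dport>
# The first src=/dst=/sport=/dport= on a line are the original direction; the
# second set is the reply direction and is ignored.  Fields are matched by
# key, not position: TCP lines carry a state word, UDP lines do not, and -E
# lines start with an event tag such as [NEW].
ct_parse() {
    awk '
    {
        proto = ($1 ~ /^\[/) ? $2 : $1
        osrc = ""; odst = ""; sp = ""; dp = ""
        for (i = 2; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if (kv[1] == "src" && osrc == "") osrc = kv[2]
            else if (kv[1] == "dst" && odst == "") odst = kv[2]
            else if (kv[1] == "sport" && sp == "") sp = kv[2]
            else if (kv[1] == "dport" && dp == "") dp = kv[2]
        }
        if (osrc != "") print proto, osrc, odst, sp, dp
    }'
}

# ct_flows_involving HOST: records whose original src or dst is HOST.
ct_flows_involving() {
    ct_parse | awk -v h="$1" '$2 == h || $3 == h'
}

# ct_delete_cmds HOST: the "conntrack -D" invocations that would remove every
# tracked flow involving HOST, using only the documented -p/-s/-d filters.
# Commands are printed, not executed, so they can be reviewed first; pipe the
# output to "sh" as root to apply them.
ct_delete_cmds() {
    ct_flows_involving "$1" \
        | awk '{ print "conntrack -D -p " $1 " -s " $2 " -d " $3 }' \
        | sort -u
}

# ct_new_dport_counts HOST: from "-E -e NEW" events, count new inbound flows
# to HOST per destination port, a cheap tripwire for a scan or for a service
# being reached that should not be.  Output: "<count> <port>", highest first.
ct_new_dport_counts() {
    ct_parse | awk -v h="$1" '$3 == h { c[$5]++ } END { for (p in c) print c[p], p }' \
        | sort -rn
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_TABLE"  | ct_delete_cmds 10.0.0.5
printf '%s\n' "$SAMPLE_EVENTS" | ct_new_dport_counts 10.0.0.5
```

       Because only -p, -s and -d are used, each generated command removes
       every tracked flow of that protocol between the two addresses, not a
       single port pair; later conntrack-tools releases add port filters, but
       they are not documented on this page, so review the printed commands
       before running them.  On a live system replace the constructed samples
       with "conntrack -L" and "conntrack -E -e NEW" run as root.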

DIAGNOSTICS

       The exit code is 0 for correct function.  Errors which appear to be
       caused by invalid command line parameters cause an exit code of 2.  Any
       other errors cause an exit code of 1.


BUGS

       Bugs? What's this ;-)


SEE ALSO

       iptables(8)
       See http://netfilter.org/.


AUTHORS

       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira wrote the
       kernel-level "ctnetlink" interface that is used by the conntrack tool.

       Pablo Neira wrote the conntrack tool, Harald Welte added support for
       conntrack based accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org>.



                                 Jun 23, 2005                     CONNTRACK(8)