.TH CONNTRACK 8 "Aug 24, 2015" "" ""

.\" Man page written by Harald Welte <laforge@netfilter.org> (Jun 2005)
.\" Maintained by Pablo Neira Ayuso <pablo@netfilter.org> (May 2007)

.SH NAME
conntrack \- command line interface for netfilter connection tracking
.SH SYNOPSIS
.BR "conntrack -L [table] [options] [-z]"
.br
.BR "conntrack -G [table] parameters"
.br
.BR "conntrack -D [table] parameters"
.br
.BR "conntrack -I [table] parameters"
.br
.BR "conntrack -U [table] parameters"
.br
.BR "conntrack -E [table] [options]"
.br
.BR "conntrack -F [table]"
.br
.BR "conntrack -C [table]"
.br
.BR "conntrack -S"
.SH DESCRIPTION
.B conntrack
provides a full-featured userspace interface to the netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel.
Using
.BR conntrack ,
you can dump a list of all (or a filtered selection of) currently tracked
connections, delete connections from the state table, and even add new ones.
.PP
In addition, you can also monitor connection tracking events, e.g. show an
event message (one line) per newly established connection.
.SH TABLES
The connection tracking subsystem maintains the following internal tables:
.TP
.BR "conntrack" :
This is the default table. It contains a list of all currently tracked
connections through the system. If you don't use connection tracking
exemptions (NOTRACK iptables target), this means all connections that go
through the system.
.TP
.BR "expect" :
This is the table of expectations. Connection tracking expectations are the
mechanism used to "expect" RELATED connections to existing ones. Expectations
are generally used by "connection tracking helpers" (sometimes called
application level gateways [ALGs]) for more complex protocols such as FTP,
SIP and H.323.
.TP
.BR "dying" :
This table shows the conntrack entries that have expired and have been
destroyed by the connection tracking system itself, or via the conntrack utility.
.TP
.BR "unconfirmed" :
This table shows new entries that are not yet inserted into the conntrack table.
These entries are attached to packets that are traversing the stack,
but did not reach the confirmation point at the postrouting hook.
.PP
The tables "dying" and "unconfirmed" are basically only useful for debugging purposes.
Under normal operation, it is hard to see entries in either of them.
There are corner cases where it is valid to see entries in the
unconfirmed table, e.g. when packets are enqueued via nfqueue, and in
the dying table, e.g. when conntrackd runs in event reliable mode.
.SH OPTIONS
The options recognized by
.B conntrack
can be divided into several different groups.
.SS COMMANDS
These options specify the particular operation to perform. Only one of them
can be specified at any given time.
.TP
.BI "-L, --dump "
List the connection tracking or expectation table.
.TP
.BI "-G, --get "
Search for and show a particular (matching) entry in the given table.
.TP
.BI "-D, --delete "
Delete an entry from the given table.
.TP
.BI "-I, --create "
Create a new entry in the given table.
.TP
.BI "-U, --update "
Update an entry in the given table.
.TP
.BI "-E, --event "
Display a real-time event log.
.TP
.BI "-F, --flush "
Flush the whole given table.
.TP
.BI "-C, --count "
Show the table counter.
.TP
.BI "-S, --stats "
Show the in-kernel connection tracking system statistics.
.SS PARAMETERS
.TP
.BI "-z, --zero "
Atomically zero counters after reading them. This option is only valid in
combination with the "\-L, \-\-dump" command option.
.TP
.BI "-o, --output [extended,xml,timestamp,id,ktimestamp,labels] "
Display output in a certain format. With the extended output option, this tool
also displays the layer 3 information. With ktimestamp, it displays the in-kernel
timestamp available since Linux 2.6.38 (you can enable it via echo 1 >
/proc/sys/net/netfilter/nf_conntrack_timestamp).
The labels output option tells conntrack to show the names of connection
tracking labels that might be present.
.TP
.BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
Set the bitmask of events that are to be generated by the in-kernel ctnetlink
event code. Using this parameter, you can reduce the event messages generated
by the kernel to those types that you are actually interested in.
.
This option can only be used in conjunction with "\-E, \-\-event".
.TP
.BI "-b, --buffer-size " "value (in bytes)"
Set the Netlink socket buffer size. This option is useful if the command line
tool reports ENOBUFS errors. If you do not pass this option, the default value
available at /proc/sys/net/core/rmem_default is used. The tool reports this
problem if your process is too slow to handle all the event messages or, in
other words, if the number of events is large enough to overrun the socket
buffer. Note that using a big buffer reduces the chances of hitting ENOBUFS;
however, it also results in more memory consumption.
.
This option can only be used in conjunction with "\-E, \-\-event".
.SS FILTER PARAMETERS
.TP
.BI "-s, --src, --orig-src " IP_ADDRESS
Match only entries whose source address in the original direction equals the one specified as argument.
Implies "--mask-src" when CIDR notation is used.
.TP
.BI "-d, --dst, --orig-dst " IP_ADDRESS
Match only entries whose destination address in the original direction equals the one specified as argument.
Implies "--mask-dst" when CIDR notation is used.
.TP
.BI "-r, --reply-src " IP_ADDRESS
Match only entries whose source address in the reply direction equals the one specified as argument.
.TP
.BI "-q, --reply-dst " IP_ADDRESS
Match only entries whose destination address in the reply direction equals the one specified as argument.
.TP
.BI "-p, --proto " "PROTO "
Specify the layer four (TCP, UDP, ...) protocol.
.TP
.BI "-f, --family " "PROTO"
Specify the layer three (ipv4, ipv6) protocol.
This option is only required in conjunction with "\-L, \-\-dump". If this option is not passed, the default layer 3 protocol will be IPv4.
.TP
.BI "-t, --timeout " "TIMEOUT"
Specify the timeout.
.TP
.BI "-m, --mark " "MARK[/MASK]"
Specify the conntrack mark. Optionally, a mask value can be specified.
In "\-\-update" mode, this mask specifies the bits that should be zeroed before XORing
the MARK value into the ctmark.
Otherwise, the mask is logically ANDed with the existing mark before the comparison.
In "\-\-create" mode, the mask is ignored.
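.PP
The two mark modes worked through, as an added example that is not part of the conntrack-tools sources: the shell functions below (hypothetical names, constructed sample line) read the mark= field of a conntrack \-L entry, decide which entries a "\-m MARK/MASK" filter would select, and compute the value "\-U \-m MARK/MASK" would store.

```shell
#!/bin/sh
# Added example, not conntrack-tools code: models what "-m MARK[/MASK]"
# does in the two modes described above, taking the mark from the mark=
# field of a "conntrack -L" line. Filter mode: an entry is selected when
# (ctmark & MASK) == MARK. Update mode: the stored value becomes
# (ctmark & ~MASK) ^ MARK. Without "/MASK" the mask is all ones.

# Constructed sample entry carrying mark 18 (0x12: bits 1 and 4 set).
SAMPLE_LINE='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=192.168.1.10 sport=443 dport=51234 [ASSURED] mark=18 use=1'

# ct_mark LINE -> prints the decimal mark= value of a conntrack -L line.
ct_mark() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]mark=\([0-9]*\).*/\1/p'
}

# split_spec "MARK[/MASK]" -> sets SPEC_MARK and SPEC_MASK.
split_spec() {
    case "$1" in
        */*) SPEC_MARK=${1%%/*}; SPEC_MASK=${1#*/} ;;
        *)   SPEC_MARK=$1;       SPEC_MASK=0xffffffff ;;
    esac
}

# mark_matches CTMARK "MARK[/MASK]" -> exit 0 if a -L/-D/-E filter with
# this -m argument would select an entry whose ctmark is CTMARK.
mark_matches() {
    split_spec "$2"
    [ $(( ($1 & $SPEC_MASK) & 0xffffffff )) -eq $(( $SPEC_MARK & 0xffffffff )) ]
}

# mark_update CTMARK "MARK[/MASK]" -> prints the ctmark that "-U -m"
# stores: the MASK bits are zeroed first, then MARK is XORed in.
mark_update() {
    split_spec "$2"
    printf '%d\n' $(( (($1 & ~$SPEC_MASK) ^ $SPEC_MARK) & 0xffffffff ))
}

# Walk the sample entry through a filter and three updates.
mark=$(ct_mark "$SAMPLE_LINE")
mark_matches "$mark" 0x10/0x10 && echo "selected by -m 0x10/0x10"
echo "after -U -m 1:           $(mark_update "$mark" 1)"           # 1
echo "after -U -m 0x100/0x100: $(mark_update "$mark" 0x100/0x100)" # 274
echo "after -U -m 0/0x10:      $(mark_update "$mark" 0/0x10)"      # 2
```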
.TP
.BI "-l, --label " "LABEL"
Specify a conntrack label.
This option is only available in conjunction with "\-L, \-\-dump", "\-E, \-\-event", "\-U, \-\-update" or "\-D, \-\-delete".
Match entries whose labels match at least those specified as arguments.
Use multiple \-l options to specify multiple labels that need to be set.
.TP
.BI "--label-add " "LABEL"
Specify the conntrack label to add to the selected conntracks.
This option is only available in conjunction with "\-I, \-\-create" or "\-U, \-\-update".
.TP
.BI "--label-del " "[LABEL]"
Specify the conntrack label to delete from the selected conntracks.
If no label is given, all labels are deleted.
This option is only available in conjunction with "\-U, \-\-update".
.TP
.BI "-c, --secmark " "SECMARK"
Specify the conntrack SELinux security mark.
.TP
.BI "-u, --status " "[ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]"
Specify the conntrack status.
.TP
.BI "-n, --src-nat "
Filter source NAT connections.
.TP
.BI "-g, --dst-nat "
Filter destination NAT connections.
.TP
.BI "-j, --any-nat "
Filter any NAT connections.
.TP
.BI "-w, --zone "
Filter by conntrack zone. See the iptables CT target for more information.
.TP
.BI "--orig-zone "
Filter by conntrack zone in the original direction.
See the iptables CT target for more information.
.TP
.BI "--reply-zone "
Filter by conntrack zone in the reply direction.
See the iptables CT target for more information.
.TP
.BI "--tuple-src " IP_ADDRESS
Specify the tuple source address of an expectation.
Implies "--mask-src" when CIDR notation is used.
.TP
.BI "--tuple-dst " IP_ADDRESS
Specify the tuple destination address of an expectation.
Implies "--mask-dst" when CIDR notation is used.
.TP
.BI "--mask-src " IP_ADDRESS
Specify the source address mask.
For conntrack this option is only available in conjunction with "\-L, \-\-dump", "\-E, \-\-event", "\-U, \-\-update" or "\-D, \-\-delete".
For expectations this option is only available in conjunction with "\-I, \-\-create".
.TP
.BI "--mask-dst " IP_ADDRESS
Specify the destination address mask.
Same limitations as for "--mask-src".
.SS PROTOCOL FILTER PARAMETERS
.TP
TCP-specific fields:
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction
.TP
.BI "--state " "[NONE | SYN_SENT | SYN_RECV | ESTABLISHED | FIN_WAIT | CLOSE_WAIT | LAST_ACK | TIME_WAIT | CLOSE | LISTEN]"
TCP state
.TP
UDP-specific fields:
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction
.TP
ICMP-specific fields:
.TP
.BI "--icmp-type " "TYPE"
ICMP type. Has to be specified numerically.
.TP
.BI "--icmp-code " "CODE"
ICMP code. Has to be specified numerically.
.TP
.BI "--icmp-id " "ID"
ICMP ID. Has to be specified numerically (optional).
.TP
UDPlite-specific fields:
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction
.TP
SCTP-specific fields:
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction
.TP
.BI "--state " "[NONE | CLOSED | COOKIE_WAIT | COOKIE_ECHOED | ESTABLISHED | SHUTDOWN_SENT | SHUTDOWN_RECD | SHUTDOWN_ACK_SENT]"
SCTP state
.TP
.BI "--orig-vtag " "value"
Verification tag (32-bit value) in the original direction
.TP
.BI "--reply-vtag " "value"
Verification tag (32-bit value) in the reply direction
.TP
DCCP-specific fields (needs Linux >= 2.6.30):
.TP
.BI "--sport, --orig-port-src " "PORT"
Source port in original direction
.TP
.BI "--dport, --orig-port-dst " "PORT"
Destination port in original direction
.TP
.BI "--reply-port-src " "PORT"
Source port in reply direction
.TP
.BI "--reply-port-dst " "PORT"
Destination port in reply direction
.TP
.BI "--state " "[NONE | REQUEST | RESPOND | PARTOPEN | OPEN | CLOSEREQ | CLOSING | TIMEWAIT]"
DCCP state
.TP
.BI "--role " "[client | server]"
Role that the original conntrack tuple is tracking
.TP
GRE-specific fields:
.TP
.BI "--srckey, --orig-key-src " "KEY"
Source key in original direction (in hexadecimal or decimal)
.TP
.BI "--dstkey, --orig-key-dst " "KEY"
Destination key in original direction (in hexadecimal or decimal)
.TP
.BI "--reply-key-src " "KEY"
Source key in reply direction (in hexadecimal or decimal)
.TP
.BI "--reply-key-dst " "KEY"
Destination key in reply direction (in hexadecimal or decimal)
.SH DIAGNOSTICS
The exit code is 0 for correct function. Errors which appear to be caused by
invalid command line parameters cause an exit code of 2. Any other errors
cause an exit code of 1.
.SH EXAMPLES
.TP
.B conntrack \-L
Show the connection tracking table in /proc/net/ip_conntrack format
.TP
.B conntrack \-L \-o extended
Show the connection tracking table in /proc/net/nf_conntrack format
.TP
.B conntrack \-L \-o xml
Show the connection tracking table in XML
.TP
.B conntrack \-L \-f ipv6 \-o extended
Only dump IPv6 connections in /proc/net/nf_conntrack format
.TP
.B conntrack \-L \-\-src\-nat
Show source NAT connections
.TP
.B conntrack \-E \-o timestamp
Show connection events together with the timestamp
.TP
.B conntrack \-D \-s 1.2.3.4
Delete all flows whose source address is 1.2.3.4
.TP
.B conntrack \-U \-s 1.2.3.4 \-m 1
Set the connmark to 1 on all flows whose source address is 1.2.3.4
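.PP
Added example, not part of the conntrack-tools sources: a small shell script (hypothetical function names, constructed sample dump) that reads conntrack \-L output in the /proc/net/ip_conntrack format shown above and reproduces what "\-\-src\-nat", "\-\-dst\-nat" and "\-\-any\-nat" select, by comparing the original and reply tuples of each entry.

```shell
#!/bin/sh
# Added example, not conntrack-tools code: classifies the entries of a
# "conntrack -L" dump by NAT type, i.e. what --src-nat, --dst-nat and
# --any-nat select. A flow is source-NATed when the reply tuple's dst
# (address or port) differs from the original tuple's src, and
# destination-NATed when the reply tuple's src differs from the
# original tuple's dst. Input is the ip_conntrack style "conntrack -L" output.

# Constructed sample dump: a source-NATed flow, a destination-NATed
# (port-forwarded) flow and a plain flow without NAT.
SAMPLE_DUMP='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=198.51.100.1 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=198.51.100.7 dst=198.51.100.1 sport=40000 dport=80 src=192.168.1.20 dst=198.51.100.7 sport=8080 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 mark=0 use=1'

# nat_class LINE -> prints snat, dnat, snat+dnat or none. The src=/dst=/
# sport=/dport= fields appear twice: first the original direction, then
# the reply direction.
nat_class() {
    printf '%s\n' "$1" | awk '{
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)   { n++; src[n] = substr($i, 5) }
            if ($i ~ /^dst=/)   { dst[n] = substr($i, 5) }
            if ($i ~ /^sport=/) { sport[n] = substr($i, 7) }
            if ($i ~ /^dport=/) { dport[n] = substr($i, 7) }
        }
        snat = (dst[2] != src[1] || dport[2] != sport[1])
        dnat = (src[2] != dst[1] || sport[2] != dport[1])
        if (snat && dnat) print "snat+dnat"; else if (snat) print "snat"; else if (dnat) print "dnat"; else print "none"
    }'
}

# nat_count src-nat|dst-nat|any-nat -> prints how many SAMPLE_DUMP
# entries the corresponding "conntrack -L --<filter>" would select.
nat_count() {
    n=0
    while IFS= read -r line; do
        case "$1/$(nat_class "$line")" in
            src-nat/snat*|dst-nat/*dnat|any-nat/snat*|any-nat/dnat) n=$((n + 1)) ;;
        esac
    done <<EOF
$SAMPLE_DUMP
EOF
    echo "$n"
}

echo "src-nat: $(nat_count src-nat)  dst-nat: $(nat_count dst-nat)  any-nat: $(nat_count any-nat)"  # 1 1 2
```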
.SH BUGS
Please report them to netfilter-devel@vger.kernel.org or file a bug in
Netfilter's bugzilla (https://bugzilla.netfilter.org).
.SH SEE ALSO
.BR iptables (8)
.br
See
.BR "http://conntrack-tools.netfilter.org"
.SH AUTHORS
Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote the kernel-level "ctnetlink" interface that is used by the conntrack tool.
.PP
Pablo Neira Ayuso wrote and maintains the conntrack tool; Harald Welte added support for conntrack based accounting counters.
.PP
Man page written by Harald Welte <laforge@netfilter.org> and Pablo Neira Ayuso <pablo@netfilter.org>.