CONNTRACK

Section: (8)
Updated: May 6, 2007
 

NAME

conntrack - command line interface for netfilter connection tracking  

SYNOPSIS

conntrack -L [table] [-z]
conntrack -G [table] parameters
conntrack -D [table] paramaters
conntrack -I [table] parameters
conntrack -E [table] parameters
conntrack -F [table]  

DESCRIPTION

conntrack provides a full featured userspace interface to the netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel. Using conntrack , you can dump a list of all (or a filtered selection of) currently tracked connections, delete connections from the state table, and even add new ones.

In addition, you can also monitor connection tracking events, e.g. show an event message (one line) per newly established connection.  

TABLES

The connection tracking subsystem maintains two internal tables:
conntrack:
This is the default table. It contains a list of all currently tracked connections through the system. If you don't use connection tracking exemptions (NOTRACK iptables target), this means all connections that go through the system.
expect:
This is the table of expectations. Connection tracking expectations are the mechanism used to "expect" RELATED connections to existing ones. Expectations are generally used by "connection tracking helpers" (sometimes called application level gateways [ALGs]) for more complex protocols such as FTP, SIP, H.323.
 

OPTIONS

The options recognized by conntrack can be divided into several different groups.  

COMMANDS

These options specify the particular operation to perform. Only one of them can be specified at any given time.
-L --dump
List connection tacking or expectation table
-G, --get
Search for and show a particular (matching) entry in the given table.
-D, --delete
Delete an entry from the given table.
-I, --create
Create a new entry from the given table.
-E, --event
Display a real-time event log.
-F, --flush
Flush the whole given table
 

PARAMETERS

-z, --zero
Atomically zero counters after reading them. This option is only valid in combination with the "-L, --dump" command options.
-o, --output [extended,xml,timestamp]
Display output in a certain format. This option is only valid in combination with the "-L, --dump", "-E, --event" and "-G, --get" command options.
-e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
Set the bitmask of events that are to be generated by the in-kernel ctnetlink event code. Using this parameter, you can reduce the event messages generated by the kernel to those types to those that you are actually interested in. This option can only be used in conjunction with "-E, --event".
 

FILTER PARAMETERS

-s, --orig-src IP_ADDRESS
Match only entries whose source address in the original direction equals the one specified as argument.
-d, --orig-dst IP_ADDRESS
Match only entries whose destination address in the original direction equals the one specified as argument.
-r, --reply-src IP_ADDRESS
Match only entries whose source address in the reply direction equals the one specified as argument.
-q, --reply-dst IP_ADDRESS
Match only entries whose destination address in the reply direction equals the one specified as argument.
-p, --proto PROTO
Specify layer four (TCP, UDP, ...) protocol.
-f, --family PROTO
Specify layer three (ipv4, ipv6) protocol This option is only required in conjunction with "-L, --dump". If this option is not passed, the default layer 3 protocol will be IPv4.
-t, --timeout TIMEOUT
Specify the timeout. -m, --mark MARK Specify the conntrack mark.
-c, --secmark SECMARK
Specify the conntrack selinux security mark.
-u, --status [ASSURED|SEEN_REPLY|UNSET][,...]
Specify the conntrack status.
-n, --src-nat
Filter source NAT connections.
-g, --dst-nat
Filter destination NAT connections.
--tuple-src IP_ADDRESS
Specify the tuple source address of an expectation.
--tuple-dst IP_ADDRESS
Specify the tuple destination address of an expectation.
--mask-src IP_ADDRESS
Specify the source address mask of an expectation.
--mask-dst IP_ADDRESS
Specify the destination address mask of an expectation.
 

PROTOCOL FILTER PARAMETERS

TCP-specific fields:
--orig-port-src PORT
Source port in original direction
--orig-port-dst PORT
Destination port in original direction
--reply-port-src PORT
Source port in reply direction
--reply-port-dst PORT
Destination port in reply direction
--state [NONE | SYN_SENT | SYN_RECV | ESTABLISHED | FIN_WAIT | CLOSE_WAIT | LAST_ACK | TIME_WAIT | CLOSE | LISTEN]
TCP state
UDP-specific fields:
--orig-port-src PORT
Source port in original direction
--orig-port-dst PORT
Destination port in original direction
--reply-port-src PORT
Source port in reply direction
--reply-port-dst PORT
Destination port in reply direction
ICMP-specific fields:
--icmp-type TYPE
ICMP Type. Has to be specified numerically.
--icmp-code CODE
ICMP Code. Has to be specified numerically.
--icmp-id ID
ICMP Id. Has to be specified numerically (non-mandatory)
 

DIAGNOSTICS

The exit code is 0 for correct function. Errors which appear to be caused by invalid command line parameters cause an exit code of 2. Any other errors cause an exit code of 1.  

EXAMPLES

conntrack -L
Dump the connection tracking table in /proc/net/ip_conntrack format
conntrack -L -o extended
Dump the connection tracking table in /proc/net/nf_conntrack format
conntrack -L -o xml
Dump the connection tracking table in XML
conntrack -L -f ipv6 -o extended
Only dump IPv6 connections in /proc/net/nf_conntrack format
conntrack -L --src-nat
Dump source NAT connections
conntrack -E -o timestamp
Show connection events together with the timestamp
 

BUGS

Bugs? What's this ;-)  

SEE ALSO

conntrackd(8),iptables(8)
See http://netfilter.org/.  

AUTHORS

Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira wrote the kernel-level "ctnetlink" interface that is used by the conntrack tool.

Pablo Neira wrote the conntrack tool, Harald Welte added support for conntrack based accounting counters.

Man page written by Harald Welte <laforge@netfilter.org> and Pablo Neira Ayuso <pablo@netfilter.org>.


 

Index

NAME
SYNOPSIS
DESCRIPTION
TABLES
OPTIONS
COMMANDS
PARAMETERS
FILTER PARAMETERS
PROTOCOL FILTER PARAMETERS
DIAGNOSTICS
EXAMPLES
BUGS
SEE ALSO
AUTHORS

This document was created by man2html, using the manual pages.
Time: 12:38:23 GMT, December 28, 2007