NAME
conntrack - command line interface for netfilter connection tracking
SYNOPSIS
conntrack -L [table] [options] [-z]
conntrack -G [table] parameters
conntrack -D [table] parameters
conntrack -I [table] parameters
conntrack -U [table] parameters
conntrack -E [table] [options]
conntrack -F [table]
conntrack -C [table]
conntrack -S
DESCRIPTION
conntrack provides a full featured userspace interface to the netfilter
connection tracking system that is intended to replace the old
/proc/net/ip_conntrack interface. This tool can be used to search, list,
inspect and maintain the connection tracking subsystem of the Linux kernel.
Using conntrack, you can dump a list of all (or a filtered selection
of) currently tracked connections, delete connections from the state table,
and even add new ones.
In addition, you can also monitor connection tracking events, e.g. show an event
message (one line) per newly established connection.
TABLES
The connection tracking subsystem maintains two internal tables:
- conntrack:
- This is the default table. It contains a list of all
currently tracked connections through the system. If you don't use
connection tracking exemptions (NOTRACK iptables target), this means all
connections that go through the system.
- expect:
- This is the table of expectations. Connection tracking
expectations are the mechanism used to "expect" RELATED
connections to existing ones. Expectations are generally used by
"connection tracking helpers" (sometimes called application
level gateways [ALGs]) for more complex protocols such as FTP, SIP,
H.323.
OPTIONS
The options recognized by conntrack can be divided into several different
groups.
COMMANDS
These options specify the particular operation to perform. Only one of them can
be specified at any given time.
- -L, --dump
- List connection tracking or expectation table
- -G, --get
- Search for and show a particular (matching) entry in the
given table.
- -D, --delete
- Delete an entry from the given table.
- -I, --create
- Create a new entry in the given table.
- -U, --update
- Update an entry from the given table.
- -E, --event
- Display a real-time event log.
- -F, --flush
- Flush the whole given table.
- -C, --count
- Show the table counter.
- -S, --stats
- Show the in-kernel connection tracking system
statistics.
PARAMETERS
- -z, --zero
- Atomically zero counters after reading them. This option is
only valid in combination with the "-L, --dump" command
options.
- -o, --output [extended,xml,timestamp,id,ktimestamp]
- Display output in a certain format. With the extended
output option, this tool displays the layer 3 information. With
ktimestamp, it displays the in-kernel timestamp available since 2.6.38
(you can enable it via echo 1 >
/proc/sys/net/netfilter/nf_conntrack_timestamp).
- -e, --event-mask
[ALL|NEW|UPDATES|DESTROY][,...]
- Set the bitmask of events that are to be generated by the
in-kernel ctnetlink event code. Using this parameter, you can reduce the
event messages generated by the kernel to those types that you
are actually interested in. This option can only be used in conjunction
with "-E, --event".
- -b, --buffer-size value (in bytes)
- Set the Netlink socket buffer size. This option is useful
if the command line tool reports ENOBUFS errors. If you do not pass this
option, the default value available at /proc/sys/net/core/rmem_default is
used. The tool reports this problem if your process is too slow to handle
all the event messages or, in other words, if the number of events is large
enough to overrun the socket buffer. Note that using a big buffer reduces
the chances to hit ENOBUFS, however, this results in more memory
consumption. This option can only be used in conjunction with "-E,
--event".
FILTER PARAMETERS
- -s, --orig-src IP_ADDRESS
- Match only entries whose source address in the original
direction equals the one specified as argument.
- -d, --orig-dst IP_ADDRESS
- Match only entries whose destination address in the
original direction equals the one specified as argument.
- -r, --reply-src IP_ADDRESS
- Match only entries whose source address in the reply
direction equals the one specified as argument.
- -q, --reply-dst IP_ADDRESS
- Match only entries whose destination address in the reply
direction equals the one specified as argument.
- -p, --proto PROTO
- Specify layer four (TCP, UDP, ...) protocol.
- -f, --family PROTO
- Specify layer three (ipv4, ipv6) protocol. This option is
only required in conjunction with "-L, --dump". If this option
is not passed, the default layer 3 protocol will be IPv4.
- -t, --timeout TIMEOUT
- Specify the timeout.
- -m, --mark MARK[/MASK]
- Specify the conntrack mark. Optionally, a mask value can be
specified. In "--update" mode, this mask specifies the bits that
should be zeroed before XORing the MARK value into the ctmark. Otherwise,
the mask is logically ANDed with the existing mark before the comparison.
In "--create" mode, the mask is ignored.
- -c, --secmark SECMARK
- Specify the conntrack selinux security mark.
- -u, --status
[ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]
- Specify the conntrack status.
- -n, --src-nat
- Filter source NAT connections.
- -g, --dst-nat
- Filter destination NAT connections.
- -j, --any-nat
- Filter any NAT connections.
- -w, --zone
- Filter by conntrack zone. See iptables CT target for more
information.
- --tuple-src IP_ADDRESS
- Specify the tuple source address of an expectation.
- --tuple-dst IP_ADDRESS
- Specify the tuple destination address of an
expectation.
- --mask-src IP_ADDRESS
- Specify the source address mask of an expectation.
- --mask-dst IP_ADDRESS
- Specify the destination address mask of an
expectation.
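The MARK[/MASK] rules for "-m, --mark" above are easy to misread, so here is an added example (not from the man page or conntrack-tools) that models them in Python: in --update mode the MASK bits of the existing ctmark are zeroed and MARK is XORed in; in filter mode the existing mark is ANDed with MASK before the comparison. It assumes the comparison is against MARK exactly as given, and the ctmark values are constructed samples.

```python
# Models the -m MARK/MASK semantics described in the conntrack man page so a
# -U or -L filter can be reasoned about before it is run against a live table.
# Added example, not code from conntrack-tools.

MARK_BITS = 0xFFFFFFFF  # ctmark is a 32-bit field


def update_mark(ctmark: int, mark: int, mask: int) -> int:
    """New ctmark after ``conntrack -U ... -m MARK/MASK``.

    The bits set in MASK are zeroed in the existing mark, then MARK is
    XORed into the result. Note the consequence: a MARK bit that lies
    outside MASK is not cleared first, so it toggles the existing bit.
    """
    return ((ctmark & ~mask) ^ mark) & MARK_BITS


def mark_matches(ctmark: int, mark: int, mask: int) -> bool:
    """Filter test for ``-m MARK/MASK`` in -L/-D/-G mode.

    The existing mark is ANDed with MASK before the comparison.
    Assumption: it is compared with MARK as given, so MARK bits outside
    MASK can never match.
    """
    return (ctmark & mask) == mark


def plan_update(entries, mark, mask):
    """Apply the update rule to (name, ctmark) pairs and return
    {name: (old, new)} for the entries whose mark would change."""
    changed = {}
    for name, old in entries:
        new = update_mark(old, mark, mask)
        if new != old:
            changed[name] = (old, new)
    return changed


if __name__ == "__main__":
    # Constructed sample table: low byte = traffic class, bit 8 = "audited" flag.
    table = [("flow-a", 0x003), ("flow-b", 0x103), ("flow-c", 0x005)]
    # Set the class byte to 7 but keep the flag bit: conntrack -U -m 7/0xff
    print(plan_update(table, 0x7, 0xFF))
    # Select class 3 regardless of the flag bit: conntrack -L -m 3/0xff
    print([n for n, m in table if mark_matches(m, 0x3, 0xFF)])
```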
PROTOCOL FILTER PARAMETERS
- TCP-specific fields:
- --sport, --orig-port-src PORT
- Source port in original direction
- --dport, --orig-port-dst PORT
- Destination port in original direction
- --reply-port-src PORT
- Source port in reply direction
- --reply-port-dst PORT
- Destination port in reply direction
- --state [NONE | SYN_SENT | SYN_RECV | ESTABLISHED
| FIN_WAIT | CLOSE_WAIT | LAST_ACK | TIME_WAIT | CLOSE | LISTEN]
- TCP state
- UDP-specific fields:
- --sport, --orig-port-src PORT
- Source port in original direction
- --dport, --orig-port-dst PORT
- Destination port in original direction
- --reply-port-src PORT
- Source port in reply direction
- --reply-port-dst PORT
- Destination port in reply direction
- ICMP-specific fields:
- --icmp-type TYPE
- ICMP Type. Has to be specified numerically.
- --icmp-code CODE
- ICMP Code. Has to be specified numerically.
- --icmp-id ID
- ICMP Id. Has to be specified numerically
(non-mandatory).
- UDPlite-specific fields:
- --sport, --orig-port-src PORT
- Source port in original direction
- --dport, --orig-port-dst PORT
- Destination port in original direction
- --reply-port-src PORT
- Source port in reply direction
- --reply-port-dst PORT
- Destination port in reply direction
- SCTP-specific fields:
- --sport, --orig-port-src PORT
- Source port in original direction
- --dport, --orig-port-dst PORT
- Destination port in original direction
- --reply-port-src PORT
- Source port in reply direction
- --reply-port-dst PORT
- Destination port in reply direction
- --state [NONE | CLOSED | COOKIE_WAIT |
COOKIE_ECHOED | ESTABLISHED | SHUTDOWN_SENT | SHUTDOWN_RECD |
SHUTDOWN_ACK_SENT]
- SCTP state
- --orig-vtag value
- Verification tag (32-bit value) in the original
direction
- --reply-vtag value
- Verification tag (32-bit value) in the reply
direction
- DCCP-specific fields (needs Linux >= 2.6.30):
- --sport, --orig-port-src PORT
- Source port in original direction
- --dport, --orig-port-dst PORT
- Destination port in original direction
- --reply-port-src PORT
- Source port in reply direction
- --reply-port-dst PORT
- Destination port in reply direction
- --state [NONE | REQUEST | RESPOND | PARTOPEN |
OPEN | CLOSEREQ | CLOSING | TIMEWAIT]
- DCCP state
- --role [client | server]
- Role that the original conntrack tuple is tracking
- GRE-specific fields:
- --srckey, --orig-key-src KEY
- Source key in original direction (in hexadecimal or
decimal)
- --dstkey, --orig-key-dst KEY
- Destination key in original direction (in hexadecimal or
decimal)
- --reply-key-src KEY
- Source key in reply direction (in hexadecimal or
decimal)
- --reply-key-dst KEY
- Destination key in reply direction (in hexadecimal or
decimal)
DIAGNOSTICS
The exit code is 0 for correct function. Errors which appear to be caused by
invalid command line parameters cause an exit code of 2. Any other errors
cause an exit code of 1.
EXAMPLES
- conntrack -L
- Show the connection tracking table in
/proc/net/ip_conntrack format
- conntrack -L -o extended
- Show the connection tracking table in
/proc/net/nf_conntrack format
- conntrack -L -o xml
- Show the connection tracking table in XML
- conntrack -L -f ipv6 -o extended
- Only dump IPv6 connections in /proc/net/nf_conntrack
format
- conntrack -L --src-nat
- Show source NAT connections
- conntrack -E -o timestamp
- Show connection events together with the timestamp
- conntrack -D -s 1.2.3.4
- Delete all flows whose source address is 1.2.3.4
- conntrack -U -s 1.2.3.4 -m 1
- Set the connmark to 1 on all flows whose source address is
1.2.3.4
BUGS
Please report them to netfilter-devel@vger.kernel.org or file a bug in
Netfilter's bugzilla (https://bugzilla.netfilter.org).
SEE ALSO
iptables(8)
See http://conntrack-tools.netfilter.org
AUTHORS
Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote the
kernel-level "ctnetlink" interface that is used by the conntrack
tool.
Pablo Neira Ayuso wrote and maintains the conntrack tool; Harald Welte added
support for conntrack-based accounting counters.
Man page written by Harald Welte <laforge@netfilter.org> and Pablo Neira
Ayuso <pablo@netfilter.org>.