
conntrack - command line interface for netfilter connection tracking

Authors

       Jay  Schulist,  Patrick  McHardy,  Harald  Welte and Pablo Neira Ayuso wrote the kernel-level "ctnetlink"
       interface that is used by the conntrack tool.

       Pablo Neira Ayuso wrote and maintains the conntrack tool, Harald Welte added support for  conntrack-based
       accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org> and Pablo Neira Ayuso <pablo@netfilter.org>.

                                                   Aug 9, 2019                                      CONNTRACK(8)

Bugs

       Please,  report  them  to  netfilter-devel@vger.kernel.org  or  file  a  bug  in   Netfilter's   bugzilla
       (https://bugzilla.netfilter.org).

Description

       The  conntrack  utility provides a full-featured userspace interface to the Netfilter connection tracking
       system that is intended to replace the old /proc/net/ip_conntrack interface. This tool  can  be  used  to
       search, list, inspect and maintain the connection tracking subsystem of the Linux kernel.

       Using  conntrack,  you can dump a list of all (or a filtered selection of) currently tracked connections,
       delete connections from the state table, and even add new ones.

       In addition, you can also monitor connection tracking events, e.g. show an event message (one  line)  per
       newly established connection.

Diagnostics

       The  exit  code  is  0  for  correct  function.  Errors which appear to be caused by invalid command line
       parameters cause an exit code of 2.  Any other errors cause an exit code of 1.

Examples

       conntrack -L
              Show the connection tracking table in /proc/net/ip_conntrack format

       conntrack -L -o extended
              Show the connection tracking table in /proc/net/nf_conntrack format, with additional information.

       conntrack -L -o xml
              Show the connection tracking table in XML

       conntrack -L -o save
              Show the connection tracking table in conntrack syntax format

       conntrack -L -f ipv6 -o extended
              Only dump IPv6 connections in /proc/net/nf_conntrack format, with additional information.

       conntrack -L --src-nat
              Show source NAT connections

       conntrack -E -o timestamp
              Show connection events together with the timestamp

       conntrack -D -s 1.2.3.4
              Delete all flows whose source address is 1.2.3.4

       conntrack -U -s 1.2.3.4 -m 1
              Set connmark to 1 of all the flows whose source address is 1.2.3.4

       conntrack -L -w 11 -o save | sed 's/-w 11/-w 12/g' | conntrack --load-file -
              Copy all entries from ct zone 11 to ct zone 12
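       In practice the "-L" dump is rarely read line by line; it is piped into a filter that aggregates it, for
       instance to find which original-direction source holds the most entries (a crude but useful signal for a
       host that is exhausting the table or scanning). The following POSIX sh script is an added example, not
       part of conntrack(8) or conntrack-tools. The sample dump embedded in it is constructed to mimic the
       default "-L" output format, and the function names ct_count_by_src, ct_busy_sources and
       ct_unreplied_by_src are this example's own.

```shell
#!/bin/sh
# Added example (not from conntrack(8)): aggregate a "conntrack -L" dump by
# original-direction source address. The sample below is constructed to look
# like the default -L format; on a live system replace it with the real dump.

SAMPLE_DUMP='tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=10.0.0.5 sport=45678 dport=443 src=10.0.0.5 dst=192.168.1.2 sport=443 dport=45678 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=192.168.1.2 dst=10.0.0.6 sport=45679 dport=22 [UNREPLIED] src=10.0.0.6 dst=192.168.1.2 sport=22 dport=45679 mark=0 use=1
tcp      6 117 SYN_SENT src=192.168.1.2 dst=10.0.0.7 sport=45680 dport=22 [UNREPLIED] src=10.0.0.7 dst=192.168.1.2 sport=22 dport=45680 mark=0 use=1
udp      17 29 src=192.168.1.9 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=192.168.1.9 sport=53 dport=5353 mark=0 use=1'

# ct_count_by_src: read a -L dump on stdin and print "<count> <src>" per
# original-direction source address, highest count first. Each entry line
# carries two tuples; the first "src=" token is the original direction.
ct_count_by_src() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break }
    } END { for (s in n) print n[s], s }' | sort -rn
}

# ct_busy_sources THRESHOLD: print only the sources whose entry count is
# strictly greater than THRESHOLD.
ct_busy_sources() {
    ct_count_by_src | awk -v t="$1" '$1 > t { print $2 }'
}

# ct_unreplied_by_src: same aggregation restricted to entries still marked
# [UNREPLIED], i.e. half-open flows that never saw a reply packet.
ct_unreplied_by_src() {
    grep '\[UNREPLIED\]' | ct_count_by_src
}

# Live usage (conntrack prints its "N flow entries have been shown" summary on
# stderr, hence the redirect):  conntrack -L 2>/dev/null | ct_busy_sources 500
printf '%s\n' "$SAMPLE_DUMP" | ct_busy_sources 2
```

       The threshold is deliberately a parameter: what counts as "busy" depends on the host's role, and the same
       functions work on a dump saved to a file for later incident analysis.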

Name

       conntrack - command line interface for netfilter connection tracking

Options

       The options recognized by conntrack can be divided into several different groups.

   COMMANDS
       These  options  specify  the  particular  operation to perform.  Only one of them can be specified at any
       given time.

       -L, --dump
              List connection tracking or expectation table

       -G,--get
              Search for and show a particular (matching) entry in the given table.

       -D,--delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table; it fails if the entry already exists.

       -A, --add
              Add a new entry to the given table.

       -U, --update
              Update an entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table

       -C, --count
              Show the table counter.

       -S, --stats
              Show the in-kernel connection tracking system statistics.

       -R, --load-file
              Load entries from a given file. To read from stdin, "-" should be specified.

   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them.  This option is only valid in  combination  with  the
              "-L, --dump" command options.

       -o, --output [extended,xml,save,timestamp,id,ktimestamp,labels]
              Display  output in a certain format. With the extended output option, this tool displays the layer
              3 information. With ktimestamp, it displays the in-kernel timestamp available  since  2.6.38  (you
              can  enable  it  via  the  sysctl(8) key net.netfilter.nf_conntrack_timestamp).  The labels output
              option tells conntrack to show the names of connection tracking labels that might be present.  The
              userspace output option tells whether the event has been triggered by a process.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the in-kernel ctnetlink event  code.   Using
              this  parameter,  you  can reduce the event messages generated by the kernel to the types that you
              are actually interested in.  This option can only be used in conjunction with "-E, --event".

       -b, --buffer-size value
              Set the Netlink socket buffer size in bytes. This option  is  useful  if  the  command  line  tool
              reports  ENOBUFS  errors. If you do not pass this option, the default value available at sysctl(8)
              key net.core.rmem_default is used. The tool reports this problem if your process is  too  slow  to
              handle all the event messages or, in other words, if the amount of events is big enough to overrun
              the  socket buffer. Note that using a big buffer reduces the chances to hit ENOBUFS, however, this
              results in more memory consumption.  This option  can  only  be  used  in  conjunction  with  "-E,
              --event".

   FILTER PARAMETERS
       -s, --src, --orig-src IP_ADDRESS
              Match  only  entries  whose  source  address in the original direction equals the one specified as
              argument. Implies "--mask-src" when CIDR notation is used.

       -d, --dst, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original direction equals the one specified as
              argument. Implies "--mask-dst" when CIDR notation is used.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in  the  reply  direction  equals  the  one  specified  as
              argument.

       -q, --reply-dst IP_ADDRESS
              Match  only  entries  whose destination address in the reply direction equals the one specified as
              argument.

       -p, --proto PROTO
              Specify layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify layer three (ipv4, ipv6) protocol.  This option is only required in conjunction with  "-L,
              --dump". If this option is not passed, the default layer 3 protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout.

       -m, --mark MARK[/MASK]
              Specify  the conntrack mark.  Optionally, a mask value can be specified.  In "--update" mode, this
              mask specifies the bits that should be zeroed before  XORing  the  MARK  value  into  the  ctmark.
              Otherwise, the mask is logically ANDed with the existing mark before the comparison. In "--create"
              mode, the mask is ignored.

       -l, --label LABEL
              Specify  a  conntrack label.  This option is only available in conjunction with "-L, --dump", "-E,
              --event", "-U --update" or "-D --delete".  Match entries whose labels include those  specified  as
              arguments.  Use multiple -l options to specify multiple labels that need to be set.

       --label-add LABEL
              Specify  the  conntrack label to add to the selected conntracks.  This option is only available in
              conjunction with "-I, --create", "-A, --add" or "-U, --update".

       --label-del [LABEL]
              Specify the conntrack label to delete from the selected conntracks.  If no  label  is  given,  all
              labels are deleted.  This option is only available in conjunction with "-U, --update".

       -c, --secmark SECMARK
              Specify the conntrack selinux security mark.

       -u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|OFFLOAD|UNSET][,...]
              Specify the conntrack status.

       -n, --src-nat
              Filter source NAT connections.

       -g, --dst-nat
              Filter destination NAT connections.

       -j, --any-nat
              Filter any NAT connections.

       -w, --zone
              Filter by conntrack zone. See iptables CT target for more information.

       --orig-zone
              Filter by conntrack zone in original direction.  See iptables CT target for more information.

       --reply-zone
              Filter by conntrack zone in reply direction.  See iptables CT target for more information.

       --tuple-src IP_ADDRESS
              Specify  the  tuple  source address of an expectation.  Implies "--mask-src" when CIDR notation is
              used.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.  Implies "--mask-dst" when CIDR  notation
              is used.

       --mask-src IP_ADDRESS
              Specify the source address mask.  For conntracks this option is only available in conjunction with
              "-L, --dump", "-E, --event", "-U --update" or "-D --delete".  For expectations this option is only
              available in conjunction with "-I, --create".

       --mask-dst IP_ADDRESS
              Specify the destination address mask.  Same limitations as for "--mask-src".
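       The MARK[/MASK] argument to "-m, --mark" (above) is interpreted two different ways: in "--update" mode the
       MASK bits of the existing ctmark are cleared and MARK is XORed in, while as a filter the existing mark is
       ANDed with MASK and compared to MARK. The POSIX sh script below is an added example, not part of
       conntrack(8) or conntrack-tools, that carries both computations through on constructed mark values so a
       rule can be sanity-checked before it is run against live entries; the function names ct_mark_after_update
       and ct_mark_matches are this example's own.

```shell
#!/bin/sh
# Added example (not from conntrack(8)): the two meanings of MARK/MASK,
# written as shell integer arithmetic. Values are constructed for illustration.

# ct_mark_after_update CURRENT MARK MASK
# "--update" semantics: zero the MASK bits of the existing ctmark, then XOR
# MARK into it. (In "--create" mode the mask is ignored and MARK is stored as is.)
ct_mark_after_update() {
    echo $(( ($1 & ~$3) ^ $2 ))
}

# ct_mark_matches CURRENT MARK MASK
# Filter semantics (-L, -D, -E, and the selection part of -U): the existing
# mark is ANDed with MASK and the result compared to MARK. Prints yes or no.
ct_mark_matches() {
    if [ $(( $1 & $3 )) -eq $(( $2 )) ]; then echo yes; else echo no; fi
}

# Worked run: an entry currently marked 0x0a is updated with "-m 0x10/0x10".
# Only bit 4 is touched; the other bits survive, so 0x0a becomes 0x1a (26).
ct_mark_after_update 0x0a 0x10 0x10

# The same "-m 0x10/0x10" used as a filter selects every entry with bit 4 set,
# whatever its other bits are.
ct_mark_matches 0x1a 0x10 0x10
ct_mark_matches 0x0a 0x10 0x10

# A mask wider than the mark clears bits: 0x1f updated with "-m 0/0x0f" -> 0x10.
ct_mark_after_update 0x1f 0x00 0x0f
```

       The practical consequence is that "-U -m 0x10/0x10" is a safe "set this one bit" operation, whereas
       "-U -m 0x10" with no mask overwrites the whole ctmark, which matters when other rules (for example
       policy routing keyed on connmark) rely on bits you did not intend to change.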

   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              TCP  state,  one  of  NONE,  SYN_SENT,  SYN_RECV,  ESTABLISHED,  FIN_WAIT,  CLOSE_WAIT,  LAST_ACK,
              TIME_WAIT, CLOSE or LISTEN.

       UDP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       ICMP-specific fields:

       --icmp-type TYPE
              ICMP Type. Has to be specified numerically.

       --icmp-code CODE
              ICMP Code. Has to be specified numerically.

       --icmp-id ID
              ICMP Id. Has to be specified numerically (non-mandatory)

       UDPlite-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       SCTP-specific fields:

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              SCTP  state,  one  of  NONE,  CLOSED,  COOKIE_WAIT,  COOKIE_ECHOED,  ESTABLISHED,   SHUTDOWN_SENT,
              SHUTDOWN_RECD, SHUTDOWN_ACK_SENT.

       --orig-vtag value
              Verification tag (32-bit value) in the original direction

       --reply-vtag value
              Verification tag (32-bit value) in the reply direction

       DCCP-specific fields (needs Linux >= 2.6.30):

       --sport, --orig-port-src PORT
              Source port in original direction

       --dport, --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state state
              DCCP state, one of NONE, REQUEST, RESPOND, PARTOPEN, OPEN, CLOSEREQ, CLOSING, TIMEWAIT.

       --role [client|server]
              Role that the original conntrack tuple is tracking

       GRE-specific fields:

       --srckey, --orig-key-src KEY
              Source key in original direction (in hexadecimal or decimal)

       --dstkey, --orig-key-dst KEY
              Destination key in original direction (in hexadecimal or decimal)

       --reply-key-src KEY
              Source key in reply direction (in hexadecimal or decimal)

       --reply-key-dst KEY
              Destination key in reply direction (in hexadecimal or decimal)

See Also

       nftables(8), iptables(8), conntrackd(8)
       See http://conntrack-tools.netfilter.org

Synopsis

       conntrack -L [table] [options] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -A [table] parameters
       conntrack -U [table] parameters
       conntrack -E [table] [options]
       conntrack -F [table]
       conntrack -C [table]
       conntrack -S
       conntrack -R file

Tables

       The connection tracking subsystem maintains several internal tables:

       conntrack:
              This  is  the  default table.  It contains a list of all currently tracked connections through the
              system.  If you don't use connection tracking exemptions (NOTRACK iptables target), this means all
              connections that go through the system.

       expect:
              This is the table of expectations.  Connection tracking expectations are  the  mechanism  used  to
              "expect"  RELATED  connections  to  existing ones.  Expectations are generally used by "connection
              tracking helpers" (sometimes called application level gateways [ALGs]) for more complex  protocols
              such as FTP, SIP or H.323.

       dying: This  table  shows  the  conntrack  entries that have expired and that have been destroyed by the
              connection tracking system itself, or via the conntrack utility.

       unconfirmed:
              This table shows new entries that are not yet inserted into the  conntrack  table.  These  entries
              are attached to packets that are traversing the stack, but did not reach the confirmation point at
              the postrouting hook.

              The  tables  "dying"  and  "unconfirmed"  are  basically only useful for debugging purposes. Under
              normal operation, it is hard to see entries in any of them.  There are corner cases where  it  is
              valid to see entries in the unconfirmed table, e.g. when packets are enqueued via nfqueue, and in
              the dying table, e.g. when conntrackd(8) runs in event reliable mode.
