| Jan Engelhardt | a80b604 | 2008-01-20 13:34:07 +0000 | [diff] [blame] | 1 | This module, when combined with connection tracking, allows access to the |
| 2 | connection tracking state for this packet/connection. |
| 3 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 4 | [\fB!\fR] \fB\-\-ctstate\fP \fIstatelist\fP |
| Jan Engelhardt | a80b604 | 2008-01-20 13:34:07 +0000 | [diff] [blame] | 5 | \fIstatelist\fR is a comma separated list of the connection states to match. |
| 6 | Possible states are listed below. |
| 7 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 8 | [\fB!\fR] \fB\-\-ctproto\fP \fIl4proto\fP |
| Jan Engelhardt | a80b604 | 2008-01-20 13:34:07 +0000 | [diff] [blame] | 9 | Layer-4 protocol to match (by number or name) |
| 10 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 11 | [\fB!\fR] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] |
| Jan Engelhardt | a80b604 | 2008-01-20 13:34:07 +0000 | [diff] [blame] | 12 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 13 | [\fB!\fR] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP] |
| Jan Engelhardt | a80b604 | 2008-01-20 13:34:07 +0000 | [diff] [blame] | 14 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 15 | [\fB!\fR] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] |
| Jan Engelhardt | a80b604 | 2008-01-20 13:34:07 +0000 | [diff] [blame] | 16 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 17 | [\fB!\fR] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP] |
| Jan Engelhardt | a8ad34c | 2008-01-29 13:37:21 +0000 | [diff] [blame] | 18 | Match against original/reply source/destination address |
| 19 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 20 | [\fB!\fR] \fB\-\-ctorigsrcport\fP \fIport\fP |
| Jan Engelhardt | a8ad34c | 2008-01-29 13:37:21 +0000 | [diff] [blame] | 21 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 22 | [\fB!\fR] \fB\-\-ctorigdstport\fP \fIport\fP |
| Jan Engelhardt | a8ad34c | 2008-01-29 13:37:21 +0000 | [diff] [blame] | 23 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 24 | [\fB!\fR] \fB\-\-ctreplsrcport\fP \fIport\fP |
| Jan Engelhardt | a8ad34c | 2008-01-29 13:37:21 +0000 | [diff] [blame] | 25 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 26 | [\fB!\fR] \fB\-\-ctrepldstport\fP \fIport\fP |
| Jan Engelhardt | a8ad34c | 2008-01-29 13:37:21 +0000 | [diff] [blame] | 27 | Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key. |
| Jan Engelhardt | a80b604 | 2008-01-20 13:34:07 +0000 | [diff] [blame] | 28 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 29 | [\fB!\fR] \fB\-\-ctstatus\fP \fIstatelist\fP |
| Jan Engelhardt | a80b604 | 2008-01-20 13:34:07 +0000 | [diff] [blame] | 30 | \fIstatuslist\fR is a comma separated list of the connection statuses to match. |
| 31 | Possible statuses are listed below. |
| 32 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 33 | [\fB!\fR] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP] |
| Jan Engelhardt | a80b604 | 2008-01-20 13:34:07 +0000 | [diff] [blame] | 34 | Match remaining lifetime in seconds against given value or range of values |
| 35 | (inclusive) |
| Jan Engelhardt | a8ad34c | 2008-01-29 13:37:21 +0000 | [diff] [blame] | 36 | .TP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 37 | \fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP} |
| Jan Engelhardt | a8ad34c | 2008-01-29 13:37:21 +0000 | [diff] [blame] | 38 | Match packets that are flowing in the specified direction. If this flag is not |
| 39 | specified at all, matches packets in both directions. |
| Jan Engelhardt | a80b604 | 2008-01-20 13:34:07 +0000 | [diff] [blame] | 40 | .PP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 41 | States for \fB\-\-ctstate\fP: |
| Jan Engelhardt | a80b604 | 2008-01-20 13:34:07 +0000 | [diff] [blame] | 42 | .TP |
| 43 | \fBINVALID\fR |
| 44 | meaning that the packet is associated with no known connection |
| 45 | .TP |
| 46 | \fBNEW\fR |
| 47 | meaning that the packet has started a new connection, or otherwise associated |
| 48 | with a connection which has not seen packets in both directions, and |
| 49 | .TP |
| 50 | \fBESTABLISHED\fR |
| 51 | meaning that the packet is associated with a connection which has seen packets |
| 52 | in both directions, |
| 53 | .TP |
| 54 | \fBRELATED\fR |
| 55 | meaning that the packet is starting a new connection, but is associated with an |
| 56 | existing connection, such as an FTP data transfer, or an ICMP error. |
| 57 | .TP |
| 58 | \fBSNAT\fR |
| 59 | A virtual state, matching if the original source address differs from the reply |
| 60 | destination. |
| 61 | .TP |
| 62 | \fBDNAT\fR |
| 63 | A virtual state, matching if the original destination differs from the reply |
| 64 | source. |
| 65 | .PP |
| Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 66 | Statuses for \fB\-\-ctstatus\fP: |
| Jan Engelhardt | a80b604 | 2008-01-20 13:34:07 +0000 | [diff] [blame] | 67 | .TP |
| 68 | \fBNONE\fR |
| 69 | None of the below. |
| 70 | .TP |
| 71 | \fBEXPECTED\fR |
| 72 | This is an expected connection (i.e. a conntrack helper set it up) |
| 73 | .TP |
| 74 | \fBSEEN_REPLY\fR |
| 75 | Conntrack has seen packets in both directions. |
| 76 | .TP |
| 77 | \fBASSURED\fR |
| 78 | Conntrack entry should never be early-expired. |
| 79 | .TP |
| 80 | \fBCONFIRMED\fR |
| 81 | Connection is confirmed: originating packet has left box. |