Jan Engelhardt | a80b604 | 2008-01-20 13:34:07 +0000
This module, when combined with connection tracking, allows access to the
connection tracking state for this packet/connection.
.TP
[\fB!\fR] \fB--ctstate\fR \fIstatelist\fR
\fIstatelist\fR is a comma separated list of the connection states to match.
Possible states are listed below.
.TP
[\fB!\fR] \fB--ctproto\fR \fIl4proto\fR
Layer-4 protocol to match (by number or name).
.TP
[\fB!\fR] \fB--ctorigsrc\fR \fIaddress\fR[\fB/\fR\fImask\fR]
.TP
[\fB!\fR] \fB--ctorigdst\fR \fIaddress\fR[\fB/\fR\fImask\fR]
.TP
[\fB!\fR] \fB--ctreplsrc\fR \fIaddress\fR[\fB/\fR\fImask\fR]
.TP
[\fB!\fR] \fB--ctrepldst\fR \fIaddress\fR[\fB/\fR\fImask\fR]
Match against original/reply source/destination address.
.TP
[\fB!\fR] \fB--ctorigsrcport\fR \fIport\fR
.TP
[\fB!\fR] \fB--ctorigdstport\fR \fIport\fR
.TP
[\fB!\fR] \fB--ctreplsrcport\fR \fIport\fR
.TP
[\fB!\fR] \fB--ctrepldstport\fR \fIport\fR
Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
.TP
[\fB!\fR] \fB--ctstatus\fR \fIstatuslist\fR
\fIstatuslist\fR is a comma separated list of the connection statuses to match.
Possible statuses are listed below.
.TP
[\fB!\fR] \fB--ctexpire\fR \fItime\fR[\fB:\fR\fItime\fR]
Match remaining lifetime in seconds against given value or range of values
(inclusive).
.TP
\fB--ctdir\fR {\fBORIGINAL\fR|\fBREPLY\fR}
Match packets that are flowing in the specified direction. If this flag is not
specified at all, matches packets in both directions.
.PP
States for \fB--ctstate\fR:
.TP
\fBINVALID\fR
meaning that the packet is associated with no known connection.
.TP
\fBNEW\fR
meaning that the packet has started a new connection, or is otherwise associated
with a connection which has not seen packets in both directions.
.TP
\fBESTABLISHED\fR
meaning that the packet is associated with a connection which has seen packets
in both directions.
.TP
\fBRELATED\fR
meaning that the packet is starting a new connection, but is associated with an
existing connection, such as an FTP data transfer, or an ICMP error.
.TP
\fBSNAT\fR
A virtual state, matching if the original source address differs from the reply
destination.
.TP
\fBDNAT\fR
A virtual state, matching if the original destination differs from the reply
source.
.PP
Statuses for \fB--ctstatus\fR:
.TP
\fBNONE\fR
None of the below.
.TP
\fBEXPECTED\fR
This is an expected connection (i.e. a conntrack helper set it up).
.TP
\fBSEEN_REPLY\fR
Conntrack has seen packets in both directions.
.TP
\fBASSURED\fR
Conntrack entry should never be early-expired.
.TP
\fBCONFIRMED\fR
Connection is confirmed: originating packet has left box.
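The options, states and statuses described above, put to use in a minimal stateful ruleset. This is an added example and not part of the iptables man page or project; the interface names `eth0`/`eth1`, the SSH port and the `APPLY`/`IPT` variables are assumptions made for the example. By default it only prints the `iptables` commands it would run; set `APPLY=1` (as root, with connection tracking loaded) to execute them.

```shell
#!/bin/sh
# Added example: a small stateful firewall built from the conntrack match.
# Assumed placeholders: WAN/LAN interface names and the exposed SSH port.
WAN=${WAN:-eth0}            # assumed: internet-facing interface
LAN=${LAN:-eth1}            # assumed: internal interface
SSH_PORT=${SSH_PORT:-22}    # assumed: the one service exposed on INPUT
IPT=${IPT:-iptables}

# Print the command (dry run, the default) or execute it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

# INPUT chain: loopback first, then anything belonging to a connection
# conntrack already knows (ESTABLISHED) or that a helper linked to one
# (RELATED, e.g. FTP data or ICMP errors); packets conntrack cannot place
# in any connection (INVALID) are dropped; only NEW connections to the
# exposed SSH port are admitted; everything else hits the DROP policy.
input_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    ipt -P INPUT DROP
}

# FORWARD chain: same pattern for routed traffic. NEW connections may only
# start from the LAN side, except flows whose destination was rewritten by a
# DNAT rule in the nat table: the virtual DNAT state lets port-forwards in
# without opening the whole chain. Connections that a conntrack helper set
# up (status EXPECTED) are logged so helper activity is visible.
forward_rules() {
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate DNAT -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstatus EXPECTED -j LOG --log-prefix "helper-expected:"
    ipt -P FORWARD DROP
}

main() {
    input_rules
    forward_rules
}

main "$@"
```

The order matters: the ESTABLISHED,RELATED rule sits near the top so the per-packet cost for known connections stays low, and the INVALID drop sits before any NEW rule so that stray packets with no conntrack entry never reach an ACCEPT. The DNAT rule relies on a matching nat-table rule existing; without one, no connection ever carries the virtual DNAT state and the rule simply never matches.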