This module, when combined with connection tracking, allows access to the
connection tracking state for this packet/connection.
.TP
[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP
\fIstatelist\fP is a comma-separated list of the connection states to match.
Possible states are listed below.
.TP
[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP
Layer-4 protocol to match (by number or name).
.TP
[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
Match against the original/reply source/destination address.
.TP
[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP]
Match against the original/reply source/destination port (TCP/UDP/etc.) or GRE key.
Matching against port ranges is only supported in kernel versions above 2.6.38.
.TP
[\fB!\fP] \fB\-\-ctstatus\fP \fIstatuslist\fP
\fIstatuslist\fP is a comma-separated list of the connection statuses to match.
Possible statuses are listed below.
.TP
[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP]
Match the remaining lifetime in seconds against the given value or range of
values (inclusive).
.TP
\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
Match packets that are flowing in the specified direction. If this flag is not
specified at all, matches packets in both directions.
.PP
States for \fB\-\-ctstate\fP:
.TP
\fBINVALID\fP
meaning that the packet is associated with no known connection. This also
covers packets that connection tracking could not classify, such as malformed
packets or TCP segments that fall outside the window of the connection they
claim to belong to; such packets are commonly dropped.
.TP
\fBNEW\fP
meaning that the packet has started a new connection, or is otherwise associated
with a connection which has not seen packets in both directions.
.TP
\fBESTABLISHED\fP
meaning that the packet is associated with a connection which has seen packets
in both directions.
.TP
\fBRELATED\fP
meaning that the packet is starting a new connection, but is associated with an
existing connection, such as an FTP data transfer, or an ICMP error. For
application protocols such as FTP this requires the corresponding conntrack
helper.
.TP
\fBUNTRACKED\fP
meaning that the packet is not tracked at all, which happens if you use
the NOTRACK target (or the CT target with \fB\-\-notrack\fP) in the raw table.
.TP
\fBSNAT\fP
A virtual state, matching if the original source address differs from the reply
destination, that is, the connection has undergone source NAT.
.TP
\fBDNAT\fP
A virtual state, matching if the original destination differs from the reply
source, that is, the connection has undergone destination NAT.
.PP
Statuses for \fB\-\-ctstatus\fP:
.TP
\fBNONE\fP
None of the below.
.TP
\fBEXPECTED\fP
This is an expected connection (i.e. a conntrack helper set it up).
.TP
\fBSEEN_REPLY\fP
Conntrack has seen packets in both directions.
.TP
\fBASSURED\fP
Conntrack entry should never be early-expired.
.TP
\fBCONFIRMED\fP
Connection is confirmed: the originating packet has left the box.
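.PP
The following is an added example for this man page, not iptables code. It
emulates what the conntrack match sees for each entry of the kernel
connection-tracking table, using the \fB\-\-ctstate\fP definitions (including
the virtual SNAT/DNAT states, which compare the original tuple with the reply
tuple) and the \fB\-\-ctstatus\fP definitions above. The sample table is
constructed, not captured from a real host, and assumes a hypothetical router
203.0.113.5 that masquerades 192.168.1.0/24 and forwards its port 8080 to
192.168.1.20:80. Only statuses visible in /proc/net/nf_conntrack are derived:
every listed entry is already CONFIRMED, [UNREPLIED] is the absence of
SEEN_REPLY, and EXPECTED is not shown in that output.

```python
"""Emulate the conntrack match against /proc/net/nf_conntrack entries.
Added example, not part of iptables; the sample table is constructed and the
NAT topology (203.0.113.5 masquerading 192.168.1.0/24 and forwarding port
8080 to 192.168.1.20:80) is an assumption for the example."""
import ipaddress
import re

# Constructed /proc/net/nf_conntrack lines: l3proto, l3num, l4proto, l4num,
# remaining lifetime in seconds, optional l4 state, original tuple, reply
# tuple, flags.  [UNREPLIED] is printed when SEEN_REPLY is not set.
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=192.0.2.80 sport=51234 dport=443 src=192.0.2.80 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.168.1.10 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 [UNREPLIED] mark=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=198.51.100.7 dst=203.0.113.5 sport=40001 dport=8080 src=192.168.1.20 dst=198.51.100.7 sport=80 dport=40001 [UNREPLIED] mark=0 use=1
ipv4     2 tcp      6 300 ESTABLISHED src=203.0.113.5 dst=203.0.113.9 sport=22222 dport=22 src=203.0.113.9 dst=203.0.113.5 sport=22 dport=22222 [ASSURED] mark=0 use=1
"""


def parse_entry(line):
    """Split one table line into the fields the match options inspect."""
    fields = line.split()
    tuples = []
    for key, val in re.findall(r"\b(src|dst|sport|dport)=(\S+)", line):
        if key == "src":              # each 4-tuple starts with src=
            tuples.append({})
        tuples[-1][key] = val
    orig, repl = tuples               # original direction first, then reply
    return {
        "proto": fields[2],           # --ctproto
        "expire": int(fields[4]),     # --ctexpire: remaining lifetime
        "orig": orig,                 # --ctorigsrc/--ctorigdst/...port
        "repl": repl,                 # --ctreplsrc/--ctrepldst/...port
        "flags": set(re.findall(r"\[([A-Z_]+)\]", line)),
    }


def parse_table(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def ct_states(e):
    """--ctstate values for the next original-direction packet of this entry.
    SNAT/DNAT are the virtual states: they compare the original tuple with
    the reply tuple exactly as the man page defines them."""
    states = {"ESTABLISHED" if "UNREPLIED" not in e["flags"] else "NEW"}
    if e["orig"]["src"] != e["repl"]["dst"]:
        states.add("SNAT")
    if e["orig"]["dst"] != e["repl"]["src"]:
        states.add("DNAT")
    return states


def ct_statuses(e):
    """--ctstatus values derivable from the table: every listed entry is
    already CONFIRMED; EXPECTED is not shown in this output and is omitted."""
    statuses = {"CONFIRMED"}
    if "UNREPLIED" not in e["flags"]:
        statuses.add("SEEN_REPLY")
    if "ASSURED" in e["flags"]:
        statuses.add("ASSURED")
    return statuses


def _in_range(value, spec):
    """'n' or 'lo:hi', inclusive, as used by the port and --ctexpire options."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= value <= int(hi or lo)


def select(entries, ctstate=None, ctstatus=None, ctorigsrc=None,
           ctorigdstport=None, ctexpire=None):
    """Entries a rule with these options would match.  A comma-separated
    state or status list matches if ANY listed value applies (the kernel
    tests a bitmask); the different options are ANDed like any rule."""
    hits = []
    for e in entries:
        if ctstate and not set(ctstate.split(",")) & ct_states(e):
            continue
        if ctstatus and not set(ctstatus.split(",")) & ct_statuses(e):
            continue
        if ctorigsrc and ipaddress.ip_address(e["orig"]["src"]) not in \
                ipaddress.ip_network(ctorigsrc, strict=False):
            continue
        if ctorigdstport and not _in_range(int(e["orig"]["dport"]), ctorigdstport):
            continue
        if ctexpire and not _in_range(e["expire"], ctexpire):
            continue
        hits.append(e)
    return hits


if __name__ == "__main__":
    for e in parse_table(SAMPLE):
        print(e["orig"]["src"], "->", e["orig"]["dst"],
              sorted(ct_states(e)), sorted(ct_statuses(e)))
```

Note that \fB\-\-ctstate\fP is evaluated per packet, not per entry: the
reply packet that first arrives for an [UNREPLIED] entry is already
ESTABLISHED, so the NEW/ESTABLISHED column above describes a further packet in
the original direction, which is what a rule with \fB\-\-ctdir ORIGINAL\fP
would see.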