.TH "ct action in tc" 8 "14 May 2020" "iproute2" "Linux"

.SH NAME

ct \- tc connection tracking action

.SH SYNOPSIS

.in +8

.ti -8

.BR "tc ... action ct commit [ force ] [ zone "

.IR ZONE

.BR "] [ mark "

.IR MASKED_MARK

.BR "] [ label "

.IR MASKED_LABEL

.BR "] [ nat "

.IR NAT_SPEC

.BR "]"

.ti -8

.BR "tc ... action ct [ nat ] [ zone "

.IR ZONE

.BR "]"

.ti -8

.BR "tc ... action ct clear"

.SH DESCRIPTION

The ct action is a tc action for sending packets and interacting with the netfilter conntrack module.

It can (as shown in the synopsis, in order):

Send the packet to conntrack, and commit the connection, while configuring

a 32bit mark, 128bit label, and src/dst nat.

Send the packet to conntrack, which will mark the packet with the connection's state and

configured metadata (mark/label), and execute previous configured nat.

Clear the packet's of previous connection tracking state.

.SH OPTIONS

.TP

.BI zone " ZONE"

Specify a conntrack zone number on which to send the packet to conntrack.

.TP

.BI mark " MASKED_MARK"

Specify a masked 32bit mark to set for the connection (only valid with commit).

.TP

.BI label " MASKED_LABEL"

Specify a masked 128bit label to set for the connection (only valid with commit).

.TP

.BI nat " NAT_SPEC"

.BI Where " NAT_SPEC " ":= {src|dst} addr" " addr1" "[-" "addr2" "] [port " "port1" "[-" "port2" "]]"

Specify src/dst and range of nat to configure for the connection (only valid with commit).

.RS

.TP

src/dst - configure src or dst nat

.TP

.BI  "" "addr1" "/" "addr2" " - IPv4/IPv6 addresses"

.TP

.BI  "" "port1" "/" "port2" " - Port numbers"

.RE

.TP

.BI nat

Restore any previous configured nat.

.TP

.BI clear

Remove any conntrack state and metadata (mark/label) from the packet (must only option specified).

.TP

.BI force

Forces conntrack direction for a previously commited connections, so that current direction will become the original direction (only valid with commit).

.SH EXAMPLES

Example showing natted firewall in conntrack zone 2, and conntrack mark usage:

.EX

#Add ingress qdisc on eth0 and eth1 interfaces

.nf

$ tc qdisc add dev eth0 handle ingress

$ tc qdisc add dev eth1 handle ingress

#Setup filters on eth0, allowing opening new connections in zone 2, and doing src nat + mark for each new connection

$ tc filter add dev eth0 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\

action ct zone 2 pipe action goto chain 2

$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new \\

action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1

$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\

action ct nat pipe action mirred egress redirect dev eth1

#Setup filters on eth1, allowing only established connections of zone 2 through, and reverse nat (dst nat in this case)

$ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\

action ct zone 2 pipe action goto chain 1

$ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\

action ct nat pipe action mirred egress redirect dev eth0

.fi

.EE

.RE

.SH SEE ALSO

.BR tc (8),

.BR tc-flower (8)

.BR tc-mirred (8)

.SH AUTHORS

Paul Blakey <paulb@mellanox.com>

Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

Yossi Kuperman <yossiku@mellanox.com>