.\" man/man8/tc-ct.8
.TH "ct action in tc" 8 "14 May 2020" "iproute2" "Linux"
.SH NAME
ct \- tc connection tracking action
.SH SYNOPSIS
.in +8
.ti -8
.BR "tc ... action ct commit [ force ] [ zone "
.IR ZONE
.BR "] [ mark "
.IR MASKED_MARK
.BR "] [ label "
.IR MASKED_LABEL
.BR "] [ nat "
.IR NAT_SPEC
.BR "]"

.ti -8
.BR "tc ... action ct [ nat ] [ zone "
.IR ZONE
.BR "]"

.ti -8
.BR "tc ... action ct clear"

.SH DESCRIPTION
The ct action is a tc action for sending packets to, and interacting with, the netfilter conntrack module.

It can (as shown in the synopsis, in order):

Send the packet to conntrack, and commit the connection, while configuring
a 32-bit mark, 128-bit label, and src/dst nat.

Send the packet to conntrack, which will mark the packet with the connection's state and
configured metadata (mark/label), and execute previously configured nat.

Clear the packet's previous connection tracking state.

.SH OPTIONS
.TP
.BI zone " ZONE"
Specify the conntrack zone number in which to send the packet to conntrack.
.TP
.BI mark " MASKED_MARK"
Specify a masked 32-bit mark to set for the connection (only valid with commit).
.TP
.BI label " MASKED_LABEL"
Specify a masked 128-bit label to set for the connection (only valid with commit).
.TP
.BI nat " NAT_SPEC"
.BI Where " NAT_SPEC " ":= {src|dst} addr" " addr1" "[-" "addr2" "] [port " "port1" "[-" "port2" "]]"

Specify the src/dst direction and the address/port range of nat to configure for the connection (only valid with commit).
.RS
.TP
src/dst - configure src or dst nat
.TP
.BI  "" "addr1" "/" "addr2" " - IPv4/IPv6 addresses"
.TP
.BI  "" "port1" "/" "port2" " - Port numbers"
.RE
.TP
.BI nat
Restore any previously configured nat.
.TP
.BI clear
Remove any conntrack state and metadata (mark/label) from the packet (must be the only option specified).
.TP
.BI force
Forces the conntrack direction for a previously committed connection, so that the current direction becomes the original direction (only valid with commit).

.SH EXAMPLES
Example showing a natted firewall in conntrack zone 2, and conntrack mark usage:
.EX

#Add ingress qdisc on eth0 and eth1 interfaces
.nf
$ tc qdisc add dev eth0 handle ingress
$ tc qdisc add dev eth1 handle ingress

#Setup filters on eth0, allowing opening new connections in zone 2, and doing src nat + mark for each new connection
$ tc filter add dev eth0 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\
action ct zone 2 pipe action goto chain 2
$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new \\
action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1
$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\
action ct nat pipe action mirred egress redirect dev eth1

#Setup filters on eth1, allowing only established connections of zone 2 through, and reverse nat (dst nat in this case)
$ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\
action ct zone 2 pipe action goto chain 1
$ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\
action ct nat pipe action mirred egress redirect dev eth0
.fi

.EE

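Added example, not part of the iproute2 man page: a POSIX shell script that generates the stateful rule set from the EXAMPLES section above for arbitrary interface names, zone, mark and SNAT address. By default it only prints the tc commands (a dry run); they are executed only when APPLY=1 is set in the environment. The APPLY variable and the run, ct_firewall_rules and count_rules helpers are this example's own; the values eth0, eth1, zone 2, mark 0xbb and 5.5.5.7 used in the usage call are the ones from the examples above, not addresses of any real deployment.

```shell
#!/bin/sh
# Added example: generate (or, with APPLY=1, install) the tc-ct stateful
# firewall rules shown in the EXAMPLES section of tc-ct(8), parameterised.
# Installing requires CAP_NET_ADMIN; the dry run needs nothing.
# The helper names and the APPLY variable are this example's own assumptions.

# run CMD...: print the command in dry-run mode, execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# ct_firewall_rules IN_DEV OUT_DEV ZONE MARK SNAT_ADDR
# Untracked TCP arriving on IN_DEV is sent to conntrack in ZONE; new flows are
# committed with MARK and source-NATed to SNAT_ADDR; established flows carrying
# MARK in ZONE get their NAT re-applied and are forwarded. On OUT_DEV only
# established flows of that ZONE/MARK are let back through (reverse NAT), so
# an unsolicited packet from the OUT_DEV side never matches a forwarding rule.
ct_firewall_rules() {
    in_dev=$1; out_dev=$2; zone=$3; mark=$4; snat=$5

    run tc qdisc add dev "$in_dev" handle ingress
    run tc qdisc add dev "$out_dev" handle ingress

    # chain 0: hand untracked TCP to conntrack, then classify by state in chain 2
    run tc filter add dev "$in_dev" ingress prio 1 chain 0 proto ip flower \
        ip_proto tcp ct_state -trk \
        action ct zone "$zone" pipe action goto chain 2
    # chain 2, new connection: commit with mark + src nat, forward
    run tc filter add dev "$in_dev" ingress prio 1 chain 2 proto ip flower \
        ct_state +trk+new \
        action ct zone "$zone" commit mark "$mark" nat src addr "$snat" pipe \
        action mirred egress redirect dev "$out_dev"
    # chain 2, established and already marked: re-apply nat, forward
    run tc filter add dev "$in_dev" ingress prio 1 chain 2 proto ip flower \
        ct_zone "$zone" ct_mark "$mark" ct_state +trk+est \
        action ct nat pipe action mirred egress redirect dev "$out_dev"

    # return path on OUT_DEV: track in the same zone, forward only +est flows
    run tc filter add dev "$out_dev" ingress prio 1 chain 0 proto ip flower \
        ip_proto tcp ct_state -trk \
        action ct zone "$zone" pipe action goto chain 1
    run tc filter add dev "$out_dev" ingress prio 1 chain 1 proto ip flower \
        ct_zone "$zone" ct_mark "$mark" ct_state +trk+est \
        action ct nat pipe action mirred egress redirect dev "$in_dev"
}

# count_rules ARGS...: number of tc commands the generator emits in dry-run mode.
count_rules() {
    APPLY=0 ct_firewall_rules "$@" | wc -l | tr -d ' '
}

# Usage (dry run, prints 7 tc commands with the values from the man page):
ct_firewall_rules eth0 eth1 2 0xbb 5.5.5.7
```

Reviewing the dry-run output before setting APPLY=1 makes it easy to confirm which ct_state, ct_zone and ct_mark conditions each filter matches; once installed, `tc -s filter show dev eth1 ingress` shows per-filter hit counters, so return traffic on the outside interface should only ever increment the +trk+est rule.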
.SH SEE ALSO
.BR tc (8),
.BR tc-flower (8),
.BR tc-mirred (8)
.SH AUTHORS
Paul Blakey <paulb@mellanox.com>

Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

Yossi Kuperman <yossiku@mellanox.com>