|
Packit Service |
fa126c |
The CT target allows to set parameters for a packet or its associated
|
|
Packit Service |
fa126c |
connection. The target attaches a "template" connection tracking entry to
|
|
Packit Service |
fa126c |
the packet, which is then used by the conntrack core when initializing
|
|
Packit Service |
fa126c |
a new ct entry. This target is thus only valid in the "raw" table.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-notrack\fP
|
|
Packit Service |
fa126c |
Disables connection tracking for this packet.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-helper\fP \fIname\fP
|
|
Packit Service |
fa126c |
Use the helper identified by \fIname\fP for the connection. This is more
|
|
Packit Service |
fa126c |
flexible than loading the conntrack helper modules with preset ports.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-ctevents\fP \fIevent\fP[\fB,\fP...]
|
|
Packit Service |
fa126c |
Only generate the specified conntrack events for this connection. Possible
|
|
Packit Service |
fa126c |
event types are: \fBnew\fP, \fBrelated\fP, \fBdestroy\fP, \fBreply\fP,
|
|
Packit Service |
fa126c |
\fBassured\fP, \fBprotoinfo\fP, \fBhelper\fP, \fBmark\fP (this refers to
|
|
Packit Service |
fa126c |
the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark).
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-expevents\fP \fIevent\fP[\fB,\fP...]
|
|
Packit Service |
fa126c |
Only generate the specified expectation events for this connection.
|
|
Packit Service |
fa126c |
Possible event types are: \fBnew\fP.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-zone-orig\fP {\fIid\fP|\fBmark\fP}
|
|
Packit Service |
fa126c |
For traffic coming from ORIGINAL direction, assign this packet to zone
|
|
Packit Service |
fa126c |
\fIid\fP and only have lookups done in that zone. If \fBmark\fP is used
|
|
Packit Service |
fa126c |
instead of \fIid\fP, the zone is derived from the packet nfmark.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-zone-reply\fP {\fIid\fP|\fBmark\fP}
|
|
Packit Service |
fa126c |
For traffic coming from REPLY direction, assign this packet to zone
|
|
Packit Service |
fa126c |
\fIid\fP and only have lookups done in that zone. If \fBmark\fP is used
|
|
Packit Service |
fa126c |
instead of \fIid\fP, the zone is derived from the packet nfmark.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-zone\fP {\fIid\fP|\fBmark\fP}
|
|
Packit Service |
fa126c |
Assign this packet to zone \fIid\fP and only have lookups done in that zone.
|
|
Packit Service |
fa126c |
If \fBmark\fP is used instead of \fIid\fP, the zone is derived from the
|
|
Packit Service |
fa126c |
packet nfmark. By default, packets have zone 0. This option applies to both
|
|
Packit Service |
fa126c |
directions.
|
|
Packit Service |
fa126c |
.TP
|
|
Packit Service |
fa126c |
\fB\-\-timeout\fP \fIname\fP
|
|
Packit Service |
fa126c |
Use the timeout policy identified by \fIname\fP for the connection. This is
|
|
Packit Service |
fa126c |
provides more flexible timeout policy definition than global timeout values
|
|
Packit Service |
fa126c |
available at /proc/sys/net/netfilter/nf_conntrack_*_timeout_*.
|