This module, when combined with connection tracking, allows access to the
connection tracking state for this packet/connection.
.TP
[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP
\fIstatelist\fP is a comma-separated list of the connection states to match.
Possible states are listed below.
.TP
[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP
Layer-4 protocol to match (by number or name).
.TP
[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
Match against original/reply source/destination address.
.TP
[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP]
Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
Matching against port ranges is only supported in kernel versions above 2.6.38.
.TP
[\fB!\fP] \fB\-\-ctstatus\fP \fIstatuslist\fP
\fIstatuslist\fP is a comma-separated list of the connection statuses to match.
Possible statuses are listed below.
.TP
[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP]
Match remaining lifetime in seconds against the given value or range of values
(inclusive).
.TP
\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
Match packets that are flowing in the specified direction. If this flag is not
specified at all, packets in both directions are matched.
.PP
States for \fB\-\-ctstate\fP:
.TP
\fBINVALID\fP
The packet is associated with no known connection.
.TP
\fBNEW\fP
The packet has started a new connection or is otherwise associated
with a connection which has not seen packets in both directions.
.TP
\fBESTABLISHED\fP
The packet is associated with a connection which has seen packets
in both directions.
.TP
\fBRELATED\fP
The packet is starting a new connection, but is associated with an
existing connection, such as an FTP data transfer or an ICMP error.
.TP
\fBUNTRACKED\fP
The packet is not tracked at all, which happens if you explicitly untrack it
by using \-j CT \-\-notrack in the raw table.
.TP
\fBSNAT\fP
A virtual state, matching if the original source address differs from the reply
destination.
.TP
\fBDNAT\fP
A virtual state, matching if the original destination differs from the reply
source.
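.PP
A stateful ruleset built from the states listed above, as an added example that is not part of the original manual page. It combines UNTRACKED, INVALID, ESTABLISHED, RELATED, NEW and the DNAT virtual state with \-\-ctorigdstport and \-\-ctdir; the IPT and WAN_IF variables, the interface name and the port numbers are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the iptables documentation.
# Assumptions: IPT, WAN_IF and the port numbers are placeholders.
# Set IPT=echo for a dry run that prints each rule instead of loading it.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"

load_conntrack_rules() (
    set -e
    # Loopback is exempted from tracking in the raw table and then
    # accepted through the UNTRACKED state.
    $IPT -t raw -A PREROUTING -i lo -j CT --notrack
    $IPT -t raw -A OUTPUT -o lo -j CT --notrack
    $IPT -A INPUT -i lo -m conntrack --ctstate UNTRACKED -j ACCEPT

    # Packets associated with no known connection are dropped first.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # A state list matches any listed state: replies and related flows.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only connection-opening packets to SSH are admitted.
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # FORWARD admits only destination-NATed flows that the client addressed
    # to port 8443, whatever port the nat table translated them to
    # (assumes a DNAT rule exists there).
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -m conntrack --ctstate DNAT --ctorigdstport 8443 --ctdir ORIGINAL -j ACCEPT
    # Return traffic of admitted flows, reply direction only.
    $IPT -A FORWARD -o "$WAN_IF" -m conntrack --ctstate ESTABLISHED --ctdir REPLY -j ACCEPT

    # Everything else falls to a default-deny policy.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
)
```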
.PP
Statuses for \fB\-\-ctstatus\fP:
.TP
\fBNONE\fP
None of the below.
.TP
\fBEXPECTED\fP
This is an expected connection (i.e. a conntrack helper set it up).
.TP
\fBSEEN_REPLY\fP
Conntrack has seen packets in both directions.
.TP
\fBASSURED\fP
Conntrack entry should never be early-expired.
.TP
\fBCONFIRMED\fP
Connection is confirmed: the originating packet has left the box.
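.PP
To audit which table entries the SNAT and DNAT virtual states and the SEEN_REPLY and ASSURED statuses would select, the definitions above can be applied to a conntrack table listing. This is an added example, not part of the original manual page; the function name ct_classify and the sample entry are constructed, and the input is assumed to be in the format printed by conntrack \-L.

```shell
#!/bin/sh
# Added example, not part of the iptables documentation.
# Input: one entry in the format printed by "conntrack -L". The first
# src=/dst= pair is the original tuple, the second the reply tuple.
# Output: "<NAT states> <statuses>", with "-" where none applies.

ct_classify() (
    set -f                      # tokens like [ASSURED] must not glob
    osrc= odst= rsrc= rdst= nat= st=
    for tok in $1; do
        case $tok in
            src=*) if [ -z "$osrc" ]; then osrc=${tok#src=}; else rsrc=${tok#src=}; fi ;;
            dst=*) if [ -z "$odst" ]; then odst=${tok#dst=}; else rdst=${tok#dst=}; fi ;;
        esac
    done
    # Both tuples are needed; reject truncated or malformed entries.
    [ -n "$rsrc" ] && [ -n "$rdst" ] || exit 1
    # SNAT: original source differs from reply destination.
    [ "$osrc" = "$rdst" ] || nat=SNAT
    # DNAT: original destination differs from reply source.
    [ "$odst" = "$rsrc" ] || nat=${nat:+$nat,}DNAT
    # conntrack prints [UNREPLIED] until a reply has been seen.
    case $1 in *"[UNREPLIED]"*) ;; *) st=SEEN_REPLY ;; esac
    case $1 in *"[ASSURED]"*) st=${st:+$st,}ASSURED ;; esac
    echo "${nat:--} ${st:--}"
)

# Constructed sample entry (documentation address ranges): a flow the
# client sent to 203.0.113.5:8443 that was forwarded to 10.0.0.20:443.
SAMPLE='tcp 6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.5 sport=51234 dport=8443 src=10.0.0.20 dst=198.51.100.7 sport=443 dport=51234 [ASSURED] mark=0 use=1'
ct_classify "$SAMPLE"           # prints: DNAT SEEN_REPLY,ASSURED
```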