diff options
Diffstat (limited to 'extensions/libxt_conntrack.man')
| -rw-r--r-- | extensions/libxt_conntrack.man | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/extensions/libxt_conntrack.man b/extensions/libxt_conntrack.man new file mode 100644 index 0000000..ec51ef5 --- /dev/null +++ b/extensions/libxt_conntrack.man @@ -0,0 +1,85 @@ +This module, when combined with connection tracking, allows access to the +connection tracking state for this packet/connection. +.TP +[\fB!\fR] \fB\-\-ctstate\fP \fIstatelist\fP +\fIstatelist\fR is a comma separated list of the connection states to match. +Possible states are listed below. +.TP +[\fB!\fR] \fB\-\-ctproto\fP \fIl4proto\fP +Layer-4 protocol to match (by number or name) +.TP +[\fB!\fR] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] +.TP +[\fB!\fR] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP] +.TP +[\fB!\fR] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] +.TP +[\fB!\fR] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP] +Match against original/reply source/destination address +.TP +[\fB!\fR] \fB\-\-ctorigsrcport\fP \fIport\fP +.TP +[\fB!\fR] \fB\-\-ctorigdstport\fP \fIport\fP +.TP +[\fB!\fR] \fB\-\-ctreplsrcport\fP \fIport\fP +.TP +[\fB!\fR] \fB\-\-ctrepldstport\fP \fIport\fP +Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key. +.TP +[\fB!\fR] \fB\-\-ctstatus\fP \fIstatelist\fP +\fIstatuslist\fR is a comma separated list of the connection statuses to match. +Possible statuses are listed below. +.TP +[\fB!\fR] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP] +Match remaining lifetime in seconds against given value or range of values +(inclusive) +.TP +\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP} +Match packets that are flowing in the specified direction. If this flag is not +specified at all, matches packets in both directions. +.PP +States for \fB\-\-ctstate\fP: +.TP +\fBINVALID\fR +meaning that the packet is associated with no known connection +.TP +\fBNEW\fR +meaning that the packet has started a new connection, or otherwise associated +with a connection which has not seen packets in both directions, and +.TP +\fBESTABLISHED\fR +meaning that the packet is associated with a connection which has seen packets +in both directions, +.TP +\fBRELATED\fR +meaning that the packet is starting a new connection, but is associated with an +existing connection, such as an FTP data transfer, or an ICMP error. +.TP +\fBUNTRACKED\fR +meaning that the packet is not tracked at all, which happens if you use +the NOTRACK target in raw table. +.TP +\fBSNAT\fR +A virtual state, matching if the original source address differs from the reply +destination. +.TP +\fBDNAT\fR +A virtual state, matching if the original destination differs from the reply +source. +.PP +Statuses for \fB\-\-ctstatus\fP: +.TP +\fBNONE\fR +None of the below. +.TP +\fBEXPECTED\fR +This is an expected connection (i.e. a conntrack helper set it up) +.TP +\fBSEEN_REPLY\fR +Conntrack has seen packets in both directions. +.TP +\fBASSURED\fR +Conntrack entry should never be early-expired. +.TP +\fBCONFIRMED\fR +Connection is confirmed: originating packet has left box. |