Diffstat (limited to 'conntrack.8')
-rw-r--r-- conntrack.8 19
1 files changed, 14 insertions, 5 deletions
diff --git a/conntrack.8 b/conntrack.8
index c3214ee..3b6a15b 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -14,6 +14,8 @@ conntrack \- command line interface for netfilter connection tracking
.br
.BR "conntrack -I [table] parameters"
.br
+.BR "conntrack -A [table] parameters"
+.br
.BR "conntrack -U [table] parameters"
.br
.BR "conntrack -E [table] [options]"
@@ -88,7 +90,10 @@ Search for and show a particular (matching) entry in the given table.
Delete an entry from the given table.
.TP
.BI "-I, --create "
-Create a new entry from the given table.
+Create a new entry from the given table, it fails if it already exists.
+.TP
+.BI "-A, --add "
+Add a new entry from the given table.
.TP
.BI "-U, --update "
Update an entry from the given table.
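Review bot: the new "-A, --add" paragraph does not say how it differs from "-I, --create". The -I line now states that it fails if the entry already exists, but the -A line says only "Add a new entry from the given table." State the behaviour on an existing entry explicitly in the -A paragraph, so that script authors know which command reports a duplicate as an error. Both descriptions would also read better as "in the given table", and the comma splice in the -I line could become "; it fails if the entry already exists".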
@@ -114,7 +119,7 @@ Load entries from a given file. To read from stdin, "\-" should be specified.
Atomically zero counters after reading them. This option is only valid in
combination with the "\-L, \-\-dump" command options.
.TP
-.BI "-o, --output [extended,xml,save,timestamp,id,ktimestamp,labels,userspace] "
+.BI "-o, --output [extended,xml,save,timestamp,id,ktimestamp,labels] "
Display output in a certain format. With the extended output option, this tool
displays the layer 3 information. With ktimestamp, it displays the in-kernel
timestamp available since 2.6.38 (you can enable it via the \fBsysctl(8)\fP
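Review bot: dropping "userspace" from the "-o, --output" list is unrelated to the "-A, --add" documentation in the rest of this patch, and nothing in the visible lines explains it. If the tool still accepts that output flag, this change leaves it undocumented; if the flag is gone, the removal belongs in its own change or at least needs a mention in the commit message.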
@@ -175,7 +180,7 @@ Specify the conntrack mark. Optionally, a mask value can be specified.
In "\-\-update" mode, this mask specifies the bits that should be zeroed before
XORing the MARK value into the ctmark.
Otherwise, the mask is logically ANDed with the existing mark before the
-comparision. In "\-\-create" mode, the mask is ignored.
+comparison. In "\-\-create" mode, the mask is ignored.
.TP
.BI "-l, --label " "LABEL"
Specify a conntrack label.
@@ -186,8 +191,12 @@ Use multiple \-l options to specify multiple labels that need to be set.
.TP
.BI "--label-add " "LABEL"
Specify the conntrack label to add to the selected conntracks.
-This option is only available in conjunction with "\-I, \-\-create" or
-"\-U, \-\-update".
+This option is only available in conjunction with "\-I, \-\-create",
+"\-A, \-\-add" or "\-U, \-\-update".
+As a rule of thumb, you must use either the 'connlabel' match in your iptables
+ruleset or the 'ct label' statement in your nftables ruleset, this turns on the
+ct label support in the kernel and it allows you to update labels via
+"\-U, \-\-update", otherwise label updates are ignored.
.TP
.BI "--label-del " "[LABEL]"
Specify the conntrack label to delete from the selected conntracks.
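Review bot: the paragraph added under "--label-add" states the kernel prerequisite only for "-U, --update", while the sentence just above it also lists "-I, --create" and "-A, --add"; say whether labels set at creation time are subject to the same requirement. "As a rule of thumb, you must" mixes a hint with a hard requirement, and because the failure is silent ("otherwise label updates are ignored") it is better stated as a plain requirement. If the same condition applies to "--label-del", place the text where it covers both options, and split the comma-spliced sentence after "nftables ruleset".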