Diffstat (limited to 'conntrack.8')
-rw-r--r-- | conntrack.8 | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/conntrack.8 b/conntrack.8 index 6fbb41f..3b6a15b 100644 --- a/conntrack.8 +++ b/conntrack.8 @@ -180,7 +180,7 @@ Specify the conntrack mark. Optionally, a mask value can be specified. In "\-\-update" mode, this mask specifies the bits that should be zeroed before XORing the MARK value into the ctmark. Otherwise, the mask is logically ANDed with the existing mark before the -comparision. In "\-\-create" mode, the mask is ignored. +comparison. In "\-\-create" mode, the mask is ignored. .TP .BI "-l, --label " "LABEL" Specify a conntrack label. @@ -193,6 +193,10 @@ Use multiple \-l options to specify multiple labels that need to be set. Specify the conntrack label to add to the selected conntracks. This option is only available in conjunction with "\-I, \-\-create", "\-A, \-\-add" or "\-U, \-\-update". +As a rule of thumb, you must use either the 'connlabel' match in your iptables +ruleset or the 'ct label' statement in your nftables ruleset, this turns on the +ct label support in the kernel and it allows you to update labels via +"\-U, \-\-update", otherwise label updates are ignored. .TP .BI "--label-del " "[LABEL]" Specify the conntrack label to delete from the selected conntracks. |
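Review bot: In the second hunk (@@ -193,6 +193,10 @@), the added sentence names only "\-U, \-\-update" as affected, while the sentence directly above it says the option is also available with "\-I, \-\-create" and "\-A, \-\-add"; please state whether labels given at create/add time are likewise ignored when no 'connlabel' match or 'ct label' statement is loaded. The text also does not say whether conntrack reports an error or returns success when the update is ignored, which is what a user debugging a missing label needs to know. On wording, "As a rule of thumb, you must" mixes a hint with a requirement, and "ruleset, this turns on" is a comma splice; suggest two sentences, e.g. "You must use either ... in your nftables ruleset. This turns on ct label support in the kernel and allows you to update labels via ...".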