summaryrefslogtreecommitdiffstats
path: root/conntrack.8
Commit message (Collapse)AuthorAgeFilesLines
* conntrack: support for IPS_OFFLOADPablo Neira Ayuso2019-08-091-2/+2
| | | | | | | | # conntrack -L -u OFFLOAD tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32824 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32824 [OFFLOAD] mark=0 secctx=null use=2 tcp 6 431984 ESTABLISHED src=192.168.10.2 dst=10.0.1.2 sport=32826 dport=5201 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=32826 [OFFLOAD] mark=0 secctx=null use=2 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add -o userspace option to tag user-triggered eventsPablo Neira Ayuso2019-02-201-1/+2
| | | | | | | | | | | | | | The following command: # conntrack -E -o userspace & # conntrack -F [DESTROY] tcp 6 src=122.127.186.172 dst=192.168.10.195 sport=443 dport=48232 packets=56 bytes=5313 src=192.168.10.195 dst=122.127.186.172 sport=48232 dport=443 packets=49 bytes=5174 [ASSURED] [USERSPACE] prints the [USERSPACE] tag at the end of the event, this tells users if this event has been triggered by process, eg. via conntrack command invocation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack.8: refresh manpageArturo Borrero Gonzalez2017-09-271-66/+101
| | | | | | | | | | Refresh manpage, fixing typos, rearranging some sentences, introducing line breaks at max. 80 columns, markup fixes, and so on. Apart of some minor cosmetics fixes, no actual content is changed. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: man: Add description of tables dying and unconfirmed.Mart Frauenlob2016-04-081-0/+16
| | | | | Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: man: add options --src and --dst.Mart Frauenlob2016-04-081-2/+2
| | | | | Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add support for CIDR notationAsbjørn Sloth Tønnesen2016-02-161-0/+4
| | | | | | | | | | | | | | Add support for using CIDR notation in --{orig,tuple}-{src,dst} arguments, instead of free-form formatting netmask in --mask-{src,dst}. Example: conntrack -L -s 2001:db8::/56 Instead of: conntrack -L -s 2001:db8:: --mask-src ffff:ffff:ffff:ff00:: Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add support for netmask filteringAsbjørn Sloth Tønnesen2016-02-081-2/+5
| | | | | | | | This patch extends --mask-src and --mask-dst to also work with the conntrack table, with commands -L, -D, -E and -U. Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: support delete by labelAsbjørn Sloth Tønnesen2016-02-011-1/+1
| | | | | | | | | | | This option was already silently allowed by 991fc4ae, but didn't have any effect. This patch adds the check and documents it. Cc: Clemence Faure <clemence.faure@sophos.com> Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add zone direction supportDaniel Borkmann2015-09-291-1/+9
| | | | | | | | | | | | | | | | This patch adds support for zone directions. Since all options have the orig/reply as a prefix, I named it --orig-zone and --reply-zone to stay consistent with the rest of the cmdline options. As for the option chars, there was no unallocated reasonable combination, thus only long options are officially exposed in the help, similarly as in other cases. Test suite results, after patch: OK: 79 BAD: 0 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* man: fix hyphen used as minus signArturo Borrero2014-09-251-11/+11
| | | | | | | | | | | | | | Report from Debian's lintian: This manual page seems to contain a hyphen where a minus sign was intended. By default, "-" chars are interpreted as hyphens (U+2010) by groff, not as minus signs (U+002D). Since options to programs use minus signs (U+002D), this means for example in UTF-8 locales that you cannot cut and paste options, nor search for them easily. [...] Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: support add/delete of conntrack labelsClemence Faure2013-09-151-1/+9
| | | | | | | | new options "--label-add" and "--label-delete" to alter connlabels assigned to a connection. Signed-off-by: Clemence Faure <clemence.faure@sophos.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: support multiple -l optionsFlorian Westphal2013-09-151-3/+4
| | | | | | | | Using -l foo -l bar caused the "foo" label to be lost. Merge multiple -l options so "-l foo,bar" and "-l foo -l bar" have same effect. Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: introduce -l option to filter by labelsClemence Faure2013-07-231-0/+5
| | | | | Signed-off-by: Clemence Faure <clemence.faure@sophos.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* conntrack: add connlabel format attributeFlorian Westphal2013-07-051-1/+3
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: manpage and help display improvementsAdrian Bridgett2012-03-201-3/+3
| | | | | | | | This patch adds missing information regarding several conntrackd options to the manpage and the help info that is displayed in the command line. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add support for mark maskFlorian Westphal2011-06-151-2/+6
| | | | | | | | | | | | | | | Extend --mark option to optionally take a mask, seperated by '/', e.g. --mark 0x80/0xf0. When used with -L, only test those bits of the mark that are in the mask range (behaves like iptables like -m mark). When used with -U, zero out those bits indicated by the mask and XOR the new mark into the result (behaves like iptables -j MARK --set-xmark). Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add -o ktimestamp option (it requires linux >= 2.6.38)Pablo Neira Ayuso2011-02-171-2/+5
| | | | | | | | | | | | | | | | | | | | | | | This option requires Linux kernel >= 2.6.38, you have to enable conntrack timestamping with: echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp # conntrack -L -o ktimestamp udp 17 59 src=192.168.1.128 dst=192.168.1.1 sport=52050 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=52050 [ASSURED] mark=0 delta-time=121 [start=Thu Feb 17 17:41:18 2011] use=1 # conntrack -L conntrack v0.9.15 (conntrack-tools): 20 flow entries have been shown. udp 17 31 src=192.168.1.128 dst=192.168.1.1 sport=52050 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=52050 [ASSURED] mark=0 delta-time=149 use=1 # conntrack -E -o ktimestamp ... [DESTROY] udp 17 src=192.168.1.128 dst=192.168.1.1 sport=40162 dport=53 src=192.168.1.1 dst=192.168.1.128 sport=53 dport=40162 [ASSURED] delta-time=3 [start=Thu Feb 17 17:44:57 2011] [stop=Thu Feb 17 17:45:00 2011] # conntrack -E [DESTROY] udp 17 src=192.168.1.128 dst=77.226.252.14 sport=123 dport=123 src=77.226.252.14 dst=192.168.1.128 sport=123 dport=123 delta-time=8 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix missing line break in conntrack(8) manpagePablo Neira Ayuso2010-10-121-0/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add zone supportPablo Neira Ayuso2010-07-051-1/+4
| | | | | | | | This patch adds `--zone' to the command line tool. This adds the missing user-space support for Patrick's McHardy iptables CT target. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add `--any-nat' to filter any NATted flowPablo Neira Ayuso2010-07-011-0/+3
| | | | | | | This patch adds the --any-nat option that allows to display src-NATted OR dst-NATted flows. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: option `-t' in on the same line as `-m' in manpagePablo Neira Ayuso2010-02-261-0/+1
| | | | | | | | | From Richard Lucassen: > Btw: if you search the "-m --mask" option in the manpage, you'll see a > cosmetic typo: this option is on the same line as "-t --timeout" Reported-by: Richard Lucassen <reply5@xaq.nl> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: spell fix in conntrack(8) manpageJan Engelhardt2009-07-171-1/+1
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add DCCP role parameter for conntrack creationPablo Neira Ayuso2009-04-241-1/+3
| | | | | | | This patch adds `--role' parameter for DCCP which is required to create entries. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add GRE supportPablo Neira Ayuso2009-04-181-0/+14
| | | | | | | This patch adds GRE support for the command line tool conntrack. With this patch, we support all protocols available in the kernel. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.
* conntrack: add DCCP supportPablo Neira Ayuso2009-04-111-0/+17
| | | | | | This patch adds DCCP support for the command line tool conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add SCTP supportPablo Neira Ayuso2009-04-111-0/+23
| | | | | | This patch adds SCTP support to the command line tool conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add UDPlite supportPablo Neira Ayuso2009-04-111-1/+16
| | | | | | This patch adds UDPlite support for the command line tool conntrack. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add `-S' command to display kernel statisticsPablo Neira Ayuso2009-03-311-0/+5
| | | | | | | | | This patch adds `-S' command to display kernel statistics. Using raw `cat' on /proc and the hexadecimal output is not very handy. This option parses the /proc entry and display the information is a more human friendly way. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: fix missing bits in `-C' commandPablo Neira Ayuso2009-03-311-0/+2
| | | | | | | | This patch fixes some missing bits for the `-C' conntrack command like the manpage information, the usage help, the `--counters' synonymous and the commands vs. options checking. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add -C command to display the counterPablo Neira Ayuso2009-01-171-0/+3
| | | | | | | | | | This patch adds the -C command, to display the table counter. In the case of `-C conntrack' the tool reads the proc interface. For expectation, it loops on the table to count the number of entries (as there is not proc interface to display the number of expectations). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* manpage: add --status FIXED_TIMEOUT and EXPECTEDPablo Neira Ayuso2008-12-041-1/+1
| | | | | | | This patch adds FIXED_TIMEOUT and EXPECTED to the conntrack(8) manpage. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* conntrack: add missing -U in conntrack(8) manpagePablo Neira Ayuso2008-10-221-1/+6
| | | | | | | This patch adds information about -U which was missing. Reported-by: Karel Rericha <karel@maxtel.cz> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* CLI: add new option --buffer-size for -EPablo Neira Ayuso2008-07-291-0/+10
| | | | | | | Add new option --buffer-size for -E to set the netlink socket buffer size. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* minor update of the manpages/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-161-3/+4
|
* o fix NAT filtering via --src-nat and --dst-nat (reported by K.Oledzki)/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-161-11/+16
| | | | | | o recover the ID support o show display counters to stderr o enable filtering by status and ID
* update manpages with the new URL/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2008-04-091-1/+1
|
* = conntrack =/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-12-211-0/+5
| | | | | | | | | | | o fix missing `-g' and `-n' options in getopt_long control string o add support for secmark (requires Linux kernel >= 2.6.25) o add mark and secmark information to the manpage o cleanup error message = conntrackd = o add support for secmark (requires Linux kernel >= 2.6.25) o add conntrackd (8) manpage
* include protocol filter parameters in the manpage/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-07-181-0/+43
|
* - add support for `-L --src-nat' and `-L --dst-nat' to show natted connections/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-06-091-5/+9
| | | | - update conntrack(8) manpage
* o introduce '--output xml,extended,timestamp' option for '-L', '-G' and '-E'/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-05-071-7/+21
| | | | o several fixes for the output of usage messages
* - add warning note to ctnl_test.c: old API is deprecated/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-05-061-2/+7
| | | | | | | | - split expect_api_test.c into small example files expect_*.c - introduce alias tags for original tuple attributes - introduce nfexp_sizeof and nfexp_maxsize - build expectation attributes iif they are set - fix l3num setting in expect/build.c
* first step forward to merge conntrackd and conntrack into the same building ↵/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-04-161-0/+142
| | | | chain
* initial import of the conntrack daemon to Netfilter SVN/C=EU/ST=EU/CN=Pablo Neira Ayuso/emailAddress=pablo@netfilter.org2007-04-161-142/+0
|
* <pablo@netfilter.org>/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org2005-12-261-0/+4
| | | | | | | | | | | | o add IPv6 support: main change o removed dead code: iptables_insmod and get_modprobe o compact the commands vs. options table o move working vars from the stack to the BSS section o update manpage o Bumped version to 1.0beta1 <yasuyuki.kozakai@toshiba.co.jp> o check address family mismatch o fix incomplete copying IPv6 addresses
* o Add support to filter events. ie: -p tcp --orig-port-dst 80 in/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org2005-12-031-9/+5
| | | | | | | | | conjuction with -E to get all the requests to HTTP servers o Update manpage o Missing static function declaration in the protocol handlers o Use protocol flags defined in libnetfilter_conntrack o Kill leftover #include "conntrack.h" in the ICMP helper o Bumped version to 0.991
* o Add --id to the conntrack manpage/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=pablo/emailAddress=pablo@netfilter.org2005-11-011-1/+4
| | | | o Add myself to the list of ctnetlink author, it deserves it ;)
* major update (See ChangeLog)/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org2005-09-241-14/+1
|
* o Fixed syntax error (tab/space issue) in help message/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org2005-06-241-0/+152
o Fixed getopt handling on big endian machines o Fixed possible future read-over-end-of-array in TCP extension o Add manpage o Add missing space at output of libct_proto_icmp.c o Add status bits that were introduced in 2.6.11 o Add SCTP extension o Add support for expect creation o Bump version number to 0.63