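# Filter-option test cases for the conntrack command line tool.
#
# Each non-comment line has the form `<command> ; <verdict>`. The trailing
# OK/BAD token looks like the expected outcome read by a test runner (OK = the
# command should succeed, BAD = it should be rejected); it is not a shell
# command. Confirm against the harness that consumes this file.
#
# One case per line matters: with everything on a single line, the first `#`
# turns the whole file into one comment and no case is run.
#
# NOTE(review): -I, -U and -D modify the connection tracking table of whatever
# network namespace they run in, and `-D -d 2.2.2.2` removes every entry with
# that destination, not only the dummy one. Run the sequence with the
# privileges conntrack needs (typically CAP_NET_ADMIN) inside a throwaway
# namespace, not on a host whose firewall state matters.

# create the dummy entry the later filters are meant to match:
# TCP 1.1.1.1:10 -> 2.2.2.2:20, state LISTEN, status SEEN_REPLY, timeout 50.
# The entry expires on its own after the timeout, so the sequence presumably
# has to finish within that window.
conntrack -I -s 1.1.1.1 -d 2.2.2.2 -p tcp --sport 10 --dport 20 --state LISTEN -u SEEN_REPLY -t 50 ; OK

# filter by source address
conntrack -L -s 1.1.1.1 ; OK

# filter by destination address
conntrack -L -d 2.2.2.2 ; OK

# filter by layer 4 protocol
conntrack -L -p tcp ; OK

# filter by status flag
conntrack -L -u SEEN_REPLY ; OK

# filter by TCP protocol state
conntrack -L -p tcp --state LISTEN ; OK

# update the mark of the dummy entry (selected by source address)
conntrack -U -s 1.1.1.1 -m 1 ; OK

# filter by mark, short option
conntrack -L -m 1 ; OK

# filter by layer 3 protocol
conntrack -L -f ipv4 ; OK

# filter by mark, long option: bare value, then value/mask
conntrack -L --mark 0 ; OK
conntrack -L --mark 0/0xffffffff; OK

# filter by netmask: explicit --mask-src/--mask-dst, then CIDR notation.
# 1.1.2.0/24 does not cover the dummy's source 1.1.1.1; the case is still
# marked OK, so a listing without matches presumably counts as success.
conntrack -L -s 1.1.1.0 --mask-src 255.255.255.0 -d 2.0.0.0 --mask-dst 255.0.0.0 ; OK
conntrack -L -s 1.1.1.4/24 -d 2.3.4.5/8 ; OK
conntrack -L -s 1.1.2.0/24 -d 2.3.4.5/8 ; OK

# mismatching address families (IPv4 source, IPv6 destination) must be rejected
conntrack -L -s 2.2.2.2 -d ::1 ; BAD

# filter by IPv6 address, it implicitly sets IPv6 family
conntrack -L -s ::1 ; OK

# filter by IPv6 address mask, it implicitly sets IPv6 family
conntrack -L -s abcd:abcd:abcd:: --mask-src ffff:ffff:ffff:: ; OK

# mismatching address families in the masks (IPv6 source mask, IPv4
# destination mask) must be rejected
conntrack -L --mask-src ffff:ffff:ffff:: --mask-dst 255.0.0.0 ; BAD

# delete the dummy entry (selected by destination address)
conntrack -D -d 2.2.2.2 ; OK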