| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-06-07 21:32:24 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-06-07 21:44:58 +0200 |
| commit | 9bed87a72ea37ac55b24cfb37c7b5d28d7d06837 (patch) | |
| tree | cbb9bc0b7bd5c5758223cff04e5c969b0099388e /doc/manual | |
| parent | 2e4b2a9d50e2f823e99aa9b03b1c5a4f3ecbf8dc (diff) | |
doc: manual: fix conntrack examples
> (1) The mark in the command line is '10', not '1'.
> (2) The dport in the example is '993', not '3486' and not '34846'.
... text says "has been deleted"; but conntrack prints "have been deleted"
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc/manual')
-rw-r--r-- | doc/manual/conntrack-tools.tmpl | 28 |
1 files changed, 14 insertions, 14 deletions
diff --git a/doc/manual/conntrack-tools.tmpl b/doc/manual/conntrack-tools.tmpl index 54e5237..9af0b3f 100644 --- a/doc/manual/conntrack-tools.tmpl +++ b/doc/manual/conntrack-tools.tmpl 
@@ -171,30 +171,30 @@ <programlisting> # cat /proc/net/ip_conntrack - tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1 - tcp 6 431698 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34849 dport=993 packets=244 bytes=18723 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 secmark=0 use=1 + tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 use=1 + tcp 6 431698 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34849 dport=993 packets=244 bytes=18723 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 use=1 </programlisting> <para>The command line tool <emphasis>conntrack</emphasis> can be used to display the same information:</para> <programlisting> # conntrack -L - tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1 - tcp 6 431698 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34849 dport=993 packets=244 bytes=18723 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 secmark=0 use=1 -conntrack v0.9.7 (conntrack-tools): 2 flow entries have been shown. 
+ tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 use=1 + tcp 6 431698 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34849 dport=993 packets=244 bytes=18723 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 use=1 +conntrack v1.4.6 (conntrack-tools): 2 flow entries have been shown. </programlisting> <para>You can natively filter the output without using <emphasis>grep</emphasis>:</para> <programlisting> - # conntrack -L -p tcp --dport 34856 - tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1 -conntrack v0.9.7 (conntrack-tools): 1 flow entries have been shown. + # conntrack -L -p tcp --dport 993 + tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 use=1 +conntrack v1.4.6 (conntrack-tools): 1 flow entries have been shown. </programlisting> <para>Update the mark based on a selection, this allows you to change the mark of an entry without using the CONNMARK target:</para> <programlisting> - # conntrack -U -p tcp --dport 3486 --mark 10 - tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=1 secmark=0 use=1 -conntrack v0.9.7 (conntrack-tools): 1 flow entries has been updated. 
+ # conntrack -U -p tcp --dport 993 --mark 10 + tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=10 use=1 +conntrack v1.4.6 (conntrack-tools): 1 flow entries have been updated. </programlisting> <para>Delete one entry, this can be used to block traffic if:</para> @@ -204,9 +204,9 @@ conntrack v0.9.7 (conntrack-tools): 1 flow entries has been updated. </itemizedlist> <programlisting> - # conntrack -D -p tcp --dport 3486 - tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=1 secmark=0 use=1 -conntrack v0.9.7 (conntrack-tools): 1 flow entries has been deleted. + # conntrack -D -p tcp --dport 993 + tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=10 use=1 +conntrack v1.4.6 (conntrack-tools): 1 flow entries have been deleted. </programlisting> <para>Display the connection tracking events:</para> |
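Review bot: in the first hunk (@@ -171,30 +171,30 @@) the corrected selector `-p tcp --dport 993` still does not single out one flow: both entries in the listing have dport=993 in the original direction (they differ only in sport=34846 vs sport=34849), so `conntrack -L -p tcp --dport 993` and `conntrack -U -p tcp --dport 993 --mark 10` would match both flows, yet the shown output reports "1 flow entries have been shown" and "1 flow entries have been updated" with a single entry printed. Either print both entries with a count of 2, or use a selector that isolates the first flow, e.g. `-p tcp --dport 993 --sport 34846` (`--sport` is the short form of `--orig-port-src`). A smaller point: the context line `# cat /proc/net/ip_conntrack` refers to the legacy proc file; current kernels expose `/proc/net/nf_conntrack`, so that listing could be refreshed together with the version string bump to v1.4.6.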
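Review bot: the second hunk (@@ -204,9 +204,9 @@) carries the same selector problem: `conntrack -D -p tcp --dport 993` would delete both flows from the manual's two-entry table, since both have dport=993, so "1 flow entries have been deleted" with one entry printed is inconsistent with the listing earlier in the chapter; narrow the selector (for example add `--sport 34846`) or show two deleted entries. The mark=10 on the deleted entry does follow correctly from the preceding update example, so that part of the change is consistent.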