.\" lh | 9ed821d | 2023-04-07 01:36:19 -0700
This module, when combined with connection tracking, allows access to the
connection tracking state for this packet/connection.
.TP
[\fB!\fR] \fB\-\-ctstate\fP \fIstatelist\fP
\fIstatelist\fR is a comma separated list of the connection states to match.
Possible states are listed below.
.TP
[\fB!\fR] \fB\-\-ctproto\fP \fIl4proto\fP
Layer-4 protocol to match (by number or name).
.TP
[\fB!\fR] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
[\fB!\fR] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
[\fB!\fR] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
[\fB!\fR] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
Match against original/reply source/destination address.
.TP
[\fB!\fR] \fB\-\-ctorigsrcport\fP \fIport\fP
.TP
[\fB!\fR] \fB\-\-ctorigdstport\fP \fIport\fP
.TP
[\fB!\fR] \fB\-\-ctreplsrcport\fP \fIport\fP
.TP
[\fB!\fR] \fB\-\-ctrepldstport\fP \fIport\fP
Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
.TP
[\fB!\fR] \fB\-\-ctstatus\fP \fIstatuslist\fP
\fIstatuslist\fR is a comma separated list of the connection statuses to match.
Possible statuses are listed below.
.TP
[\fB!\fR] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP]
Match remaining lifetime in seconds against the given value or range of values
(inclusive).
.TP
\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
Match packets that are flowing in the specified direction. If this flag is not
specified at all, matches packets in both directions.
.PP
States for \fB\-\-ctstate\fP:
.TP
\fBINVALID\fR
meaning that the packet is associated with no known connection.
.TP
\fBNEW\fR
meaning that the packet has started a new connection, or is otherwise associated
with a connection which has not seen packets in both directions.
.TP
\fBESTABLISHED\fR
meaning that the packet is associated with a connection which has seen packets
in both directions.
.TP
\fBRELATED\fR
meaning that the packet is starting a new connection, but is associated with an
existing connection, such as an FTP data transfer, or an ICMP error.
.TP
\fBSNAT\fR
A virtual state, matching if the original source address differs from the reply
destination.
.TP
\fBDNAT\fR
A virtual state, matching if the original destination differs from the reply
source.
.PP
Statuses for \fB\-\-ctstatus\fP:
.TP
\fBNONE\fR
None of the below.
.TP
\fBEXPECTED\fR
This is an expected connection (i.e. a conntrack helper set it up).
.TP
\fBSEEN_REPLY\fR
Conntrack has seen packets in both directions.
.TP
\fBASSURED\fR
Conntrack entry should never be early-expired.
.TP
\fBCONFIRMED\fR
Connection is confirmed: originating packet has left box.
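.PP
Added example, not part of this man page or of the iptables sources: a minimal stateful IPv4 ruleset in \fBiptables-restore\fP format that puts \fB\-\-ctstate\fP, \fB\-\-ctstatus\fP and \fB\-\-ctdir\fP to work. The published ports (22 and 21) and the reliance on an FTP conntrack helper are assumptions about a typical host; the \fBcheck_ruleset\fP function only parse-checks the ruleset when \fBiptables-restore\fP is installed.

```shell
#!/bin/sh
# Added example, not from the iptables man page or sources. Shows the
# conntrack match in a minimal stateful IPv4 firewall. Port numbers (22, 21)
# and the FTP helper expectation are assumptions about a typical host.
set -eu

# Emit the ruleset in iptables-restore format.
conntrack_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# INVALID: conntrack could not associate the packet with any connection
# (bad TCP flags, out-of-window segments, unsolicited replies). Dropping it
# first keeps such packets from matching any later rule that does not itself
# check the conntrack state.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ESTABLISHED: replies and follow-on packets of connections already allowed.
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# RELATED: new connections tied to an existing one. Limiting TCP to entries
# a helper explicitly expected (--ctstatus EXPECTED) narrows what a helper
# such as nf_conntrack_ftp can open; ICMP errors are RELATED without it.
-A INPUT -p tcp -m conntrack --ctstate RELATED --ctstatus EXPECTED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
# NEW: only the published services, and only packets flowing in the
# original direction of the connection (--ctdir ORIGINAL).
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW --ctdir ORIGINAL -j ACCEPT
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW --ctdir ORIGINAL -j ACCEPT
# Everything else falls through to the chain policy (DROP).
COMMIT
EOF
}

# Parse-check the ruleset without committing it: iptables-restore --test
# parses and builds the ruleset but does not load it (it may still need
# root). When the tool is absent, e.g. on a build box, the check is skipped.
check_ruleset() {
  if command -v iptables-restore >/dev/null 2>&1; then
    conntrack_ruleset | iptables-restore --test
  else
    echo "iptables-restore not found; skipping parse check" >&2
  fi
}

# Number of rules that use the conntrack match, for a quick sanity check.
count_conntrack_rules() {
  conntrack_ruleset | grep -c -- '-m conntrack'
}

check_ruleset
```

To load the ruleset for real, pipe \fBconntrack_ruleset\fP into \fBiptables-restore\fP as root. Rule order matters: the INVALID drop and the ESTABLISHED accept come before any NEW rule so that only the first packet of each allowed connection is evaluated against the service list, and every later packet is handled by its conntrack state.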