• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1This module, when combined with connection tracking, allows access to the
2connection tracking state for this packet/connection.
3.TP
4[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP
5\fIstatelist\fP is a comma separated list of the connection states to match.
6Possible states are listed below.
7.TP
8[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP
9Layer-4 protocol to match (by number or name)
10.TP
11[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
12.TP
13[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
14.TP
15[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
16.TP
17[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
18Match against original/reply source/destination address
19.TP
20[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
21.TP
22[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP]
23.TP
24[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
25.TP
26[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP]
27Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
28Matching against port ranges is only supported in kernel versions above 2.6.38.
29.TP
30[\fB!\fP] \fB\-\-ctstatus\fP \fIstatelist\fP
31\fIstatuslist\fP is a comma separated list of the connection statuses to match.
32Possible statuses are listed below.
33.TP
34[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP]
35Match remaining lifetime in seconds against given value or range of values
36(inclusive)
37.TP
38\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
39Match packets that are flowing in the specified direction. If this flag is not
40specified at all, matches packets in both directions.
41.PP
42States for \fB\-\-ctstate\fP:
43.TP
44\fBINVALID\fP
45The packet is associated with no known connection.
46.TP
47\fBNEW\fP
48The packet has started a new connection or otherwise associated
49with a connection which has not seen packets in both directions.
50.TP
51\fBESTABLISHED\fP
52The packet is associated with a connection which has seen packets
53in both directions.
54.TP
55\fBRELATED\fP
56The packet is starting a new connection, but is associated with an
57existing connection, such as an FTP data transfer or an ICMP error.
58.TP
59\fBUNTRACKED\fP
60The packet is not tracked at all, which happens if you explicitly untrack it
61by using \-j CT \-\-notrack in the raw table.
62.TP
63\fBSNAT\fP
64A virtual state, matching if the original source address differs from the reply
65destination.
66.TP
67\fBDNAT\fP
68A virtual state, matching if the original destination differs from the reply
69source.
70.PP
71Statuses for \fB\-\-ctstatus\fP:
72.TP
73\fBNONE\fP
74None of the below.
75.TP
76\fBEXPECTED\fP
77This is an expected connection (i.e. a conntrack helper set it up).
78.TP
79\fBSEEN_REPLY\fP
80Conntrack has seen packets in both directions.
81.TP
82\fBASSURED\fP
83Conntrack entry should never be early-expired.
84.TP
85\fBCONFIRMED\fP
86Connection is confirmed: originating packet has left box.
87