extensions/libxt_conntrack.man - platform/external/iptables - Git at Google

 This module, when combined with connection tracking, allows access to the
 connection tracking state for this packet/connection.
 .TP
 [\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP
 \fIstatelist\fP is a comma separated list of the connection states to match.
 Possible states are listed below.
 .TP
 [\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP
 Layer-4 protocol to match (by number or name)
 .TP
 [\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
 .TP
 [\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
 .TP
 [\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
 .TP
 [\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
 Match against original/reply source/destination address
 .TP
 [\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
 .TP
 [\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP]
 .TP
 [\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
 .TP
 [\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP]
 Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
 Matching against port ranges is only supported in kernel versions above 2.6.38.
 .TP
 [\fB!\fP] \fB\-\-ctstatus\fP \fIstatelist\fP
 \fIstatuslist\fP is a comma separated list of the connection statuses to match.
 Possible statuses are listed below.
 .TP
 [\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP]
 Match remaining lifetime in seconds against given value or range of values
 (inclusive)
 .TP
 \fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
 Match packets that are flowing in the specified direction. If this flag is not
 specified at all, matches packets in both directions.
 .PP
 States for \fB\-\-ctstate\fP:
 .TP
 \fBINVALID\fP
 meaning that the packet is associated with no known connection
 .TP
 \fBNEW\fP
 meaning that the packet has started a new connection, or otherwise associated
 with a connection which has not seen packets in both directions, and
 .TP
 \fBESTABLISHED\fP
 meaning that the packet is associated with a connection which has seen packets
 in both directions,
 .TP
 \fBRELATED\fP
 meaning that the packet is starting a new connection, but is associated with an
 existing connection, such as an FTP data transfer, or an ICMP error.
 .TP
 \fBUNTRACKED\fP
 meaning that the packet is not tracked at all, which happens if you use
 the NOTRACK target in raw table.
 .TP
 \fBSNAT\fP
 A virtual state, matching if the original source address differs from the reply
 destination.
 .TP
 \fBDNAT\fP
 A virtual state, matching if the original destination differs from the reply
 source.
 .PP
 Statuses for \fB\-\-ctstatus\fP:
 .TP
 \fBNONE\fP
 None of the below.
 .TP
 \fBEXPECTED\fP
 This is an expected connection (i.e. a conntrack helper set it up)
 .TP
 \fBSEEN_REPLY\fP
 Conntrack has seen packets in both directions.
 .TP
 \fBASSURED\fP
 Conntrack entry should never be early-expired.
 .TP
 \fBCONFIRMED\fP
 Connection is confirmed: originating packet has left box.
	This module, when combined with connection tracking, allows access to the
	connection tracking state for this packet/connection.
	.TP
	[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP
	\fIstatelist\fP is a comma separated list of the connection states to match.
	Possible states are listed below.
	.TP
	[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP
	Layer-4 protocol to match (by number or name)
	.TP
	[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
	.TP
	[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
	.TP
	[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
	.TP
	[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
	Match against original/reply source/destination address
	.TP
	[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
	.TP
	[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP]
	.TP
	[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
	.TP
	[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP]
	Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
	Matching against port ranges is only supported in kernel versions above 2.6.38.
	.TP
	[\fB!\fP] \fB\-\-ctstatus\fP \fIstatelist\fP
	\fIstatuslist\fP is a comma separated list of the connection statuses to match.
	Possible statuses are listed below.
	.TP
	[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP]
	Match remaining lifetime in seconds against given value or range of values
	(inclusive)
	.TP
	\fB\-\-ctdir\fP {\fBORIGINAL\fP\|\fBREPLY\fP}
	Match packets that are flowing in the specified direction. If this flag is not
	specified at all, matches packets in both directions.
	.PP
	States for \fB\-\-ctstate\fP:
	.TP
	\fBINVALID\fP
	meaning that the packet is associated with no known connection
	.TP
	\fBNEW\fP
	meaning that the packet has started a new connection, or otherwise associated
	with a connection which has not seen packets in both directions, and
	.TP
	\fBESTABLISHED\fP
	meaning that the packet is associated with a connection which has seen packets
	in both directions,
	.TP
	\fBRELATED\fP
	meaning that the packet is starting a new connection, but is associated with an
	existing connection, such as an FTP data transfer, or an ICMP error.
	.TP
	\fBUNTRACKED\fP
	meaning that the packet is not tracked at all, which happens if you use
	the NOTRACK target in raw table.
	.TP
	\fBSNAT\fP
	A virtual state, matching if the original source address differs from the reply
	destination.
	.TP
	\fBDNAT\fP
	A virtual state, matching if the original destination differs from the reply
	source.
	.PP
	Statuses for \fB\-\-ctstatus\fP:
	.TP
	\fBNONE\fP
	None of the below.
	.TP
	\fBEXPECTED\fP
	This is an expected connection (i.e. a conntrack helper set it up)
	.TP
	\fBSEEN_REPLY\fP
	Conntrack has seen packets in both directions.
	.TP
	\fBASSURED\fP
	Conntrack entry should never be early-expired.
	.TP
	\fBCONFIRMED\fP
	Connection is confirmed: originating packet has left box.