libxt_conntrack.man revision a8ad34cf11540d147b8aded6826a1452841d2aa7
This module, when combined with connection tracking, allows access to the
connection tracking state for this packet/connection.
.TP
[\fB!\fR] \fB--ctstate\fR \fIstatelist\fR
\fIstatelist\fR is a comma-separated list of the connection states to match.
Possible states are listed below.
.TP
[\fB!\fR] \fB--ctproto\fR \fIl4proto\fR
Layer-4 protocol to match (by number or name).
.TP
[\fB!\fR] \fB--ctorigsrc\fR \fIaddress\fR[\fB/\fR\fImask\fR]
.TP
[\fB!\fR] \fB--ctorigdst\fR \fIaddress\fR[\fB/\fR\fImask\fR]
.TP
[\fB!\fR] \fB--ctreplsrc\fR \fIaddress\fR[\fB/\fR\fImask\fR]
.TP
[\fB!\fR] \fB--ctrepldst\fR \fIaddress\fR[\fB/\fR\fImask\fR]
Match against original/reply source/destination address.
.TP
[\fB!\fR] \fB--ctorigsrcport\fR \fIport\fR
.TP
[\fB!\fR] \fB--ctorigdstport\fR \fIport\fR
.TP
[\fB!\fR] \fB--ctreplsrcport\fR \fIport\fR
.TP
[\fB!\fR] \fB--ctrepldstport\fR \fIport\fR
Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
.TP
[\fB!\fR] \fB--ctstatus\fR \fIstatuslist\fR
\fIstatuslist\fR is a comma-separated list of the connection statuses to match.
Possible statuses are listed below.
.TP
[\fB!\fR] \fB--ctexpire\fR \fItime\fR[\fB:\fR\fItime\fR]
Match remaining lifetime in seconds against given value or range of values
(inclusive).
.TP
\fB--ctdir\fR {\fBORIGINAL\fR|\fBREPLY\fR}
Match packets that are flowing in the specified direction. If this flag is not
specified at all, matches packets in both directions.
.PP
States for \fB--ctstate\fR:
.TP
\fBINVALID\fR
meaning that the packet is associated with no known connection.
.TP
\fBNEW\fR
meaning that the packet has started a new connection, or is otherwise associated
with a connection which has not seen packets in both directions.
.TP
\fBESTABLISHED\fR
meaning that the packet is associated with a connection which has seen packets
in both directions.
.TP
\fBRELATED\fR
meaning that the packet is starting a new connection, but is associated with an
existing connection, such as an FTP data transfer, or an ICMP error.
.TP
\fBSNAT\fR
A virtual state, matching if the original source address differs from the reply
destination.
.TP
\fBDNAT\fR
A virtual state, matching if the original destination differs from the reply
source.
.PP
Statuses for \fB--ctstatus\fR:
.TP
\fBNONE\fR
None of the below.
.TP
\fBEXPECTED\fR
This is an expected connection (i.e. a conntrack helper set it up).
.TP
\fBSEEN_REPLY\fR
Conntrack has seen packets in both directions.
.TP
\fBASSURED\fR
Conntrack entry should never be early-expired.
.TP
\fBCONFIRMED\fR
Connection is confirmed: originating packet has left box.
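A stateful ruleset built from the options and states listed above, as an added example that is not part of this man page or the iptables source. The function name, the IPT variable, the interface eth0, ports 22 and 443, and the existence of a nat-table DNAT rule are assumptions.

```shell
#!/bin/sh
# Added example, not from the iptables project. Hypothetical: function name,
# IPT variable, interface eth0, ports 22 and 443.
set -e                    # abort on the first rule that fails to load
IPT="${IPT:-iptables}"    # IPT=echo prints the rules instead of loading them

apply_conntrack_policy() {
    wan_if="${1:-eth0}"   # assumed name of the untrusted interface

    "$IPT" -A INPUT -i lo -j ACCEPT

    # INVALID first: packets tied to no known connection never reach
    # the broader accept rules below.
    "$IPT" -A INPUT   -m conntrack --ctstate INVALID -j DROP
    "$IPT" -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # A statelist matches when ANY listed state applies: traffic on
    # two-way connections, plus RELATED traffic such as ICMP errors.
    "$IPT" -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only connection-opening packets are checked against service rules.
    "$IPT" -A INPUT -i "$wan_if" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Virtual DNAT state: forward from the WAN only what a nat-table DNAT
    # rule (assumed to exist, not shown) rewrote, and only when the port the
    # client originally dialled was 443. Options within one match are ANDed.
    "$IPT" -A FORWARD -i "$wan_if" \
        -m conntrack --ctstate DNAT --ctproto tcp --ctorigdstport 443 -j ACCEPT

    # Inside hosts may open new connections outward.
    "$IPT" -A FORWARD ! -i "$wan_if" -m conntrack --ctstate NEW -j ACCEPT

    # Everything else is dropped.
    "$IPT" -A INPUT   -j DROP
    "$IPT" -A FORWARD -j DROP
}
```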