This module, when combined with connection tracking, allows access to the
connection tracking state for this packet/connection.
[\fB!\fR] \fB--ctstate\fR \fIstatelist\fR
\fIstatelist\fR is a comma separated list of the connection states to match.
Possible states are listed below.
[\fB!\fR] \fB--ctproto\fR \fIl4proto\fR
Layer-4 protocol to match (by number or name)
[\fB!\fR] \fB--ctorigsrc\fR \fIaddress\fR[\fB/\fR\fImask\fR]
[\fB!\fR] \fB--ctorigdst\fR \fIaddress\fR[\fB/\fR\fImask\fR]
[\fB!\fR] \fB--ctreplsrc\fR \fIaddress\fR[\fB/\fR\fImask\fR]
[\fB!\fR] \fB--ctrepldst\fR \fIaddress\fR[\fB/\fR\fImask\fR]
Match against original/reply source/destination address
[\fB!\fR] \fB--ctorigsrcport\fR \fIport\fR
[\fB!\fR] \fB--ctorigdstport\fR \fIport\fR
[\fB!\fR] \fB--ctreplsrcport\fR \fIport\fR
[\fB!\fR] \fB--ctrepldstport\fR \fIport\fR
Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
[\fB!\fR] \fB--ctstatus\fR \fIstatuslist\fR
\fIstatuslist\fR is a comma separated list of the connection statuses to match.
Possible statuses are listed below.
[\fB!\fR] \fB--ctexpire\fR \fItime\fR[\fB:\fR\fItime\fR]
Match remaining lifetime in seconds against given value or range of values
\fB--ctdir\fR {\fBORIGINAL\fR|\fBREPLY\fR}
Match packets that are flowing in the specified direction. If this flag is not
specified at all, matches packets in both directions.
States for \fB--ctstate\fR:
meaning that the packet is associated with no known connection
meaning that the packet has started a new connection, or otherwise associated
with a connection which has not seen packets in both directions, and
meaning that the packet is associated with a connection which has seen packets
meaning that the packet is starting a new connection, but is associated with an
existing connection, such as an FTP data transfer, or an ICMP error.
A virtual state, matching if the original source address differs from the reply
A virtual state, matching if the original destination differs from the reply
Statuses for \fB--ctstatus\fR:
This is an expected connection (i.e. a conntrack helper set it up)
Conntrack has seen packets in both directions.
Conntrack entry should never be early-expired.
Connection is confirmed: originating packet has left box.
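
Added example, not part of the original manual page: a shell function that prints an iptables-restore ruleset built on \fB--ctstate\fR, dropping untracked packets first, accepting tracked traffic, and opening only the listed TCP ports to new connections. The function name emit_ruleset, the port arguments and the chain policies are assumptions; INVALID, ESTABLISHED, RELATED, NEW and DNAT are the state keywords iptables accepts for \fB--ctstate\fR.

```shell
#!/bin/sh
# Added example: emit_ruleset and its arguments are hypothetical, not from the page.
# Usage: emit_ruleset 22 443 | iptables-restore --test   (parse only, no commit)

emit_ruleset() {
    # Validate every port before printing anything, so a bad argument can
    # never leave a half-written ruleset on the pipe.
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2
            return 1
        fi
    done

    # Order matters: INVALID is dropped before any ACCEPT can see the packet.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Only the first packet of a connection (state NEW) needs a per-port rule.
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # FORWARD: besides tracked traffic, admit only connections whose original
    # destination was rewritten (virtual state DNAT), i.e. configured forwards.
    cat <<'EOF'
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}
```
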