This module, when combined with connection tracking, allows access to the
connection tracking state for this packet/connection.
.TP
[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP
\fIstatelist\fP is a comma-separated list of the connection states to match.
Possible states are listed below.
.TP
[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP
Layer-4 protocol to match (by number or name).
.TP
[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP]
.TP
[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP]
Match against original/reply source/destination address.
.TP
[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP]
.TP
[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP]
Match against original/reply source/destination port (TCP/UDP/etc.) or GRE key.
Matching against port ranges is only supported in kernel versions above 2.6.38.
.TP
[\fB!\fP] \fB\-\-ctstatus\fP \fIstatuslist\fP
\fIstatuslist\fP is a comma-separated list of the connection statuses to match.
Possible statuses are listed below.
.TP
[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP]
Match remaining lifetime in seconds against given value or range of values
(inclusive).
.TP
\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP}
Match packets that are flowing in the specified direction. If this flag is not
specified at all, matches packets in both directions.
.PP
States for \fB\-\-ctstate\fP:
.TP
\fBINVALID\fP
The packet is associated with no known connection.
.TP
\fBNEW\fP
The packet has started a new connection, or is otherwise associated
with a connection which has not seen packets in both directions.
.TP
\fBESTABLISHED\fP
The packet is associated with a connection which has seen packets
in both directions.
.TP
\fBRELATED\fP
The packet is starting a new connection, but is associated with an
existing connection, such as an FTP data transfer, or an ICMP error.
.TP
\fBUNTRACKED\fP
The packet is not tracked at all, which happens if you explicitly untrack it
by using \-j CT \-\-notrack in the raw table.
.TP
\fBSNAT\fP
A virtual state, matching if the original source address differs from the reply
destination.
.TP
\fBDNAT\fP
A virtual state, matching if the original destination differs from the reply
source.
.PP
Statuses for \fB\-\-ctstatus\fP:
.TP
\fBNONE\fP
None of the below.
.TP
\fBEXPECTED\fP
This is an expected connection (i.e. a conntrack helper set it up).
.TP
\fBSEEN_REPLY\fP
Conntrack has seen packets in both directions.
.TP
\fBASSURED\fP
Conntrack entry should never be early-expired.
.TP
\fBCONFIRMED\fP
Connection is confirmed: originating packet has left the box.
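.PP
An added example, not part of this manual page or of the iptables sources: a small auditor that reads connection-table entries and reports which would be selected by given \-\-ctstate, \-\-ctstatus and \-\-ctexpire values, using the SNAT/DNAT, NEW/ESTABLISHED, SEEN_REPLY and ASSURED definitions above. It assumes entries in the layout printed by conntrack \-L, the sample lines are constructed, and all function names are hypothetical; RELATED, INVALID, UNTRACKED and the other statuses cannot be read from such a listing and are not derived.

```python
import re

# Constructed sample in the layout of `conntrack -L` output (not captured traffic).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51234 dport=443 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=198.51.100.9 dst=203.0.113.5 sport=40112 dport=8080 [UNREPLIED] src=10.0.0.20 dst=198.51.100.9 sport=80 dport=40112 mark=0 use=1
udp      17 25 src=10.0.0.5 dst=10.0.0.1 sport=40000 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=40000 mark=0 use=1
"""

def parse_entry(line):
    """Split one entry into protocol, remaining lifetime, both tuples and flags."""
    fields = line.split()
    kv = re.findall(r"\b(src|dst|sport|dport)=(\S+)", line)
    half = len(kv) // 2  # first half is the original tuple, second half the reply
    return {"proto": fields[0], "expire": int(fields[2]),
            "orig": dict(kv[:half]), "repl": dict(kv[half:]),
            "flags": set(re.findall(r"\[(\w+)\]", line))}

def ctstates(e):
    """--ctstate names this entry's packets would carry, per the definitions above."""
    states = {"NEW" if "UNREPLIED" in e["flags"] else "ESTABLISHED"}
    if e["orig"]["src"] != e["repl"]["dst"]:
        states.add("SNAT")  # original source differs from reply destination
    if e["orig"]["dst"] != e["repl"]["src"]:
        states.add("DNAT")  # original destination differs from reply source
    return states

def ctstatuses(e):
    """--ctstatus names derivable from the listing: SEEN_REPLY and ASSURED only."""
    seen = set() if "UNREPLIED" in e["flags"] else {"SEEN_REPLY"}
    return seen | (e["flags"] & {"ASSURED"})

def matches(e, ctstate=None, ctstatus=None, ctexpire=None):
    """True if every given option matches; a list matches on any one member."""
    if ctstate and not set(ctstate.split(",")) & ctstates(e):
        return False
    if ctstatus and not set(ctstatus.split(",")) & ctstatuses(e):
        return False
    lo, hi = ctexpire or (0, e["expire"])  # inclusive range of remaining seconds
    return lo <= e["expire"] <= hi

def audit(text, **rule):
    """Return the parsed entries that the given option values would select."""
    entries = [parse_entry(l) for l in text.splitlines() if l.strip()]
    return [e for e in entries if matches(e, **rule)]

if __name__ == "__main__":
    for e in audit(SAMPLE, ctstate="SNAT,DNAT"):
        print(e["proto"], e["orig"], sorted(ctstates(e)))
```

Running it lists the two NATed flows in the sample; a port forward that nobody expected shows up as a DNAT entry whose reply source is an internal address.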