1*a71a9546SAutomerger Merge WorkerThis module, when combined with connection tracking, allows access to the 2*a71a9546SAutomerger Merge Workerconnection tracking state for this packet/connection. 3*a71a9546SAutomerger Merge Worker.TP 4*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-ctstate\fP \fIstatelist\fP 5*a71a9546SAutomerger Merge Worker\fIstatelist\fP is a comma separated list of the connection states to match. 6*a71a9546SAutomerger Merge WorkerPossible states are listed below. 7*a71a9546SAutomerger Merge Worker.TP 8*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-ctproto\fP \fIl4proto\fP 9*a71a9546SAutomerger Merge WorkerLayer-4 protocol to match (by number or name) 10*a71a9546SAutomerger Merge Worker.TP 11*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-ctorigsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] 12*a71a9546SAutomerger Merge Worker.TP 13*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-ctorigdst\fP \fIaddress\fP[\fB/\fP\fImask\fP] 14*a71a9546SAutomerger Merge Worker.TP 15*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-ctreplsrc\fP \fIaddress\fP[\fB/\fP\fImask\fP] 16*a71a9546SAutomerger Merge Worker.TP 17*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-ctrepldst\fP \fIaddress\fP[\fB/\fP\fImask\fP] 18*a71a9546SAutomerger Merge WorkerMatch against original/reply source/destination address 19*a71a9546SAutomerger Merge Worker.TP 20*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-ctorigsrcport\fP \fIport\fP[\fB:\fP\fIport\fP] 21*a71a9546SAutomerger Merge Worker.TP 22*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-ctorigdstport\fP \fIport\fP[\fB:\fP\fIport\fP] 23*a71a9546SAutomerger Merge Worker.TP 24*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-ctreplsrcport\fP \fIport\fP[\fB:\fP\fIport\fP] 25*a71a9546SAutomerger Merge Worker.TP 26*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-ctrepldstport\fP \fIport\fP[\fB:\fP\fIport\fP] 27*a71a9546SAutomerger Merge WorkerMatch against original/reply source/destination port (TCP/UDP/etc.) or GRE key. 28*a71a9546SAutomerger Merge WorkerMatching against port ranges is only supported in kernel versions above 2.6.38. 29*a71a9546SAutomerger Merge Worker.TP 30*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-ctstatus\fP \fIstatelist\fP 31*a71a9546SAutomerger Merge Worker\fIstatuslist\fP is a comma separated list of the connection statuses to match. 32*a71a9546SAutomerger Merge WorkerPossible statuses are listed below. 33*a71a9546SAutomerger Merge Worker.TP 34*a71a9546SAutomerger Merge Worker[\fB!\fP] \fB\-\-ctexpire\fP \fItime\fP[\fB:\fP\fItime\fP] 35*a71a9546SAutomerger Merge WorkerMatch remaining lifetime in seconds against given value or range of values 36*a71a9546SAutomerger Merge Worker(inclusive) 37*a71a9546SAutomerger Merge Worker.TP 38*a71a9546SAutomerger Merge Worker\fB\-\-ctdir\fP {\fBORIGINAL\fP|\fBREPLY\fP} 39*a71a9546SAutomerger Merge WorkerMatch packets that are flowing in the specified direction. If this flag is not 40*a71a9546SAutomerger Merge Workerspecified at all, matches packets in both directions. 41*a71a9546SAutomerger Merge Worker.PP 42*a71a9546SAutomerger Merge WorkerStates for \fB\-\-ctstate\fP: 43*a71a9546SAutomerger Merge Worker.TP 44*a71a9546SAutomerger Merge Worker\fBINVALID\fP 45*a71a9546SAutomerger Merge WorkerThe packet is associated with no known connection. 46*a71a9546SAutomerger Merge Worker.TP 47*a71a9546SAutomerger Merge Worker\fBNEW\fP 48*a71a9546SAutomerger Merge WorkerThe packet has started a new connection or otherwise associated 49*a71a9546SAutomerger Merge Workerwith a connection which has not seen packets in both directions. 50*a71a9546SAutomerger Merge Worker.TP 51*a71a9546SAutomerger Merge Worker\fBESTABLISHED\fP 52*a71a9546SAutomerger Merge WorkerThe packet is associated with a connection which has seen packets 53*a71a9546SAutomerger Merge Workerin both directions. 54*a71a9546SAutomerger Merge Worker.TP 55*a71a9546SAutomerger Merge Worker\fBRELATED\fP 56*a71a9546SAutomerger Merge WorkerThe packet is starting a new connection, but is associated with an 57*a71a9546SAutomerger Merge Workerexisting connection, such as an FTP data transfer or an ICMP error. 58*a71a9546SAutomerger Merge Worker.TP 59*a71a9546SAutomerger Merge Worker\fBUNTRACKED\fP 60*a71a9546SAutomerger Merge WorkerThe packet is not tracked at all, which happens if you explicitly untrack it 61*a71a9546SAutomerger Merge Workerby using \-j CT \-\-notrack in the raw table. 62*a71a9546SAutomerger Merge Worker.TP 63*a71a9546SAutomerger Merge Worker\fBSNAT\fP 64*a71a9546SAutomerger Merge WorkerA virtual state, matching if the original source address differs from the reply 65*a71a9546SAutomerger Merge Workerdestination. 66*a71a9546SAutomerger Merge Worker.TP 67*a71a9546SAutomerger Merge Worker\fBDNAT\fP 68*a71a9546SAutomerger Merge WorkerA virtual state, matching if the original destination differs from the reply 69*a71a9546SAutomerger Merge Workersource. 70*a71a9546SAutomerger Merge Worker.PP 71*a71a9546SAutomerger Merge WorkerStatuses for \fB\-\-ctstatus\fP: 72*a71a9546SAutomerger Merge Worker.TP 73*a71a9546SAutomerger Merge Worker\fBNONE\fP 74*a71a9546SAutomerger Merge WorkerNone of the below. 75*a71a9546SAutomerger Merge Worker.TP 76*a71a9546SAutomerger Merge Worker\fBEXPECTED\fP 77*a71a9546SAutomerger Merge WorkerThis is an expected connection (i.e. a conntrack helper set it up). 78*a71a9546SAutomerger Merge Worker.TP 79*a71a9546SAutomerger Merge Worker\fBSEEN_REPLY\fP 80*a71a9546SAutomerger Merge WorkerConntrack has seen packets in both directions. 81*a71a9546SAutomerger Merge Worker.TP 82*a71a9546SAutomerger Merge Worker\fBASSURED\fP 83*a71a9546SAutomerger Merge WorkerConntrack entry should never be early-expired. 84*a71a9546SAutomerger Merge Worker.TP 85*a71a9546SAutomerger Merge Worker\fBCONFIRMED\fP 86*a71a9546SAutomerger Merge WorkerConnection is confirmed: originating packet has left box. 87