Man page - tc-ct(8)
| ct action in tc(8) | Linux | ct action in tc(8) |
NAME
ct - tc connection tracking action
SYNOPSIS
tc ... action ct commit [ force ] [ zone ZONE ] [ mark MASKED_MARK ] [ label MASKED_LABEL ] [ nat NAT_SPEC ]
tc ... action ct [ nat ] [ zone ZONE ]
tc ... action ct clear
DESCRIPTION
The ct action is a tc action for sending packets to, and interacting with, the netfilter conntrack module.
It can (as shown in the synopsis, in order):
- Send the packet to conntrack and commit the connection, while configuring a 32-bit mark, a 128-bit label, and src/dst nat.
- Send the packet to conntrack, which will mark the packet with the connection's state and configured metadata (mark/label), and execute previously configured nat.
- Clear the packet's previous connection tracking state.
OPTIONS
- zone ZONE
  Specify a conntrack zone number on which to send the packet to conntrack.
- mark MASKED_MARK
  Specify a masked 32-bit mark to set for the connection (only valid with commit).
- label MASKED_LABEL
  Specify a masked 128-bit label to set for the connection (only valid with commit).
- nat NAT_SPEC
  where NAT_SPEC := {src|dst} addr addr1[-addr2] [port port1[-port2]]
  Specify src/dst and the range of nat to configure for the connection (only valid with commit).
  - src/dst - configure src or dst nat
  - addr1/addr2 - IPv4/IPv6 addresses
  - port1/port2 - port numbers
- nat
  Restore any previously configured nat.
- clear
  Remove any conntrack state and metadata (mark/label) from the packet (must be the only option specified).
- force
  Forces the conntrack direction for a previously committed connection, so that the current direction becomes the original direction (only valid with commit).
EXAMPLES
Example showing a natted firewall in conntrack zone 2, and conntrack mark usage:

    # Add ingress qdisc on eth0 and eth1 interfaces
    $ tc qdisc add dev eth0 ingress
    $ tc qdisc add dev eth1 ingress

    # Setup filters on eth0, allowing opening new connections in zone 2,
    # and doing src nat + mark for each new connection
    $ tc filter add dev eth0 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \
        action ct zone 2 pipe action goto chain 2
    $ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new \
        action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1
    $ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \
        action ct nat pipe action mirred egress redirect dev eth1

    # Setup filters on eth1, allowing only established connections of zone 2 through,
    # and reverse nat (dst nat in this case)
    $ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \
        action ct zone 2 pipe action goto chain 1
    $ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \
        action ct nat pipe action mirred egress redirect dev eth0
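As an added illustration (not part of the iproute2 man page), a small Python model of the rule set above: it simulates conntrack commit, mark and src nat in memory and traces why replies arriving on eth1 are natted back and redirected while unsolicited connections from eth1 match nothing. The `packet`, `Conntrack` and `ingress` names are constructed for this example; the zone, mark and address are the ones from the example.

```python
from types import SimpleNamespace

ZONE, MARK, SNAT_ADDR = 2, 0xBB, "5.5.5.7"   # values from the EXAMPLES section

def packet(src, dst, sport, dport):
    """A constructed tcp packet carrying the fields that flower's ct_state / ct_mark matches look at."""
    return SimpleNamespace(src=src, dst=dst, sport=sport, dport=dport,
                           ct_state=set(), ct_mark=None, ct=None)   # ct = (entry, direction)

class Conntrack:
    def __init__(self):
        self.entries = []   # each committed entry keeps the original tuple and the post-nat reply tuple
    def act_ct(self, zone, pkt):
        """'action ct zone N': stamp the packet with connection state and the entry's mark."""
        tup = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        for e in self.entries:
            if e["zone"] == zone and tup in (e["orig"], e["reply"]):
                pkt.ct_state, pkt.ct_mark = {"trk", "est"}, e["mark"]
                pkt.ct = (e, "orig" if tup == e["orig"] else "reply")
                return
        pending = {"zone": zone, "orig": tup, "reply": None, "mark": None, "snat": None}
        pkt.ct_state, pkt.ct_mark, pkt.ct = {"trk", "new"}, None, (pending, "orig")   # not yet committed
    def act_ct_commit(self, pkt, mark, snat):
        """'action ct commit mark M nat src addr A': confirm the entry with its mark and src nat."""
        e, _ = pkt.ct
        e["mark"], e["snat"], pkt.ct_mark = mark, snat, mark
        e["reply"] = (pkt.dst, snat or pkt.src, pkt.dport, pkt.sport)   # replies arrive at the natted addr
        self.entries.append(e)
        self.act_ct_nat(pkt)
    def act_ct_nat(self, pkt):
        """'action ct nat': replay the nat set at commit, reversed on the reply direction."""
        e, direction = pkt.ct
        if e["snat"] is not None and direction == "orig":
            pkt.src = e["snat"]        # src nat on the original direction
        elif e["snat"] is not None:
            pkt.dst = e["orig"][0]     # reverse: dst nat back to the original source

def ingress(ct, dev, pkt):
    """Filters from the EXAMPLES section: eth0 may commit new connections, eth1 may not."""
    if "trk" not in pkt.ct_state:                                # chain 0: ct_state -trk -> ct zone 2
        ct.act_ct(ZONE, pkt)
    out = "redirect eth1" if dev == "eth0" else "redirect eth0"
    if dev == "eth0" and pkt.ct_state == {"trk", "new"}:         # eth0 chain 2: commit + mark + src nat
        ct.act_ct_commit(pkt, MARK, SNAT_ADDR)
        return out
    if pkt.ct_state == {"trk", "est"} and pkt.ct_mark == MARK:   # chain 1/2: +est with mark, replay nat
        ct.act_ct_nat(pkt)
        return out
    return "no match"                                            # unsolicited traffic on eth1 ends here
```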
SEE ALSO
tc(8), tc-flower(8), tc-mirred(8)
AUTHORS
Paul Blakey <paulb@mellanox.com>
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Yossi Kuperman <yossiku@mellanox.com>
| 14 May 2020 | iproute2 |