Family conntrack netlink specification

Summary

Netfilter connection tracking subsystem over nfnetlink

Operations

get

get / dump entries

attribute-set:

conntrack-attrs

fixed-header:

nfgenmsg

do:

request

attributes:

[tuple-orig, tuple-reply, zone]

reply

attributes:

[tuple-orig, tuple-reply, status, protoinfo, help, nat-src, nat-dst, timeout, mark, counter-orig, counter-reply, use, id, nat-dst, tuple-master, seq-adj-orig, seq-adj-reply, zone, secctx, labels, synproxy]

dump:

request

attributes:

[nfgen-family, mark, filter, status, zone]

reply

attributes:

[tuple-orig, tuple-reply, status, protoinfo, help, nat-src, nat-dst, timeout, mark, counter-orig, counter-reply, use, id, nat-dst, tuple-master, seq-adj-orig, seq-adj-reply, zone, secctx, labels, synproxy]

get-stats

dump pcpu conntrack stats

attribute-set:

conntrack-stats-attrs

fixed-header:

nfgenmsg

dump:

request

reply

attributes:

[searched, found, insert, insert-failed, drop, early-drop, error, search-restart, clash-resolve, chain-toolong]

Definitions

nfgenmsg

type:

struct

members:

nfgen-family (u8):

version (u8):

res-id (u16):

nf-ct-tcp-flags-mask

type:

struct

members:

flags (u8):

mask (u8):

nf-ct-tcp-flags

type:

flags

entries:

• window-scale

• sack-perm

• close-init

• be-liberal

• unacked

• maxack

• challenge-ack

• simultaneous-open

nf-ct-tcp-state

type:

enum

entries:

• none

• syn-sent

• syn-recv

• established

• fin-wait

• close-wait

• last-ack

• time-wait

• close

• syn-sent2

• max

• ignore

• retrans

• unack

• timeout-max

nf-ct-sctp-state

type:

enum

entries:

• none

• cloned

• cookie-wait

• cookie-echoed

• established

• shutdown-sent

• shutdown-received

• shutdown-ack-sent

• shutdown-heartbeat-sent

nf-ct-status

type:

flags

entries:

• expected

• seen-reply

• assured

• confirmed

• src-nat

• dst-nat

• seq-adj

• src-nat-done

• dst-nat-done

• dying

• fixed-timeout

• template

• nat-clash

• helper

• offload

• hw-offload

Attribute sets

counter-attrs

packets (u64)

byte-order:

big-endian

bytes (u64)

byte-order:

big-endian

packets-old (u32)

bytes-old (u32)

pad (pad)

tuple-proto-attrs

proto-num (u8)

doc:

l4 protocol number

proto-src-port (u16)

byte-order:

big-endian

doc:

l4 source port

proto-dst-port (u16)

byte-order:

big-endian

doc:

l4 source port

proto-icmp-id (u16)

byte-order:

big-endian

doc:

l4 icmp id

proto-icmp-type (u8)

proto-icmp-code (u8)

proto-icmpv6-id (u16)

byte-order:

big-endian

doc:

l4 icmp id

proto-icmpv6-type (u8)

proto-icmpv6-code (u8)

tuple-ip-attrs

ip-v4-src (u32)

byte-order:

big-endian

display-hint:

ipv4

doc:

ipv4 source address

ip-v4-dst (u32)

byte-order:

big-endian

display-hint:

ipv4

doc:

ipv4 destination address

ip-v6-src (binary)

byte-order:

big-endian

display-hint:

ipv6

doc:

ipv6 source address

ip-v6-dst (binary)

byte-order:

big-endian

display-hint:

ipv6

doc:

ipv6 destination address

tuple-attrs

tuple-ip (nest)

nested-attributes:

tuple-ip-attrs

doc:

conntrack l3 information

tuple-proto (nest)

nested-attributes:

tuple-proto-attrs

doc:

conntrack l4 information

tuple-zone (u16)

byte-order:

big-endian

doc:

conntrack zone id

protoinfo-tcp-attrs

tcp-state (u8)

enum:

nf-ct-tcp-state

doc:

tcp connection state

tcp-wscale-original (u8)

doc:

window scaling factor in original direction

tcp-wscale-reply (u8)

doc:

window scaling factor in reply direction

tcp-flags-original (binary)

struct:

nf-ct-tcp-flags-mask

tcp-flags-reply (binary)

struct:

nf-ct-tcp-flags-mask

protoinfo-dccp-attrs

dccp-state (u8)

doc:

dccp connection state

dccp-role (u8)

dccp-handshake-seq (u64)

byte-order:

big-endian

dccp-pad (pad)

protoinfo-sctp-attrs

sctp-state (u8)

doc:

sctp connection state

enum:

nf-ct-sctp-state

vtag-original (u32)

byte-order:

big-endian

vtag-reply (u32)

byte-order:

big-endian

protoinfo-attrs

protoinfo-tcp (nest)

nested-attributes:

protoinfo-tcp-attrs

doc:

conntrack tcp state information

protoinfo-dccp (nest)

nested-attributes:

protoinfo-dccp-attrs

doc:

conntrack dccp state information

protoinfo-sctp (nest)

nested-attributes:

protoinfo-sctp-attrs

doc:

conntrack sctp state information

help-attrs

help-name (string)

doc:

helper name

nat-proto-attrs

nat-port-min (u16)

byte-order:

big-endian

nat-port-max (u16)

byte-order:

big-endian

nat-attrs

nat-v4-minip (u32)

byte-order:

big-endian

nat-v4-maxip (u32)

byte-order:

big-endian

nat-v6-minip (binary)

nat-v6-maxip (binary)

nat-proto (nest)

nested-attributes:

nat-proto-attrs

seqadj-attrs

correction-pos (u32)

byte-order:

big-endian

offset-before (u32)

byte-order:

big-endian

offset-after (u32)

byte-order:

big-endian

secctx-attrs

secctx-name (string)

synproxy-attrs

isn (u32)

byte-order:

big-endian

its (u32)

byte-order:

big-endian

tsoff (u32)

byte-order:

big-endian

conntrack-attrs

tuple-orig (nest)

nested-attributes:

tuple-attrs

doc:

conntrack l3+l4 protocol information, original direction

tuple-reply (nest)

nested-attributes:

tuple-attrs

doc:

conntrack l3+l4 protocol information, reply direction

status (u32)

byte-order:

big-endian

enum:

nf-ct-status

enum-as-flags:

True

doc:

conntrack flag bits

protoinfo (nest)

nested-attributes:

protoinfo-attrs

help (nest)

nested-attributes:

help-attrs

nat-src (nest)

nested-attributes:

nat-attrs

timeout (u32)

byte-order:

big-endian

mark (u32)

byte-order:

big-endian

counters-orig (nest)

nested-attributes:

counter-attrs

counters-reply (nest)

nested-attributes:

counter-attrs

use (u32)

byte-order:

big-endian

id (u32)

byte-order:

big-endian

nat-dst (nest)

nested-attributes:

nat-attrs

tuple-master (nest)

nested-attributes:

tuple-attrs

seq-adj-orig (nest)

nested-attributes:

seqadj-attrs

seq-adj-reply (nest)

nested-attributes:

seqadj-attrs

secmark (binary)

doc:

obsolete

zone (u16)

byte-order:

big-endian

doc:

conntrack zone id

secctx (nest)

nested-attributes:

secctx-attrs

timestamp (u64)

byte-order:

big-endian

mark-mask (u32)

byte-order:

big-endian

labels (binary)

labels mask (binary)

synproxy (nest)

nested-attributes:

synproxy-attrs

filter (nest)

nested-attributes:

tuple-attrs

status-mask (u32)

byte-order:

big-endian

enum:

nf-ct-status

enum-as-flags:

True

doc:

conntrack flag bits to change

timestamp-event (u64)

byte-order:

big-endian

conntrack-stats-attrs

searched (u32)

byte-order:

big-endian

doc:

obsolete

found (u32)

byte-order:

big-endian

new (u32)

byte-order:

big-endian

doc:

obsolete

invalid (u32)

byte-order:

big-endian

doc:

obsolete

ignore (u32)

byte-order:

big-endian

doc:

obsolete

delete (u32)

byte-order:

big-endian

doc:

obsolete

delete-list (u32)

byte-order:

big-endian

doc:

obsolete

insert (u32)

byte-order:

big-endian

insert-failed (u32)

byte-order:

big-endian

drop (u32)

byte-order:

big-endian

early-drop (u32)

byte-order:

big-endian

error (u32)

byte-order:

big-endian

search-restart (u32)

byte-order:

big-endian

clash-resolve (u32)

byte-order:

big-endian

chain-toolong (u32)

byte-order:

big-endian