
Family conntrack netlink specification

Contents

  • Family conntrack netlink specification
    • Summary
    • Operations
      • get
      • get-stats
    • Definitions
      • nfgenmsg
      • nf-ct-tcp-flags-mask
      • nf-ct-tcp-flags
      • nf-ct-tcp-state
      • nf-ct-sctp-state
      • nf-ct-status
    • Attribute sets
      • counter-attrs
      • tuple-proto-attrs
      • tuple-ip-attrs
      • tuple-attrs
      • protoinfo-tcp-attrs
      • protoinfo-dccp-attrs
      • protoinfo-sctp-attrs
      • protoinfo-attrs
      • help-attrs
      • nat-proto-attrs
      • nat-attrs
      • seqadj-attrs
      • secctx-attrs
      • synproxy-attrs
      • conntrack-attrs
      • conntrack-stats-attrs
Summary

Netfilter connection tracking subsystem over nfnetlink

Operations

get

get / dump entries

attribute-set: conntrack-attrs
fixed-header: nfgenmsg
do:
  request attributes: [tuple-orig, tuple-reply, zone]
  reply attributes: [tuple-orig, tuple-reply, status, protoinfo, help, nat-src, nat-dst, timeout, mark, counter-orig, counter-reply, use, id, nat-dst, tuple-master, seq-adj-orig, seq-adj-reply, zone, secctx, labels, synproxy]
dump:
  request attributes: [nfgen-family, mark, filter, status, zone]
  reply attributes: [tuple-orig, tuple-reply, status, protoinfo, help, nat-src, nat-dst, timeout, mark, counter-orig, counter-reply, use, id, nat-dst, tuple-master, seq-adj-orig, seq-adj-reply, zone, secctx, labels, synproxy]

get-stats

dump pcpu conntrack stats

attribute-set: conntrack-stats-attrs
fixed-header: nfgenmsg
dump:
  request
  reply attributes: [searched, found, insert, insert-failed, drop, early-drop, error, search-restart, clash-resolve, chain-toolong]

Definitions

nfgenmsg

type: struct
members:
  • nfgen-family (u8)
  • version (u8)
  • res-id (u16)

nf-ct-tcp-flags-mask

type: struct
members:
  • flags (u8)
  • mask (u8)

nf-ct-tcp-flags

type: flags
entries:
  • window-scale
  • sack-perm
  • close-init
  • be-liberal
  • unacked
  • maxack
  • challenge-ack
  • simultaneous-open

nf-ct-tcp-state

type: enum
entries:
  • none
  • syn-sent
  • syn-recv
  • established
  • fin-wait
  • close-wait
  • last-ack
  • time-wait
  • close
  • syn-sent2
  • max
  • ignore
  • retrans
  • unack
  • timeout-max

nf-ct-sctp-state

type: enum
entries:
  • none
  • cloned
  • cookie-wait
  • cookie-echoed
  • established
  • shutdown-sent
  • shutdown-received
  • shutdown-ack-sent
  • shutdown-heartbeat-sent

nf-ct-status

type: flags
entries:
  • expected
  • seen-reply
  • assured
  • confirmed
  • src-nat
  • dst-nat
  • seq-adj
  • src-nat-done
  • dst-nat-done
  • dying
  • fixed-timeout
  • template
  • nat-clash
  • helper
  • offload
  • hw-offload

Attribute sets

counter-attrs

packets (u64)
  byte-order: big-endian

bytes (u64)
  byte-order: big-endian

packets-old (u32)

bytes-old (u32)

pad (pad)

tuple-proto-attrs

proto-num (u8)
  doc: l4 protocol number

proto-src-port (u16)
  byte-order: big-endian
  doc: l4 source port

proto-dst-port (u16)
  byte-order: big-endian
  doc: l4 destination port

proto-icmp-id (u16)
  byte-order: big-endian
  doc: l4 icmp id

proto-icmp-type (u8)

proto-icmp-code (u8)

proto-icmpv6-id (u16)
  byte-order: big-endian
  doc: l4 icmp id

proto-icmpv6-type (u8)

proto-icmpv6-code (u8)

tuple-ip-attrs

ip-v4-src (u32)
  byte-order: big-endian
  display-hint: ipv4
  doc: ipv4 source address

ip-v4-dst (u32)
  byte-order: big-endian
  display-hint: ipv4
  doc: ipv4 destination address

ip-v6-src (binary)
  byte-order: big-endian
  display-hint: ipv6
  doc: ipv6 source address

ip-v6-dst (binary)
  byte-order: big-endian
  display-hint: ipv6
  doc: ipv6 destination address

tuple-attrs

tuple-ip (nest)
  nested-attributes: tuple-ip-attrs
  doc: conntrack l3 information

tuple-proto (nest)
  nested-attributes: tuple-proto-attrs
  doc: conntrack l4 information

tuple-zone (u16)
  byte-order: big-endian
  doc: conntrack zone id

protoinfo-tcp-attrs

tcp-state (u8)
  enum: nf-ct-tcp-state
  doc: tcp connection state

tcp-wscale-original (u8)
  doc: window scaling factor in original direction

tcp-wscale-reply (u8)
  doc: window scaling factor in reply direction

tcp-flags-original (binary)
  struct: nf-ct-tcp-flags-mask

tcp-flags-reply (binary)
  struct: nf-ct-tcp-flags-mask

protoinfo-dccp-attrs

dccp-state (u8)
  doc: dccp connection state

dccp-role (u8)

dccp-handshake-seq (u64)
  byte-order: big-endian

dccp-pad (pad)

protoinfo-sctp-attrs

sctp-state (u8)
  doc: sctp connection state
  enum: nf-ct-sctp-state

vtag-original (u32)
  byte-order: big-endian

vtag-reply (u32)
  byte-order: big-endian

protoinfo-attrs

protoinfo-tcp (nest)
  nested-attributes: protoinfo-tcp-attrs
  doc: conntrack tcp state information

protoinfo-dccp (nest)
  nested-attributes: protoinfo-dccp-attrs
  doc: conntrack dccp state information

protoinfo-sctp (nest)
  nested-attributes: protoinfo-sctp-attrs
  doc: conntrack sctp state information

help-attrs

help-name (string)
  doc: helper name

nat-proto-attrs

nat-port-min (u16)
  byte-order: big-endian

nat-port-max (u16)
  byte-order: big-endian

nat-attrs

nat-v4-minip (u32)
  byte-order: big-endian

nat-v4-maxip (u32)
  byte-order: big-endian

nat-v6-minip (binary)

nat-v6-maxip (binary)

nat-proto (nest)
  nested-attributes: nat-proto-attrs

seqadj-attrs

correction-pos (u32)
  byte-order: big-endian

offset-before (u32)
  byte-order: big-endian

offset-after (u32)
  byte-order: big-endian

secctx-attrs

secctx-name (string)

synproxy-attrs

isn (u32)
  byte-order: big-endian

its (u32)
  byte-order: big-endian

tsoff (u32)
  byte-order: big-endian

conntrack-attrs

tuple-orig (nest)
  nested-attributes: tuple-attrs
  doc: conntrack l3+l4 protocol information, original direction

tuple-reply (nest)
  nested-attributes: tuple-attrs
  doc: conntrack l3+l4 protocol information, reply direction

status (u32)
  byte-order: big-endian
  enum: nf-ct-status
  enum-as-flags: True
  doc: conntrack flag bits

protoinfo (nest)
  nested-attributes: protoinfo-attrs

help (nest)
  nested-attributes: help-attrs

nat-src (nest)
  nested-attributes: nat-attrs

timeout (u32)
  byte-order: big-endian

mark (u32)
  byte-order: big-endian

counters-orig (nest)
  nested-attributes: counter-attrs

counters-reply (nest)
  nested-attributes: counter-attrs

use (u32)
  byte-order: big-endian

id (u32)
  byte-order: big-endian

nat-dst (nest)
  nested-attributes: nat-attrs

tuple-master (nest)
  nested-attributes: tuple-attrs

seq-adj-orig (nest)
  nested-attributes: seqadj-attrs

seq-adj-reply (nest)
  nested-attributes: seqadj-attrs

secmark (binary)
  doc: obsolete

zone (u16)
  byte-order: big-endian
  doc: conntrack zone id

secctx (nest)
  nested-attributes: secctx-attrs

timestamp (u64)
  byte-order: big-endian

mark-mask (u32)
  byte-order: big-endian

labels (binary)

labels mask (binary)

synproxy (nest)
  nested-attributes: synproxy-attrs

filter (nest)
  nested-attributes: tuple-attrs

status-mask (u32)
  byte-order: big-endian
  enum: nf-ct-status
  enum-as-flags: True
  doc: conntrack flag bits to change

timestamp-event (u64)
  byte-order: big-endian

conntrack-stats-attrs

searched (u32)
  byte-order: big-endian
  doc: obsolete

found (u32)
  byte-order: big-endian

new (u32)
  byte-order: big-endian
  doc: obsolete

invalid (u32)
  byte-order: big-endian
  doc: obsolete

ignore (u32)
  byte-order: big-endian
  doc: obsolete

delete (u32)
  byte-order: big-endian
  doc: obsolete

delete-list (u32)
  byte-order: big-endian
  doc: obsolete

insert (u32)
  byte-order: big-endian

insert-failed (u32)
  byte-order: big-endian

drop (u32)
  byte-order: big-endian

early-drop (u32)
  byte-order: big-endian

error (u32)
  byte-order: big-endian

search-restart (u32)
  byte-order: big-endian

clash-resolve (u32)
  byte-order: big-endian

chain-toolong (u32)
  byte-order: big-endian
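
Added example (not part of the kernel documentation): a Python decoder for a get reply laid out as this specification describes, covering the nfgenmsg fixed header, the nested tuple attributes, and the big-endian status flags. It assumes each attribute's type number is its 1-based position in its attribute set and that nf-ct-status entry i is bit i; only a subset of attributes is mapped, and the message bytes, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

NLA_F_NESTED, NLA_TYPE_MASK = 0x8000, 0x3FFF  # linux/netlink.h
# nf-ct-status entries in the order the page lists them; entry i is bit i.
STATUS = ["expected", "seen-reply", "assured", "confirmed", "src-nat", "dst-nat",
          "seq-adj", "src-nat-done", "dst-nat-done", "dying", "fixed-timeout",
          "template", "nat-clash", "helper", "offload", "hw-offload"]
# Assumption: an attribute's type number is its 1-based position in its set.
# Value is (name, kind); kind is a nested set, "ip", "status" or a struct format.
SETS = {
    "conntrack-attrs": {1: ("tuple-orig", "tuple-attrs"), 2: ("tuple-reply", "tuple-attrs"),
                        3: ("status", "status"), 7: ("timeout", ">I"), 18: ("zone", ">H")},
    "tuple-attrs": {1: ("tuple-ip", "tuple-ip-attrs"),
                    2: ("tuple-proto", "tuple-proto-attrs"), 3: ("tuple-zone", ">H")},
    "tuple-ip-attrs": {1: ("ip-v4-src", "ip"), 2: ("ip-v4-dst", "ip"),
                       3: ("ip-v6-src", "ip"), 4: ("ip-v6-dst", "ip")},
    "tuple-proto-attrs": {1: ("proto-num", "B"), 2: ("proto-src-port", ">H"),
                          3: ("proto-dst-port", ">H")},
}

def parse_attrs(buf, set_name):
    """Walk netlink TLVs (host-order u16 len/type, 4-byte aligned) for one set."""
    out, off = {}, 0
    while off + 4 <= len(buf):
        nla_len, nla_type = struct.unpack_from("=HH", buf, off)
        if nla_len < 4 or off + nla_len > len(buf):
            raise ValueError(f"bad attribute length {nla_len} at offset {off}")
        payload = buf[off + 4:off + nla_len]
        name, kind = SETS[set_name].get(nla_type & NLA_TYPE_MASK, (None, None))
        if kind in SETS:
            out[name] = parse_attrs(payload, kind)
        elif kind == "ip":
            out[name] = str(ipaddress.ip_address(payload))
        elif kind == "status":
            bits = struct.unpack(">I", payload)[0]
            out[name] = [n for i, n in enumerate(STATUS) if bits >> i & 1]
        elif kind is not None:
            out[name] = struct.unpack(kind, payload)[0]  # wrong size raises
        off += (nla_len + 3) & ~3  # unknown attributes are skipped
    return out

def decode(msg):
    if len(msg) < 4:  # nfgenmsg: nfgen-family u8, version u8, res-id u16
        raise ValueError("short nfgenmsg header")
    return {"nfgen-family": msg[0], "version": msg[1],
            **parse_attrs(msg[4:], "conntrack-attrs")}

def nla(attr_type, payload, nested=False):
    head = struct.pack("=HH", 4 + len(payload), attr_type | (NLA_F_NESTED * nested))
    return head + payload + b"\0" * (-len(payload) % 4)

def sample_message():
    """Constructed 'get' reply for 192.0.2.10:40000 -> 198.51.100.7:443 (TCP)."""
    ip = nla(1, bytes([192, 0, 2, 10])) + nla(2, bytes([198, 51, 100, 7]))
    proto = nla(1, b"\x06") + nla(2, struct.pack(">H", 40000)) + nla(3, struct.pack(">H", 443))
    orig = nla(1, ip, True) + nla(2, proto, True)
    return (bytes([2, 0, 0, 0]) + nla(1, orig, True)
            + nla(3, struct.pack(">I", 0b1110)) + nla(7, struct.pack(">I", 431999)))
```

decode(sample_message()) returns the tuple, the status list and the timeout as a dictionary; a truncated or over-long attribute length raises ValueError rather than reading past the buffer.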


© Copyright The kernel development community.
