{
    "mode": "man",
    "parameter": "tc-ct",
    "section": "8",
    "url": "https://www.chedong.com/phpMan.php/man/tc-ct/8/json",
    "generated": "2026-06-02T22:31:51Z",
    "synopsis": "tc ... action ct commit [ force ] [ zone ZONE ] [ mark MASKEDMARK ] [ label MASKEDLABEL ] [\nnat NATSPEC ]\ntc ... action ct [ nat ] [ zone ZONE ]",
    "sections": {
        "NAME": {
            "content": "ct - tc connection tracking action\n",
            "subsections": []
        },
        "SYNOPSIS": {
            "content": "tc ... action ct commit [ force ] [ zone ZONE ] [ mark MASKEDMARK ] [ label MASKEDLABEL ] [\nnat NATSPEC ]\n\ntc ... action ct [ nat ] [ zone ZONE ]\n",
            "subsections": [
                {
                    "name": "tc ... action ct clear",
                    "content": ""
                }
            ]
        },
        "DESCRIPTION": {
            "content": "The ct action is a tc action for sending packets to, and interacting with, the netfilter conntrack\nmodule.\n\nIt can (as shown in the synopsis, in order):\n\nSend the packet to conntrack, and commit the connection, while configuring a 32bit mark,\n128bit label, and src/dst nat.\n\nSend the packet to conntrack, which will mark the packet with the connection's state and\nconfigured metadata (mark/label), and execute previously configured nat.\n\nClear the packet of previous connection tracking state.\n\n",
            "subsections": []
        },
        "OPTIONS": {
            "content": "zone ZONE\nSpecify a conntrack zone number on which to send the packet to conntrack.\n\nmark MASKEDMARK\nSpecify a masked 32bit mark to set for the connection (only valid with commit).\n\nlabel MASKEDLABEL\nSpecify a masked 128bit label to set for the connection (only valid with commit).\n\nnat NATSPEC\nWhere NATSPEC := {src|dst} addr addr1[-addr2] [port port1[-port2]]\n\nSpecify src/dst and range of nat to configure for the connection (only valid with\ncommit).\n\nsrc/dst - configure src or dst nat\n\naddr1/addr2 - IPv4/IPv6 addresses\n\nport1/port2 - Port numbers\n\nnat    Restore any previously configured nat.\n\nclear  Remove any conntrack state and metadata (mark/label) from the packet (must be the only\noption specified).\n\nforce  Force the conntrack direction for a previously committed connection, so that the current\ndirection becomes the original direction (only valid with commit).\n\n",
            "subsections": []
        },
        "EXAMPLES": {
            "content": "Example showing natted firewall in conntrack zone 2, and conntrack mark usage:\n\n#Add ingress qdisc on eth0 and eth1 interfaces\n$ tc qdisc add dev eth0 ingress\n$ tc qdisc add dev eth1 ingress\n\n#Setup filters on eth0, allowing opening new connections in zone 2, and doing src nat + mark for each new connection\n$ tc filter add dev eth0 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\\naction ct zone 2 pipe action goto chain 2\n$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new \\\naction ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1\n$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\\naction ct nat pipe action mirred egress redirect dev eth1\n\n#Setup filters on eth1, allowing only established connections of zone 2 through, and reverse nat (dst nat in this case)\n$ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\\naction ct zone 2 pipe action goto chain 1\n$ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\\naction ct nat pipe action mirred egress redirect dev eth0\n\n\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "tc(8), tc-flower(8), tc-mirred(8)\n",
            "subsections": []
        },
        "AUTHORS": {
            "content": "Paul Blakey <paulb@mellanox.com>\n\nMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>\n\nYossi Kuperman <yossiku@mellanox.com>\n\n\n\niproute2                                     14 May 2020                          ct action in tc(8)",
            "subsections": []
        }
    },
    "summary": "ct - tc connection tracking action",
    "flags": [],
    "examples": [
        "Example showing natted firewall in conntrack zone 2, and conntrack mark usage:",
        "#Add ingress qdisc on eth0 and eth1 interfaces",
        "$ tc qdisc add dev eth0 ingress",
        "$ tc qdisc add dev eth1 ingress",
        "#Setup filters on eth0, allowing opening new connections in zone 2, and doing src nat + mark for each new connection",
        "$ tc filter add dev eth0 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\",
        "action ct zone 2 pipe action goto chain 2",
        "$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new \\",
        "action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1",
        "$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\",
        "action ct nat pipe action mirred egress redirect dev eth1",
        "#Setup filters on eth1, allowing only established connections of zone 2 through, and reverse nat (dst nat in this case)",
        "$ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\",
        "action ct zone 2 pipe action goto chain 1",
        "$ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\",
        "action ct nat pipe action mirred egress redirect dev eth0"
    ],
    "see_also": [
        {
            "name": "tc",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/tc/8/json"
        },
        {
            "name": "tc-flower",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/tc-flower/8/json"
        },
        {
            "name": "tc-mirred",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/tc-mirred/8/json"
        }
    ]
}