{
    "content": [
        {
            "type": "text",
            "text": "# tc-ct(8) (man)\n\n**Summary:** ct - tc connection tracking action\n\n**Synopsis:** tc ... action ct commit [ force ] [ zone ZONE ] [ mark MASKEDMARK ] [ label MASKEDLABEL ] [\nnat NATSPEC ]\ntc ... action ct [ nat ] [ zone ZONE ]\n\n## Examples\n\n- `Example showing natted firewall in conntrack zone 2, and conntrack mark usage:`\n- `#Add ingress qdisc on eth0 and eth1 interfaces`\n- `$ tc qdisc add dev eth0 ingress`\n- `$ tc qdisc add dev eth1 ingress`\n- `#Setup filters on eth0, allowing opening new connections in zone 2, and doing src nat + mark for each new connection`\n- `$ tc filter add dev eth0 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\`\n- `action ct zone 2 pipe action goto chain 2`\n- `$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new \\`\n- `action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1`\n- `$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\`\n- `action ct nat pipe action mirred egress redirect dev eth1`\n- `#Setup filters on eth1, allowing only established connections of zone 2 through, and reverse nat (dst nat in this case)`\n- `$ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\`\n- `action ct zone 2 pipe action goto chain 1`\n- `$ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\`\n- `action ct nat pipe action mirred egress redirect dev eth0`\n\n## See Also\n\n- tc(8)\n- tc-flower(8)\n- tc-mirred(8)\n\n## Section Outline\n\n- **NAME** (2 lines)\n- **SYNOPSIS** (5 lines) — 1 subsections\n  - tc ... action ct clear (1 lines)\n- **DESCRIPTION** (14 lines)\n- **OPTIONS** (30 lines)\n- **EXAMPLES** (22 lines)\n- **SEE ALSO** (2 lines)\n- **AUTHORS** (9 lines)\n\n## Full Content\n\n### NAME\n\nct - tc connection tracking action\n\n### SYNOPSIS\n\ntc ... 
action ct commit [ force ] [ zone ZONE ] [ mark MASKEDMARK ] [ label MASKEDLABEL ] [\nnat NATSPEC ]\n\ntc ... action ct [ nat ] [ zone ZONE ]\n\n#### tc ... action ct clear\n\n### DESCRIPTION\n\nThe ct action is a tc action for sending packets and interacting with the netfilter conntrack\nmodule.\n\nIt can (as shown in the synopsis, in order):\n\nSend the packet to conntrack, and commit the connection, while configuring a 32-bit mark,\n128-bit label, and src/dst nat.\n\nSend the packet to conntrack, which will mark the packet with the connection's state and\nconfigured metadata (mark/label), and execute any previously configured nat.\n\nClear the packet of previous connection tracking state.\n\n### OPTIONS\n\nzone ZONE\nSpecify a conntrack zone number on which to send the packet to conntrack.\n\nmark MASKEDMARK\nSpecify a masked 32-bit mark to set for the connection (only valid with commit).\n\nlabel MASKEDLABEL\nSpecify a masked 128-bit label to set for the connection (only valid with commit).\n\nnat NATSPEC\nWhere NATSPEC := {src|dst} addr addr1[-addr2] [port port1[-port2]]\n\nSpecify src/dst and range of nat to configure for the connection (only valid with\ncommit).\n\nsrc/dst - configure src or dst nat\n\naddr1/addr2 - IPv4/IPv6 addresses\n\nport1/port2 - Port numbers\n\nnat    Restore any previously configured nat.\n\nclear  Remove any conntrack state and metadata (mark/label) from the packet (must be the only option\nspecified).\n\nforce  Forces conntrack direction for previously committed connections, so that the current\ndirection will become the original direction (only valid with commit).\n\n### EXAMPLES\n\nExample showing natted firewall in conntrack zone 2, and conntrack mark usage:\n\n#Add ingress qdisc on eth0 and eth1 interfaces\n$ tc qdisc add dev eth0 ingress\n$ tc qdisc add dev eth1 ingress\n\n#Setup filters on eth0, allowing opening new connections in zone 2, and doing src nat + mark for each new connection\n$ tc filter add dev eth0 ingress 
prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\\naction ct zone 2 pipe action goto chain 2\n$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new \\\naction ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1\n$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\\naction ct nat pipe action mirred egress redirect dev eth1\n\n#Setup filters on eth1, allowing only established connections of zone 2 through, and reverse nat (dst nat in this case)\n$ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\\naction ct zone 2 pipe action goto chain 1\n$ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\\naction ct nat pipe action mirred egress redirect dev eth0\n\n### SEE ALSO\n\ntc(8), tc-flower(8), tc-mirred(8)\n\n### AUTHORS\n\nPaul Blakey <paulb@mellanox.com>\n\nMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>\n\nYossi Kuperman <yossiku@mellanox.com>\n\n\n\niproute2                                     14 May 2020                          ct action in tc(8)\n\n"
        }
    ],
    "structuredContent": {
        "command": "tc-ct",
        "section": "8",
        "mode": "man",
        "summary": "ct - tc connection tracking action",
        "synopsis": "tc ... action ct commit [ force ] [ zone ZONE ] [ mark MASKEDMARK ] [ label MASKEDLABEL ] [\nnat NATSPEC ]\ntc ... action ct [ nat ] [ zone ZONE ]",
        "tldr_summary": null,
        "tldr_examples": [],
        "tldr_source": null,
        "flags": [],
        "examples": [
            "Example showing natted firewall in conntrack zone 2, and conntrack mark usage:",
            "#Add ingress qdisc on eth0 and eth1 interfaces",
            "$ tc qdisc add dev eth0 ingress",
            "$ tc qdisc add dev eth1 ingress",
            "#Setup filters on eth0, allowing opening new connections in zone 2, and doing src nat + mark for each new connection",
            "$ tc filter add dev eth0 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\",
            "action ct zone 2 pipe action goto chain 2",
            "$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new \\",
            "action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1",
            "$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\",
            "action ct nat pipe action mirred egress redirect dev eth1",
            "#Setup filters on eth1, allowing only established connections of zone 2 through, and reverse nat (dst nat in this case)",
            "$ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\",
            "action ct zone 2 pipe action goto chain 1",
            "$ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\",
            "action ct nat pipe action mirred egress redirect dev eth0"
        ],
        "see_also": [
            {
                "name": "tc",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/tc/8/json"
            },
            {
                "name": "tc-flower",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/tc-flower/8/json"
            },
            {
                "name": "tc-mirred",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/tc-mirred/8/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 5,
                "subsections": [
                    {
                        "name": "tc ... action ct clear",
                        "lines": 1
                    }
                ]
            },
            {
                "name": "DESCRIPTION",
                "lines": 14,
                "subsections": []
            },
            {
                "name": "OPTIONS",
                "lines": 30,
                "subsections": []
            },
            {
                "name": "EXAMPLES",
                "lines": 22,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "AUTHORS",
                "lines": 9,
                "subsections": []
            }
        ]
    }
}