diff options
Diffstat (limited to 'man/man8/tc-ct.8')
| -rw-r--r-- | man/man8/tc-ct.8 | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/man/man8/tc-ct.8 b/man/man8/tc-ct.8 new file mode 100644 index 0000000..2fb81ca --- /dev/null +++ b/man/man8/tc-ct.8 @@ -0,0 +1,107 @@ +.TH "ct action in tc" 8 "14 May 2020" "iproute2" "Linux" +.SH NAME +ct \- tc connection tracking action +.SH SYNOPSIS +.in +8 +.ti -8 +.BR "tc ... action ct commit [ force ] [ zone " +.IR ZONE +.BR "] [ mark " +.IR MASKED_MARK +.BR "] [ label " +.IR MASKED_LABEL +.BR "] [ nat " +.IR NAT_SPEC +.BR "]" + +.ti -8 +.BR "tc ... action ct [ nat ] [ zone " +.IR ZONE +.BR "]" + +.ti -8 +.BR "tc ... action ct clear" + +.SH DESCRIPTION +The ct action is a tc action for sending packets and interacting with the netfilter conntrack module. + +It can (as shown in the synopsis, in order): + +Send the packet to conntrack, and commit the connection, while configuring +a 32bit mark, 128bit label, and src/dst nat. + +Send the packet to conntrack, which will mark the packet with the connection's state and +configured metadata (mark/label), and execute previous configured nat. + +Clear the packet's of previous connection tracking state. + +.SH OPTIONS +.TP +.BI zone " ZONE" +Specify a conntrack zone number on which to send the packet to conntrack. +.TP +.BI mark " MASKED_MARK" +Specify a masked 32bit mark to set for the connection (only valid with commit). +.TP +.BI label " MASKED_LABEL" +Specify a masked 128bit label to set for the connection (only valid with commit). +.TP +.BI nat " NAT_SPEC" +.BI Where " NAT_SPEC " ":= {src|dst} addr" " addr1" "[-" "addr2" "] [port " "port1" "[-" "port2" "]]" + +Specify src/dst and range of nat to configure for the connection (only valid with commit). +.RS +.TP +src/dst - configure src or dst nat +.TP +.BI "" "addr1" "/" "addr2" " - IPv4/IPv6 addresses" +.TP +.BI "" "port1" "/" "port2" " - Port numbers" +.RE +.TP +.BI nat +Restore any previous configured nat. +.TP +.BI clear +Remove any conntrack state and metadata (mark/label) from the packet (must only option specified). +.TP +.BI force +Forces conntrack direction for a previously committed connections, so that current direction will become the original direction (only valid with commit). + +.SH EXAMPLES +Example showing natted firewall in conntrack zone 2, and conntrack mark usage: +.EX + +#Add ingress qdisc on eth0 and eth1 interfaces +.nf +$ tc qdisc add dev eth0 ingress +$ tc qdisc add dev eth1 ingress + +#Setup filters on eth0, allowing opening new connections in zone 2, and doing src nat + mark for each new connection +$ tc filter add dev eth0 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\ +action ct zone 2 pipe action goto chain 2 +$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new \\ +action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1 +$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\ +action ct nat pipe action mirred egress redirect dev eth1 + +#Setup filters on eth1, allowing only established connections of zone 2 through, and reverse nat (dst nat in this case) +$ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk \\ +action ct zone 2 pipe action goto chain 1 +$ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est \\ +action ct nat pipe action mirred egress redirect dev eth0 +.fi + +.EE + +.RE +.SH SEE ALSO +.BR tc (8), +.BR tc-flower (8) +.BR tc-mirred (8) +.SH AUTHORS +Paul Blakey <paulb@mellanox.com> + +Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> + +Yossi Kuperman <yossiku@mellanox.com> |