ct action in tc - Online Linux Manual Page

Section : 8
Updated : 14 May 2020
Source : iproute2
Note : Linux

NAME
       ct - tc connection tracking action

SYNOPSIS
       tc ... action ct commit [ force ] [ zone ZONE ] [ mark MASKED_MARK ] [ label MASKED_LABEL ] [ nat NAT_SPEC ]

       tc ... action ct [ nat ] [ zone ZONE ]

       tc ... action ct clear

DESCRIPTION
       The ct action is a tc action for sending packets to, and interacting with, the netfilter conntrack module.

       It can (as shown in the synopsis, in order):

       Send the packet to conntrack and commit the connection, while configuring a 32bit mark, a 128bit label, and src/dst nat.

       Send the packet to conntrack, which will mark the packet with the connection's state and configured metadata (mark/label), and execute any previously configured nat.

       Clear the packet of previous connection tracking state.

OPTIONS
       zone ZONE
              Specify a conntrack zone number on which to send the packet to conntrack.

       mark MASKED_MARK
              Specify a masked 32bit mark to set for the connection (only valid with commit).

       label MASKED_LABEL
              Specify a masked 128bit label to set for the connection (only valid with commit).

       nat NAT_SPEC
              Where NAT_SPEC := {src|dst} addr addr1[-addr2] [port port1[-port2]]

              Specify src/dst and range of nat to configure for the connection (only valid with commit).

              src/dst - configure src or dst nat
              addr1/addr2 - IPv4/IPv6 addresses
              port1/port2 - Port numbers

       nat    Restore any previously configured nat.

       clear  Remove any conntrack state and metadata (mark/label) from the packet (must be the only option specified).

       force  Forces the conntrack direction for previously committed connections, so that the current direction becomes the original direction (only valid with commit).

EXAMPLES
       Example showing natted firewall in conntrack zone 2, and conntrack mark usage:

       #Add ingress qdisc on eth0 and eth1 interfaces
       $ tc qdisc add dev eth0 ingress
       $ tc qdisc add dev eth1 ingress

       #Setup filters on eth0, allowing opening new connections in zone 2, and doing src nat + mark for each new connection
       $ tc filter add dev eth0 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk action ct zone 2 pipe action goto chain 2
       $ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1
       $ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est action ct nat pipe action mirred egress redirect dev eth1

       #Setup filters on eth1, allowing only established connections of zone 2 through, and reverse nat (dst nat in this case)
       $ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk action ct zone 2 pipe action goto chain 1
       $ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est action ct nat pipe action mirred egress redirect dev eth0
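
       The option constraints stated under OPTIONS (mark, label, force and a nat NAT_SPEC are only valid with commit; clear must be the only option) can be checked before a rule set is loaded. The following is an added example, not part of the iproute2 manual page or of tc itself; the function name ct_check and its messages are hypothetical, and it takes only the words that follow "action ct".

```shell
#!/bin/sh
# Added example, not from iproute2. Lints the option list that follows
# "action ct" against the rules in OPTIONS. Prints "ok" or a reason.
ct_check() {
    commit=0 clear=0 count=0 needs_commit=""
    while [ $# -gt 0 ]; do
        count=$((count + 1))
        case "$1" in
            commit) commit=1 ;;
            clear)  clear=1 ;;
            force)  needs_commit="$needs_commit force" ;;
            zone)
                [ $# -ge 2 ] || { echo "zone needs a value"; return 1; }
                shift ;;
            mark|label)
                [ $# -ge 2 ] || { echo "$1 needs a value"; return 1; }
                needs_commit="$needs_commit $1"; shift ;;
            nat)
                # "nat {src|dst} addr ..." is a NAT_SPEC; bare "nat" restores NAT.
                case "${2:-}" in
                    src|dst)
                        [ "${3:-}" = addr ] && [ $# -ge 4 ] ||
                            { echo "nat $2 needs: addr ADDR"; return 1; }
                        needs_commit="$needs_commit nat-spec"
                        shift 3
                        if [ "${2:-}" = port ]; then
                            [ $# -ge 3 ] || { echo "port needs a value"; return 1; }
                            shift 2
                        fi ;;
                esac ;;
            *) echo "unknown ct option: $1"; return 1 ;;
        esac
        shift
    done
    if [ "$clear" -eq 1 ] && [ "$count" -gt 1 ]; then
        echo "clear must be the only option"; return 1
    fi
    if [ -n "$needs_commit" ] && [ "$commit" -eq 0 ]; then
        echo "only valid with commit:$needs_commit"; return 1
    fi
    echo ok
}

# Option lists from the EXAMPLES section, then two constructed invalid ones.
ct_check zone 2
ct_check zone 2 commit mark 0xbb nat src addr 5.5.5.7
ct_check nat
ct_check zone 2 mark 0xbb || true    # constructed: mark without commit
ct_check clear zone 2 || true        # constructed: clear plus another option
```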

SEE ALSO
       tc(8), tc-flower(8), tc-mirred(8)

AUTHORS
       Paul Blakey <paulb@mellanox.com>
       Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
       Yossi Kuperman <yossiku@mellanox.com>