{"id":2816,"date":"2022-12-20T15:17:23","date_gmt":"2022-12-20T18:17:23","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/ct-action-in-tc-man8\/"},"modified":"2022-12-20T15:17:23","modified_gmt":"2022-12-20T18:17:23","slug":"ct-action-in-tc-man8","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/ct-action-in-tc-man8\/","title":{"rendered":"ct action in tc (man8)"},"content":{"rendered":"

ct action in tc<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
OPTIONS<\/a>
EXAMPLES<\/a>
SEE ALSO<\/a>
AUTHORS<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

ct \u2212 tc connection tracking action<\/p>\n

SYNOPSIS <\/a> <\/h2>\n

tc … action ct commit [ force ] [ zone<\/b> ZONE<\/i> ] [ mark<\/b> MASKED_MARK<\/i> ] [ label<\/b> MASKED_LABEL<\/i> ] [ nat<\/b> NAT_SPEC<\/i> ]<\/b><\/p>\n

tc … action ct [ nat ] [ zone<\/b> ZONE<\/i> ]<\/b><\/p>\n

tc … action ct clear<\/b><\/p>\n

DESCRIPTION <\/a> <\/h2>\n

The ct action is a tc action for sending packets and interacting with the netfilter conntrack module.<\/p>\n

It can (as shown in the synopsis, in order):<\/p>\n

Send the packet to conntrack, and commit the connection, while configuring a 32bit mark, 128bit label, and src\/dst nat.<\/p>\n

Send the packet to conntrack, which will mark the packet with the connection\u2019s state and configured metadata (mark\/label), and execute previous configured nat.<\/p>\n

Clear the packet\u2019s of previous connection tracking state.<\/p>\n

OPTIONS <\/a> <\/h2>\n

zone<\/b> ZONE<\/i><\/p>\n

Specify a conntrack zone number on which to send the packet to conntrack.<\/p>\n

mark<\/b> MASKED_MARK<\/i><\/p>\n

Specify a masked 32bit mark to set for the connection (only valid with commit).<\/p>\n

label<\/b> MASKED_LABEL<\/i><\/p>\n

Specify a masked 128bit label to set for the connection (only valid with commit).<\/p>\n

nat<\/b> NAT_SPEC<\/i><\/p>\n

Where<\/b> NAT_SPEC<\/i> := {src|dst} addr<\/b> addr1<\/i>[-<\/b>addr2<\/i>] [port<\/b> port1<\/i>[-<\/b>port2<\/i>]]<\/b><\/p>\n

Specify src\/dst and range of nat to configure for the connection (only valid with commit).
src\/dst – configure src or dst nat
addr1<\/i>\/<\/b>addr2<\/i> – IPv4\/IPv6 addresses<\/b>
port1<\/i>\/<\/b>port2<\/i> – Port numbers<\/b><\/p>\n\n\n\n\n
<\/td>\n\n

nat<\/b><\/p>\n<\/td>\n

<\/td>\n\n

Restore any previous configured nat.<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

clear<\/b><\/p>\n<\/td>\n

<\/td>\n\n

Remove any conntrack state and metadata (mark\/label) from the packet (must only option specified).<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

force<\/b><\/p>\n<\/td>\n

<\/td>\n\n

Forces conntrack direction for a previously committed connections, so that current direction will become the original direction (only valid with commit).<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

EXAMPLES <\/a> <\/h2>\n

Example showing natted firewall in conntrack zone 2, and conntrack mark usage:<\/p>\n

#Add ingress qdisc on eth0 and eth1 interfaces
$ tc qdisc add dev eth0 handle ingress
$ tc qdisc add dev eth1 handle ingress<\/p>\n

#Setup filters on eth0, allowing opening new connections in zone 2, and doing src nat + mark for each new connection
$ tc filter add dev eth0 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk
action ct zone 2 pipe action goto chain 2
$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_state +trk+new
action ct zone 2 commit mark 0xbb nat src addr 5.5.5.7 pipe action mirred egress redirect dev eth1
$ tc filter add dev eth0 ingress prio 1 chain 2 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est
action ct nat pipe action mirred egress redirect dev eth1<\/p>\n

#Setup filters on eth1, allowing only established connections of zone 2 through, and reverse nat (dst nat in this case)
$ tc filter add dev eth1 ingress prio 1 chain 0 proto ip flower ip_proto tcp ct_state -trk
action ct zone 2 pipe action goto chain 1
$ tc filter add dev eth1 ingress prio 1 chain 1 proto ip flower ct_zone 2 ct_mark 0xbb ct_state +trk+est
action ct nat pipe action mirred egress redirect dev eth0<\/p>\n

SEE ALSO <\/a> <\/h2>\n

tc<\/b>(8), tc-flower<\/b>(8) tc-mirred<\/b>(8)<\/p>\n

AUTHORS <\/a> <\/h2>\n

Paul Blakey <\/p>\n

Marcelo Ricardo Leitner <\/p>\n

Yossi Kuperman <\/p>\n

\n","protected":false},"excerpt":{"rendered":"

ct \u2212 tc connection tracking action <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[5,52,4,168],"class_list":["post-2816","post","type-post","status-publish","format-standard","hentry","category-8-administracion-del-sistema","tag-5","tag-administracion","tag-man8","tag-tc-ct"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/2816","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=2816"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/2816\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=2816"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=2816"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=2816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}