clarification on the use of --state parameter within conntrack command

clarification on the use of --state parameter within conntrack command

[Alexis Salinas]

Hi All,
Could someone help me understand the correct use of the protocol filter parameter "--state". I figure it would be something like this " conntrack -L -p TCP --state ESTABLISHED" but 2 different versions of conntrack-tools give the same error (conntrack v1.2.1 (conntrack-tools): unknown option `--state'
Try `conntrack -h' or 'conntrack --help' for more information.)

Is ts a deprecated parameter? What I'm trying to do is to selectively delete entries that are in a particular state. For instance TCP SYN_SENT, or UDP UNREPLIED.

Thanks,
Alexis.

Re: clarification on the use of --state parameter within conntrack command

[Phil Oester]

On Fri, Sep 13, 2013 at 05:00:17PM +0000, Alexis Salinas wrote:
> Hi All,
> Could someone help me understand the correct use of the protocol filter parameter "--state". I figure it would be something like this " conntrack -L -p TCP --state ESTABLISHED" but 2 different versions of conntrack-tools give the same error (conntrack v1.2.1 (conntrack-tools): unknown option `--state'
> Try `conntrack -h' or 'conntrack --help' for more information.)

Don't capitalize the protocol.

    conntrack -L -p tcp --state SYN_SENT

Phil

RE: clarification on the use of --state parameter within conntrack command

[Alexis Salinas]

Thanks Phil, that works.
And to your knowledge is there a way to do something similar with UDP. Like to filter the entries in UNREPLIED state?

Alexis.
________________________________________
From: Phil Oester [kernel@linuxace.com]
Sent: September 13, 2013 10:45
To: Alexis Salinas
Cc: netfilter@vger.kernel.org
Subject: Re: clarification on the use of --state parameter within  conntrack command

On Fri, Sep 13, 2013 at 05:00:17PM +0000, Alexis Salinas wrote:
> Hi All,
> Could someone help me understand the correct use of the protocol filter parameter "--state". I figure it would be something like this " conntrack -L -p TCP --state ESTABLISHED" but 2 different versions of conntrack-tools give the same error (conntrack v1.2.1 (conntrack-tools): unknown option `--state'
> Try `conntrack -h' or 'conntrack --help' for more information.)

Don't capitalize the protocol.

    conntrack -L -p tcp --state SYN_SENT

Phil

Re: clarification on the use of --state parameter within conntrack command

[Greg Folkert]

On Fri, 2013-09-13 at 17:55 +0000, Alexis Salinas wrote:
> Thanks Phil, that works.
> And to your knowledge is there a way to do something similar with UDP.
> Like to filter the entries in UNREPLIED state?

Isn't that kind of the point of UDP? Wouldn't that be breaking it?

IIRC, UDP, was designed to communicate without having to setup a session
or other control/handshaking dialogues. I mean it is a "best effort"
protocol, with "time sensitive" payload, right? Also used as a fire and
forget protocol, also know as streaming,.. right?

Or am I missing something?
-- 
greg folkert - systems administration and support
web:    donor.com
email:  greg@donor.com
phone:  877-751-3300 x416
direct: 616-328-6449 (direct dial and fax)
"Our actions are the results of our intentions and our intelligence."
    -- E. Stanley Jones

RE: clarification on the use of --state parameter within conntrack command

[Alexis Salinas]

"Isn't that kind of the point of UDP? Wouldn't that be breaking it?"

Perhaps to clarify, I would like to be able to filter by the UNREPLIED flag, when I list or delete entries from the table. That's why I was exploring the --state filter, but that only seems to work for TCP. I think using the UNREPLIED flag is a better option as it is displayed for UDP, TCP, and ICMP.

Cheers,  
Alexis.

Re: clarification on the use of --state parameter within conntrack command

[Phil Oester]

On Fri, Sep 13, 2013 at 05:55:09PM +0000, Alexis Salinas wrote:
> Thanks Phil, that works.
> And to your knowledge is there a way to do something similar with UDP. Like to filter the entries in UNREPLIED state?

No, there does not appear to be.

Phil