
Vyatta
Suite 200
1301 Shoreway Road
Belmont, CA 94002
vyatta.com
650 413 7200
1 888 VYATTA 1 (US and Canada)
VYATTA, INC. | Vyatta System
Connection Management
REFERENCE GUIDE
Connection Tracking
Flow Accounting
COPYRIGHT
Copyright © 2005–2012 Vyatta, Inc. All rights reserved.
Vyatta reserves the right to make changes to software, hardware, and documentation without notice. For the most recent version of documentation, visit the Vyatta website at vyatta.com.
PROPRIETARY NOTICES
Vyatta is a registered trademark of Vyatta, Inc.
Hyper-V is a registered trademark of Microsoft Corporation.
VMware, VMware ESX, and VMware server are trademarks of VMware, Inc.
XenServer, and XenCenter are trademarks of Citrix Systems, Inc.
All other trademarks are the property of their respective owners.
RELEASE DATE: October 2012
DOCUMENT REVISION. 6.5R1 v01
RELEASED WITH: 6.5.0R1
PART NO. A0-0245-10-0004
Connection Management 6.5R1 v01 Vyatta
Contents
Quick List of Commands ......... v
List of Examples ......... vii
Preface ......... viii
  Intended Audience ......... ix
  Organization of This Guide ......... ix
  Document Conventions ......... ix
  Vyatta Publications ......... x
Chapter 1 Connection Tracking ......... 1
  Connection Tracking Overview ......... 2
    Logging ......... 2
    Connection Tracking Table Components ......... 3
      The Connection Tracking Table ......... 3
      The Connection Tracking Hash Table ......... 3
      The Connection Tracking Expect Table ......... 3
      The Connection Tracking Expect Hash Table ......... 4
    Tuning Connection Tracking ......... 4
    Setting Time-Outs for Connections ......... 5
  Connection Tracking Commands ......... 6
    delete conntrack table ......... 8
    reset conntrack ......... 11
    show conntrack table ......... 12
    system conntrack expect-table-size <size> ......... 15
    system conntrack hash-size <size> ......... 17
    system conntrack log icmp ......... 19
    system conntrack log other ......... 21
    system conntrack log tcp ......... 23
    system conntrack log udp ......... 26
    system conntrack modules ftp ......... 28
    system conntrack modules gre ......... 29
    system conntrack modules h323 ......... 31
    system conntrack modules nfs ......... 33
    system conntrack modules pptp ......... 35
    system conntrack modules sip ......... 37
    system conntrack modules sqlnet ......... 39
    system conntrack modules tftp ......... 41
    system conntrack table-size <size> ......... 43
    system conntrack tcp loose <state> ......... 45
    system conntrack timeout custom ......... 47
    system conntrack timeout icmp ......... 51
    system conntrack timeout other ......... 53
    system conntrack timeout tcp ......... 55
    system conntrack timeout udp ......... 57
Chapter 2 Flow Accounting ......... 59
  Flow Accounting Configuration ......... 60
    Flow Accounting Overview ......... 60
    Configuring an Interface for Flow Accounting ......... 60
    Displaying Flow Accounting Information ......... 61
    Exporting Flow Accounting Information ......... 62
  Flow Accounting Commands ......... 63
    clear flow-accounting counters ......... 65
    restart flow-accounting ......... 66
    show flow-accounting ......... 67
    show flow-accounting interface <interface> ......... 68
    system flow-accounting interface <interface> ......... 69
    system flow-accounting netflow engine-id <id> ......... 71
    system flow-accounting netflow sampling-rate <rate> ......... 72
    system flow-accounting netflow server <ipv4> ......... 74
    system flow-accounting netflow timeout expiry-interval <interval> ......... 76
    system flow-accounting netflow timeout flow-generic <timeout> ......... 78
    system flow-accounting netflow timeout icmp <timeout> ......... 80
    system flow-accounting netflow timeout max-active-life <life> ......... 82
    system flow-accounting netflow timeout tcp-fin <timeout> ......... 84
    system flow-accounting netflow timeout tcp-generic <timeout> ......... 86
    system flow-accounting netflow timeout tcp-rst <timeout> ......... 88
    system flow-accounting netflow timeout udp <timeout> ......... 90
    system flow-accounting netflow version <version> ......... 92
    system flow-accounting sflow agent-address <addr> ......... 94
    system flow-accounting sflow sampling-rate <rate> ......... 96
    system flow-accounting sflow server <ipv4> ......... 98
    system flow-accounting syslog-facility <facility> ......... 100
Glossary of Acronyms ......... 102
Quick List of Commands
Use this list to help you quickly locate commands.
clear flow-accounting counters ......... 65
delete conntrack table ......... 8
reset conntrack ......... 11
restart flow-accounting ......... 66
show conntrack table ......... 12
show flow-accounting interface <interface> ......... 68
show flow-accounting ......... 67
system conntrack expect-table-size <size> ......... 15
system conntrack hash-size <size> ......... 17
system conntrack log icmp ......... 19
system conntrack log other ......... 21
system conntrack log tcp ......... 23
system conntrack log udp ......... 26
system conntrack modules ftp ......... 28
system conntrack modules gre ......... 29
system conntrack modules h323 ......... 31
system conntrack modules nfs ......... 33
system conntrack modules pptp ......... 35
system conntrack modules sip ......... 37
system conntrack modules sqlnet ......... 39
system conntrack modules tftp ......... 41
system conntrack table-size <size> ......... 43
system conntrack tcp loose <state> ......... 45
system conntrack timeout custom ......... 47
system conntrack timeout icmp ......... 51
system conntrack timeout other ......... 53
system conntrack timeout tcp ......... 55
system conntrack timeout udp ......... 57
system flow-accounting interface <interface> ......... 69
system flow-accounting netflow engine-id <id> ......... 71
system flow-accounting netflow sampling-rate <rate> ......... 72
system flow-accounting netflow server <ipv4> ......... 74
system flow-accounting netflow timeout expiry-interval <interval> ......... 76
system flow-accounting netflow timeout flow-generic <timeout> ......... 78
system flow-accounting netflow timeout icmp <timeout> ......... 80
system flow-accounting netflow timeout max-active-life <life> ......... 82
system flow-accounting netflow timeout tcp-fin <timeout> ......... 84
system flow-accounting netflow timeout tcp-generic <timeout> ......... 86
system flow-accounting netflow timeout tcp-rst <timeout> ......... 88
system flow-accounting netflow timeout udp <timeout> ......... 90
system flow-accounting netflow version <version> ......... 92
system flow-accounting sflow agent-address <addr> ......... 94
system flow-accounting sflow sampling-rate <rate> ......... 96
system flow-accounting sflow server <ipv4> ......... 98
system flow-accounting syslog-facility <facility> ......... 100
List of Examples
Use this list to help you locate examples you'd like to look at or try.
Example 1-1 "delete conntrack table ipv4" sample output ......... 10
Example 1-2 "show conntrack table ipv4" sample output ......... 13
Example 1-4 Sample conntrack log messages for the ICMP protocol ......... 20
Example 1-5 Sample conntrack log messages for other protocols ......... 22
Example 1-6 Sample conntrack log messages for the ICMP protocol ......... 25
Example 1-7 Sample conntrack log messages for the ICMP protocol ......... 27
Preface
This document describes the various deployment, installation, and upgrade options
for Vyatta software.
This preface provides information about using this guide. The following topics are
presented:
• Intended Audience
• Organization of This Guide
• Document Conventions
• Vyatta Publications
 IntendedAudience
ix
ConnectionManagement 6.5R1v01 Vyatta
IntendedAudience
This guide is intended for experienced system and network administrators.
Depending on the functionality to be used, readers should have specific knowledge
in the following areas:
• Networking and data communications
• TCP/IP protocols
• General router configuration
• Routing protocols
• Network administration
• Network security
• IP services
OrganizationofThisGuide
This guide has the following aid to help you find the information you are looking for:

• Quick List of Commands
Use this list to help you quickly locate commands.
• List of Examples
Use this list to help you locate examples you’d like to try or look at.
This guide has the following chapters:
DocumentConventions
This guide uses the following advisory paragraphs, as follows.
Chapter Description Page
Chapter 1:ConnectionTracking Thischapterexplainsconnectiontrackingin
theVyattasystem.
1
Chapter 2:FlowAccounting Thischapterexplainshowtoconfigureflow
accountingusingtheVyattasystem.
59
GlossaryofAcronyms 102
 VyattaPublications
x
ConnectionManagement 6.5R1v01 Vyatta
NOTENotesprovideinformationyoumightneedtoavoidproblemsorconfigurationerrors.
This document uses the following typographic conventions.
VyattaPublications
Full product documentation is provided in the Vyatta technical library. To see what
documentation is available for your release, see the Guide to Vyatta Documentation.
This guide is posted with every release of Vyatta software and provides a great
starting point for finding the information you need.
Additional information is available on www.vyatta.com and www.vyatta.org.
WARNINGWarningsalertyoutosituationsthatmayposeathreattopersonalsafety.
CAUTIONCautionsalertyoutosituationsthatmightcauseharmtoyoursystemordamageto
equipment,orthatmayaffectservice.
Monospace

Examples, command-line output, and representations of
configuration nodes.
boldMonospace
Your input: something you type at a command line.
bold Commands, keywords, and file names, when mentioned
inline.
Objects in the user interface, such as tabs, buttons, screens,
and panes.
italics An argument or variable where you supply a value.
<key> A key on your keyboard, such as <Enter>. Combinations of
keys are joined by plus signs (“+”), as in <Ctrl>+c.
[ key1 | key2] Enumerated options for completing a syntax. An example is
[enable | disable].
num1–numN A inclusive range of numbers. An example is 1–65535, which
means 1 through 65535, inclusive.
arg1 argN A range of enumerated values. An example is eth0 eth3,
which means eth0, eth1, eth2, or eth3.
arg[ arg ]
arg[,arg ]
A value that can optionally represent a list of elements (a
space-separated list and a comma-separated list, respectively).
 VyattaPublications
xi
ConnectionManagement 6.5R1v01 Vyatta
Chapter 1: Connection Tracking
This chapter explains connection tracking in the Vyatta system.
This chapter presents the following topics:
• Connection Tracking Overview

• Connection Tracking Commands
Chapter1:ConnectionTracking ConnectionTrackingOverview
2
ConnectionManagement 6.5R1v01 Vyatta
ConnectionTrackingOverview
This section presents the following topics:
• Logging
• Connection Tracking Table Components
• Tuning Connection Tracking
• Setting Time-Outs for Connections
The Vyatta system can be configured to track connections using the connection
tracking subsystem. Connection tracking becomes operational once any one of
stateful firewall, NAT, WAN load balancing, or web proxy in its default transparent
mode is configured.
Once configured, entries in the connection tracking table can be displayed using the
show conntrack table command. Connection tracking entries can be removed from
the connection tracking table using the delete conntrack table command. All entries
in the connection tracking table can be removed using the reset conntrack command.
Note that the delete conntrack table and reset conntrack commands remove entries
from the connection tracking table, destroying information about their state and
load-balancing assignment, but the connections will not necessarily be blocked.
Logging
Connection events can be logged to the system log. The events to log for specific
protocols are configured using the system conntrack log commands.
For each protocol type, connection tracking can log when a connection is created,
when it is updated, and when it is terminated. For TCP, a connection is created when
a SYN is received and considered to be established once the 3-way TCP handshake
completes. For other IP protocols (for example, UDP and ICMP), the connection is
considered to be created from a tracking perspective once the first packet of the flow
is received. For all protocols, a connection is considered to be terminated when the
timeout expires or when it is cleared manually from operational mode. For TCP, a
connection is cleared when a TCP tear-down is seen or an RST flag is seen.
A separate logging process is created for each protocol or event configured. For
example, a process is created if you configure the system to log new TCP
connections. A separate process is created if you configure the system to log TCP
connection terminations. Each configuration change restarts the process.
A 2 MB buffer (that is, a netlink socket buffer) is allocated for each process. If traffic
is heavy enough to cause a buffer overflow, the system automatically increases the
buffer size by 2 MB and restarts the process. This automatic reconfiguration
continues until the buffer reaches a maximum of 8 MB.
Chapter1:ConnectionTracking ConnectionTrackingOverview
3
ConnectionManagement 6.5R1v01 Vyatta
NOTEThereisashorttimewhentheprocessisrestartingwherenoeventsforthatprotocol/event
typearelogged.
ConnectionTrackingTableComponents
The connection tracking system consists of four components:
• The Connection Tracking Table
• The Connection Tracking Hash Table
• The Connection Tracking Expect Table
• The Connection Tracking Expect Hash Table
TheConnectionTrackingTable
The connection tracking table contains one entry for each connection being tracked
by the system. Each entry is approximately 300 bytes and is dynamically allocated as
required. The table has a maximum of 16,384 entries if the firewall is not enabled,
and 32,768 entries if the firewall is enabled. This value can be changed using the
system conntrack table-size <size> command.
TheConnectionTrackingHashTable
The connection tracking hash table makes searching the connection tracking table
faster. The hash table uses "buckets" to record entries in the connection tracking
table. By default, there are 4096 buckets in the table and each is 8 bytes.
Memory for the connection tracking hash table is statically allocated. The size of the
connection tracking hash table can be tuned using the system conntrack hash-size
<size> command. The larger the hash table size, the more static memory is used but
the faster the lookup time, with diminishing returns at higher values. The smaller the
hash table size, the lower the static memory usage but the slower the lookup time.
Typically, the connection tracking hash table is kept at one-eighth the number of
entries in the connection tracking table.
TheConnectionTrackingExpectTable
The connection tracking expect table contains one entry for each expected
connection related to an existing connection. These are generally used by
“connection tracking helper” modules (sometimes called “application-level
gateways”) for protocols such as FTP, SIP, H.323, NFS, and SQL*net.
Some application layer protocols create connections that are difficult to track. For
example, FTP in passive mode uses port 21 for control operations and a random port
between 1024 to 65535 to receive the data requested. The connection on port 21 and
the data connection are related, but the firewall has no way of knowing this unless
Chapter1:ConnectionTracking ConnectionTrackingOverview
4
ConnectionManagement 6.5R1v01 Vyatta
some additional information is provided. To resolve these sorts of problems, the
connection tracking system employs the concept of helpers. The helpers identify
related connections by searching for a pattern, or a set of patterns, within the
packets. In case of passive mode FTP, a helper looks for the port pattern that was sent
in response to a passive open request. When it finds a pattern match, it creates an
expectation entry in the connection tracking expect table, defining the profile of
connections that are expected to happen in the future. Once the first packet is seen
for an expected connection, the entry is moved from the expect table to the main
connection tracking table. Thus, expect table entries are very short-lived in a typical
network.

These helpers are enabled by default but are active only if stateful firewall or NAT
as well as connection tracking synchronization (service conntrack-sync) are enabled.
They can be disabled and, in some cases configured, using the system conntrack
modules commands associated with each helper.
Each entry is approximately 300 bytes and is dynamically allocated as required, up
to a maximum of 2048 entries if the firewall is not enabled, and 4096 entries if the
firewall is enabled. This value can be tuned using the system conntrack
expect-table-size <size> command.
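As an added illustration (not code from the Vyatta guide or from the Vyatta system itself), the following Python model shows how an FTP helper derives an expectation from the PASV reply it finds on the control connection, and how the first packet of the matching data connection moves that expectation into the main connection tracking table. The class and method names, the sanity checks, and the sample addresses are constructed for this example.

```python
# Added example: a toy model of a connection tracking helper (application-level
# gateway) for passive-mode FTP. Not the Vyatta implementation.
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)";
# the data port is p1 * 256 + p2.
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class ConntrackTables:
    def __init__(self):
        # main: 5-tuple (proto, src, sport, dst, dport) -> entry
        self.main = {}
        # expect: 5-tuple with the source port wildcarded (None) -> master entry
        self.expect = {}

    def ftp_helper(self, master, payload):
        """Inspect a server-to-client payload on the FTP control connection.

        master is the control connection entry, a dict with the client ("src")
        and server ("dst") addresses. On a PASV reply, register an expectation
        describing the data connection the client is about to open.
        """
        m = PASV_RE.search(payload)
        if not m:
            return None
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        host = f"{h1}.{h2}.{h3}.{h4}"
        port = p1 * 256 + p2
        # Sanity checks (assumptions of this example): the advertised address
        # must be the server's own, and the port must lie in the 1024-65535
        # range the guide describes for passive data connections.
        if host != master["dst"] or not 1024 <= port <= 65535:
            return None
        key = ("tcp", master["src"], None, host, port)
        self.expect[key] = master
        return key

    def packet(self, proto, src, sport, dst, dport):
        """Classify one packet: ESTABLISHED if its tuple is already tracked,
        RELATED if it matches an expectation (which is consumed and becomes a
        main-table entry), otherwise NEW."""
        key = (proto, src, sport, dst, dport)
        if key in self.main:
            return "ESTABLISHED"
        exp_key = (proto, src, None, dst, dport)
        if exp_key in self.expect:
            # The expectation is short-lived: it is removed from the expect
            # table as soon as the first packet of the data connection is seen.
            master = self.expect.pop(exp_key)
            self.main[key] = {"state": "RELATED", "master": master}
            return "RELATED"
        self.main[key] = {"state": "NEW"}
        return "NEW"


if __name__ == "__main__":
    # Constructed sample: client 10.0.0.5 talks to FTP server 192.0.2.10.
    ct = ConntrackTables()
    control = {"src": "10.0.0.5", "dst": "192.0.2.10"}
    print(ct.packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 21))
    print(ct.ftp_helper(control, b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"))
    print(ct.packet("tcp", "10.0.0.5", 40001, "192.0.2.10", 50000))
```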
TheConnectionTrackingExpectHashTable
The connection tracking expect hash table is used to make searching the connection
tracking expect table faster. There are 1024 eight-byte buckets in the table. Memory
for the connection tracking expect hash table is statically allocated. The size of the
connection tracking expect hash table is not currently configurable.
TuningConnectionTracking
For many installations, the default values of these tables will serve well. For
high-capacity systems where the number of simultaneous connections is potentially
greater than the connection tracking table can hold, the table sizes can be increased.
When considering increasing table sizes, keep the following in mind:
• Each entry in the connection tracking table and the connection tracking expect
table is approximately 300 bytes. This memory is dynamically allocated as
required. At the same time, each bucket in the connection tracking hash table is
eight bytes. This memory is statically allocated. For reasonable lookup speed,
keep approximately one bucket in the connection tracking hash table for every
eight entries in the connection tracking table.
• For better look-up performance, increase the size of the connection tracking hash
table with respect to the connection tracking table. It does not make sense to
bring the ratio for the size of these two tables closer than 1:1 (for example, if the
connection tracking table is set to 65,536 then the maximum hash table size
should not be greater than 65,536 as well).
Chapter1:ConnectionTracking ConnectionTrackingOverview

5
ConnectionManagement 6.5R1v01 Vyatta
• The maximum advisable table size is 2^20 (1,048,576) entries. Table memory is
allocated from kernel memory space, which will not exceed 1 GB regardless of how
much memory is installed. If the system has 1 GB of memory or less, size the
connection tracking table so that its worst case (every entry allocated) cannot
exceed physical memory.
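A small sizing check, added here as an example and not part of the Vyatta guide, that applies the three rules above: it derives a hash size from the one-bucket-per-eight-entries guidance, flags ratios closer than 1:1 or worse than 1:8, and compares the worst-case footprint (every entry in both tables allocated, plus the static hash table) with the 1 GB kernel limit or the physical memory you pass in. The 300-byte entry and 8-byte bucket figures are the approximations given in the text, and the 4096 expect-table default is the firewall-enabled value from the previous section.

```python
"""Sanity-check connection tracking table sizes against the guidance in
"Tuning Connection Tracking". Added example, not part of the Vyatta
documentation; every constant below is taken from the text above."""
from typing import List, Optional, Tuple

ENTRY_BYTES = 300          # approximate size of a conntrack or expect-table entry
BUCKET_BYTES = 8           # size of one hash bucket, statically allocated
MAX_ADVISABLE = 1 << 20    # 2^20 entries, the maximum advisable table size
KERNEL_CAP = 1 << 30       # kernel memory for these tables never exceeds 1 GB


def recommended_hash_size(table_size: int) -> int:
    """One hash bucket for every eight entries, as the text recommends."""
    return max(1, table_size // 8)


def check_sizing(table_size: int, hash_size: int, expect_table_size: int = 4096,
                 physical_ram: Optional[int] = None) -> Tuple[int, List[str]]:
    """Return (worst-case bytes, warnings).

    Worst case assumes every slot in the conntrack and expect tables is
    allocated; the hash table costs its full size regardless because it is static.
    """
    warnings: List[str] = []
    if table_size > MAX_ADVISABLE:
        warnings.append(f"table-size {table_size} exceeds the advisable maximum {MAX_ADVISABLE}")
    if hash_size > table_size:
        warnings.append("hash-size larger than table-size: a ratio closer than 1:1 buys nothing")
    elif hash_size * 8 < table_size:
        warnings.append("fewer than one bucket per eight entries: expect slower lookups")
    total = (table_size + expect_table_size) * ENTRY_BYTES + hash_size * BUCKET_BYTES
    budget = KERNEL_CAP if physical_ram is None else min(KERNEL_CAP, physical_ram)
    if total > budget:
        warnings.append(f"worst case {total} bytes exceeds the {budget}-byte budget")
    return total, warnings


if __name__ == "__main__":
    size = 1 << 20
    total, warns = check_sizing(size, recommended_hash_size(size))
    print(f"table-size {size}, hash-size {recommended_hash_size(size)}: "
          f"{total / 2**20:.0f} MiB worst case, warnings: {warns or 'none'}")
```

Run it before changing system conntrack table-size and hash-size. With table-size 1048576 and hash-size 131072 the worst case is roughly 302 MiB, which fits under the kernel cap but not on a box with 256 MiB of memory.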
SettingTime‐OutsforConnections
The Vyatta system supports setting timeouts for connections according to the
connection type. You can set timeout values for generic connections, for ICMP
connections, for UDP connections (stream and other), and for TCP connections in
each of their states. Define timeout values for connection types by using the
system conntrack timeout icmp, system conntrack timeout tcp, system conntrack
timeout udp, or system conntrack timeout other command.
You can also define custom timeout values to apply to a specific subset of
connections, based on a packet and flow selector. To do this, you create a rule
defining the packet and flow selector, using the system conntrack timeout custom
command.
The selector for custom timeouts is a 5-tuple consisting of source address and port,
destination address and port, and protocol. The options available for protocols
within a custom timeout rule (for example, TCP states) are the same as those
available for general connection type timeouts. Note that for packets matching a
custom timeout rule, the custom timeout overrides any timeout set for the general
connection type.
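The following configuration, added here as an illustration and not taken from the Vyatta guide, shows general per-type timeouts alongside one custom rule that overrides them for a single flow. The rule number, the addresses (RFC 5737 documentation space) and the timeout values are arbitrary; the state and selector sub-keywords (established, time-wait, stream, other, rule, source address, destination address, destination port, protocol tcp) are those of the command reference later in this guide, outside this excerpt, so confirm them with tab completion on your release before relying on them.

```text
# General timeouts, in seconds, per connection type
set system conntrack timeout tcp established 3600
set system conntrack timeout tcp time-wait 30
set system conntrack timeout udp stream 180
set system conntrack timeout udp other 30
set system conntrack timeout icmp 30
set system conntrack timeout other 600

# Custom rule: 5-tuple selector (source address, destination address and port,
# protocol). For matching packets this value replaces the general TCP
# established timeout above; the other TCP states keep the general values.
set system conntrack timeout custom rule 10 source address 192.0.2.10
set system conntrack timeout custom rule 10 destination address 192.0.2.20
set system conntrack timeout custom rule 10 destination port 22
set system conntrack timeout custom rule 10 protocol tcp established 86400
commit
```

Keeping the general UDP and other timeouts short limits how long a burst of unsolicited packets occupies table entries, while the custom rule keeps one long-lived management session from being expired out of the table between keepalives.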
Chapter1:ConnectionTracking ConnectionTrackingCommands
6
ConnectionManagement 6.5R1v01 Vyatta
ConnectionTrackingCommands
ConfigurationCommands
systemconntrackexpect‐table‐size<size> Setsthemaximumsizeoftheconnectiontrackingexpecttable.

systemconntrackhash‐size<size> Setsthesizeofthehashtableassociatedwiththeconnection
trackingtable.
systemconntracklogicmp SpecifiesICMPconnectioneventstobelogged.
systemconntracklogother Specifiesconnectioneventstobelog gedfor
protocolsotherthan
TCP,UDP,orICMP.
systemconntracklogtcp SpecifiesTCPconnectioneventstobelog ged.
systemconntracklogudp SpecifiesUDPconnectioneventstobelogged.
systemconntrackmodulesftp SetsoptionsassociatedwithtrackingtrafficrelatedtoFTP 
connections.
systemconntrackmodulesgre SetsoptionsassociatedwithtrackingtrafficrelatedtoGRE
connections.
systemconntrackmodulesh323 SetsoptionsassociatedwithtrackingtrafficrelatedtoH.323
connections.
systemconntrackmodulesnfs SetsoptionsassociatedwithtrackingtrafficrelatedtoNFS
connections.
systemconntrackmodulespptp SetsoptionsassociatedwithtrackingtrafficrelatedtoPPTP
connections.
systemconntrackmodulessip SetsoptionsassociatedwithtrackingtrafficrelatedtoSIP
connections.
system
conntrackmodulessqlnet SetsoptionsassociatedwithtrackingtrafficrelatedtoSQL*Net
connections.
systemconntrackmodulestftp SetsoptionsassociatedwithtrackingtrafficrelatedtoTFTP
connections.
systemconntracktable‐size<size> Setsthemaximumsizeoftheconnectiontrackingtable.
systemconntracktcploose<state> Specifieswhetherpreviouslyestablishedconnectionsaretobe
trackedfor
statefultrafficfiltering.
systemconntracktimeoutcustom Definesatimeoutvalueforsetsofconnectionsselectedaccording

tosource,destination,andprotocol.
Chapter1:ConnectionTracking ConnectionTrackingCommands
7
ConnectionManagement 6.5R1v01 Vyatta
systemconntracktimeouticmp DefinesatimeoutvalueforICMPconnections.
systemconntracktimeoutother Definesatimeoutvalueforconnectionsthatuseprotocolsother
thanICMP,TCP,orUDP.
systemconntracktimeouttcp DefinesatimeoutvalueforTCPconnections.
systemconntracktimeoutudp DefinesatimeoutvalueforUDPconnections.
OperationalCommands
deleteconntracktable Deletesconnectiontrackingtableentries.
resetconntrack Completelyflushestheconnectiontrackingtable.
showconntracktable Displaysconnectiontrackingtableentries.
Chapter1:ConnectionTracking ConnectionTrackingCommands
8
ConnectionManagement 6.5R1v01 Vyatta
deleteconntracktable
Deletes connection tracking table entries.
Syntax
delete conntrack table {ipv4 | ipv6} [source src-addr [destination dst-addr]] [quiet]
CommandMode
Operational mode.
Parameters
ipv4 Delete IPv4 conntrack table entries. Either ipv4 or ipv6 must be
specified.
ipv6 Delete IPv6 conntrack table entries. Either ipv4 or ipv6 must be
specified.
src-addr Delete conntrack entries whose source address matches this
address.
If ipv4 is specified, the format is an IPv4 address, or 0.0.0.0 or the
keyword any to represent any address. A port can be specified after
the address using “:” followed by the port number. For example,
“192.168.1.48:22” represents port 22 on IPv4 address
192.168.1.48.
If ipv6 is specified, the format is an IPv6 address, or 0::0 or the
keyword any to represent any address. A port can be specified after
the address using “:” followed by the port number. For example,
“[2001:db8:2::2]:22” represents port 22 on IPv6 address
2001:db8:2::2. Note that square brackets are required around the
IPv6 address (or the keyword any) if a port is specified.
Chapter1:ConnectionTracking ConnectionTrackingCommands
9
ConnectionManagement 6.5R1v01 Vyatta
Default
All IPv4 or IPv6 conntrack table entries are deleted. If a port number is specified,
entries that use UDP or TCP protocols can be deleted. If no port is specified, then all
protocol types can be deleted.
UsageGuidelines
Use this command to delete connection entries from the connection tracking table.
Deleting a connection tracking entry does not prevent a new connection between the
same source and destination from being created. If system conntrack tcp loose
<state> is set to enable (as it is by default), any subsequent data passed between the
source and the destination will create a new entry in the connection tracking table.
If it is set to disable, then subsequent data passed between the source and destination
will be in the INVALID state until a proper TCP three-way handshake establishes a
new connection. A firewall rule that drops traffic in the INVALID state can stop this
traffic. If you wish to permanently prevent connections between a given source and
destination, you must create an explicit firewall rule to do this.
dst-addr Delete conntrack entries whose destination address matches this
address.

If ipv4 is specified, the format is an IPv4 address, or 0.0.0.0 or the
keyword any to represent any address. A port can be specified after
the address using “:” followed by the port number. For example,
“192.168.1.48:22” represents port 22 on IPv4 address
192.168.1.48.
If ipv6 is specified, the format is an IPv6 address, or 0::0 or the
keyword any to represent any address. A port can be specified after
the address using “:” followed by the port number. For example,
“[2001:db8:2::2]:22” represents port 22 on IPv6 address
2001:db8:2::2. Note that square brackets are required around the
IPv6 address if a port is specified.
quiet Do not print log messages to the console or to the system log.
Instead, create a single log entry that displays the parameters used
in the delete conntrack table command. It is typically used when
removing a large number of conntrack entries at once as it prevents
a potential flood of log messages.
Chapter1:ConnectionTracking ConnectionTrackingCommands
10
ConnectionManagement 6.5R1v01 Vyatta
NOTEAllconntracktabledeletionsarelogged.
Examples
Example 1-1 shows the output of the delete conntrack table ipv4 command. In this
case the command deletes all conntrack table entries where the source address is
192.168.1.21.
Example 1-1  “delete conntrack table ipv4” sample output

vyatta@vyatta:~$ delete conntrack table ipv4 source 192.168.1.21
Deleting the following conntrack table entries:
CONNID      Source              Destination        Protocol
3427168752  192.168.1.21:52250  192.168.1.81:22    tcp [6]
Chapter1:ConnectionTracking ConnectionTrackingCommands

11
ConnectionManagement 6.5R1v01 Vyatta
resetconntrack
Completely flushes the connection tracking table.
Syntax
reset conntrack
CommandMode
Operational mode.
Parameters
None.
Default
None.
UsageGuidelines
Use this command to flush all connections currently being tracked in the connection
tracking table.
Chapter1:ConnectionTracking ConnectionTrackingCommands
12
ConnectionManagement 6.5R1v01 Vyatta
showconntracktable
Displays connection tracking table entries.
Syntax
show conntrack table {ipv4 | ipv6} [source src-addr [destination dst-addr]]
CommandMode
Operational mode.
Parameters
ipv4 Display IPv4 conntrack table entries. Either ipv4 or ipv6 must be
specified.
ipv6 Display IPv6 conntrack table entries. Either ipv4 or ipv6 must be
specified.
src-addr Conntrack entries whose source address matches this address are
to be displayed.
If ipv4 is specified, the format is an IPv4 address, or 0.0.0.0 or the
keyword any to represent any address. A port can be specified after
the address using “:” followed by the port number. For example,
“192.168.1.48:22” represents port 22 on IPv4 address
192.168.1.48.
If ipv6 is specified, the format is an IPv6 address, or 0::0 or the
keyword any to represent any address. A port can be specified after
the address using “:” followed by the port number. For example,
“[2001:db8:2::2]:22” represents port 22 on IPv6 address
2001:db8:2::2. Note that square brackets are required around the
IPv6 address (or the keyword any) if a port is specified.
Chapter1:ConnectionTracking ConnectionTrackingCommands
13
ConnectionManagement 6.5R1v01 Vyatta
Default
All IPv4 or IPv6 conntrack table entries are displayed. If a port number is specified,
entries that use UDP or TCP protocols can be shown. If no port is specified, then all
protocol types can be shown.
UsageGuidelines
Use this command to display connections currently being tracked in the connection
tracking table. Before connection tracking table entries can be displayed, one of the
following system components must be configured: Firewall (stateful), NAT, Web
Filtering, Web Caching, or WAN Load Balancing.
Examples
Example 1-2 shows the output of the show conntrack table ipv4 command. In this
case the command displays all connections where the destination port is 22. The
source and destination addresses can be anything.
Example1‐2“showconntracktableipv4”sampleoutput
vyatta@vyatta:~$showconntracktableipv4source0.0.0.0destination

0.0.0.0:22
TCPstatecodes:SS‐SYNSENT,SR‐SYNRECEIVED,ES‐ESTABLISHED,
FW‐FINWAIT,CW‐CLOSEWAIT,LA‐LASTACK,
TW‐TIMEWAIT,CLOSE‐CL,LISTEN‐LI
CONNID Source Destination Protocol TIMEOUT
3818626200 192.168.74.1:1140 192.168.74.128:22 tcp[6] ES 429809
3818625704 192.168.74.1:1145 192.168.74.200:22 tcp[6] ES 431878
dst-addr Conntrack entries whose destination address matches this address
are to be displayed.
If ipv4 is specified, the format is an IPv4 address, or 0.0.0.0 or the
keyword any to represent any address. A port can be specified after
the address using “:” followed by the port number. For example,
“192.168.1.48:22” represents port 22 on IPv4 address
192.168.1.48.
If ipv6 is specified, the format is an IPv6 address, or 0::0 or the
keyword any to represent any address. A port can be specified after
the address using “:” followed by the port number. For example,
“[2001:db8:2::2]:22” represents port 22 on IPv6 address
2001:db8:2::2. Note that square brackets are required around the
IPv6 address if a port is specified.
Chapter1:ConnectionTracking ConnectionTrackingCommands
14
ConnectionManagement 6.5R1v01 Vyatta
3818624216 10.3.0.182:1151 10.3.0.15:22 tcp[6] TW 90
Example 1-3 shows the output of the show conntrack table ipv6 command. In this
case the command displays all connections where the destination port is 22. The
source and destination addresses can be anything.
Example1‐3“showconntracktableipv6”sampleoutput
vyatta@vyatta:~$showconntracktableipv6source0:0:0:0:0:0:0:0destination
[0:0:0:0:0:0:0:0]:22

CONNID Source Destination Protocol
3818626200 [10FB:0:0:0:C:ABC:1F0C:44DA]:1140 [10FB:0:0:0:C:ABC:1F0C:45AD]:22 tcp[6]
3818672537 [10FB:0:0:0:C:ABC:1F0C:55CB]:2020 [2001:cdba:0:0:0:0:3257:9652]:22 tcp[6]
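The selector syntax described under src-addr and dst-addr for show conntrack table and delete conntrack table, and the rule in their Default sections that a port limits matches to TCP and UDP, are easy to get wrong when cleaning up a large table. The script below, added as an example and not part of the Vyatta guide, parses the table layout of Examples 1-2 and 1-3 into records, applies those selector rules, and emits one delete conntrack table command per matching entry, pinned to the entry's full source and destination. The two sample tables are constructed for the example (the IPv4 one adds a UDP and an ICMP row to the rows of Example 1-2); real output may differ in column spacing, which the row pattern tolerates.

```python
"""Parse `show conntrack table` output and apply the source/destination selector
syntax that `show conntrack table` and `delete conntrack table` accept.
Added example, not Vyatta code. The two sample tables are constructed in the
layout of Examples 1-2 and 1-3 (UDP and ICMP rows added to the IPv4 one)."""
import ipaddress
import re
from collections import namedtuple
from typing import List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
# state is the TCP state code from the TIMEOUT column; empty for other protocols
Entry = namedtuple("Entry", "conn_id src sport dst dport proto state")
_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([a-z]+)\s*\[\d+\]\s*(.*)$")

SAMPLE_IPV4 = """\
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
                 TW - TIME WAIT, CLOSE - CL, LISTEN - LI
CONNID      Source              Destination         Protocol  TIMEOUT
3818626200  192.168.74.1:1140   192.168.74.128:22   tcp [6]   ES 429809
3818625704  192.168.74.1:1145   192.168.74.200:22   tcp [6]   ES 431878
3818624216  10.3.0.182:1151     10.3.0.15:22        tcp [6]   TW 90
3818624300  10.3.0.182:40211    10.3.0.15:53        udp [17]  170
3818624555  10.3.0.182          10.3.0.15           icmp [1]  29
"""
SAMPLE_IPV6 = """\
CONNID      Source                             Destination                        Protocol
3818626200  [10FB:0:0:0:C:ABC:1F0C:44DA]:1140  [10FB:0:0:0:C:ABC:1F0C:45AD]:22    tcp [6]
3818672537  [10FB:0:0:0:C:ABC:1F0C:55CB]:2020  [2001:cdba:0:0:0:0:3257:9652]:22   tcp [6]
"""


def parse_endpoint(text: str) -> Tuple[Optional[IPAddr], Optional[int]]:
    """'addr', 'addr:port', '[v6addr]:port' or a wildcard; the address is None
    for the wildcards the commands accept: any, 0.0.0.0 and 0::0."""
    port: Optional[int] = None
    if text.startswith("["):                 # bracketed IPv6 or [any], then a port
        addr_part, _, rest = text[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else None
    elif text.count(":") == 1:               # IPv4 or any, then a port
        addr_part, _, port_txt = text.partition(":")
        port = int(port_txt)
    else:                                    # bare IPv4 or bare IPv6
        addr_part = text
    if addr_part == "any":
        return None, port
    addr = ipaddress.ip_address(addr_part)
    return (None if int(addr) == 0 else addr), port


def parse_table(text: str) -> List[Entry]:
    """Rows become Entry records; the legend and header lines do not match _ROW."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        conn_id, src_txt, dst_txt, proto, rest = m.groups()
        src, sport = parse_endpoint(src_txt)
        dst, dport = parse_endpoint(dst_txt)
        if src is None or dst is None:
            raise ValueError(f"row without a concrete address: {line!r}")
        state = rest.split()[0] if proto == "tcp" and rest.split() else ""
        entries.append(Entry(int(conn_id), src, sport, dst, dport, proto, state))
    return entries


def matches(entry: Entry, source: str, destination: str) -> bool:
    """Selector rules from the reference: a wildcard address matches anything,
    and giving a port limits the match to TCP and UDP entries."""
    for sel, addr, port in ((source, entry.src, entry.sport),
                            (destination, entry.dst, entry.dport)):
        sel_addr, sel_port = parse_endpoint(sel)
        if sel_addr is not None and sel_addr != addr:
            return False
        if sel_port is not None and (entry.proto not in ("tcp", "udp") or port != sel_port):
            return False
    return True


def select(text: str, source: str = "any", destination: str = "any") -> List[Entry]:
    return [e for e in parse_table(text) if matches(e, source, destination)]


def endpoint_arg(addr: IPAddr, port: Optional[int]) -> str:
    """Render an endpoint as the commands expect it: IPv6 needs brackets with a port."""
    if port is None:
        return str(addr)
    return f"[{addr}]:{port}" if addr.version == 6 else f"{addr}:{port}"


def delete_commands(text: str, source: str = "any", destination: str = "any") -> List[str]:
    """One delete conntrack table command per matching entry, pinned to the entry's
    full source and destination so that nothing else between the hosts is swept up."""
    return [f"delete conntrack table ipv{e.src.version} source {endpoint_arg(e.src, e.sport)}"
            f" destination {endpoint_arg(e.dst, e.dport)}"
            for e in select(text, source, destination)]


if __name__ == "__main__":
    print("\n".join(delete_commands(SAMPLE_IPV4, "10.3.0.182", "any:22")))
```

Paste real output in place of the samples. For ICMP and other port-less entries the generated command names only the two addresses, so it also removes any other flows between that pair; review the list before running it, and add quiet when it is long.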
