The following flags describe the state of the tracking:

0x01: new
This is the beginning of a new connection. This flag may
only be present for uncommitted connections.

0x02: est
This is part of an already existing connection. This flag
may only be present for committed connections.

0x04: rel
This is a connection that is related to an existing
connection, for instance ICMP "destination unreachable"
messages or FTP data connections. This flag may only be
present for committed connections.

0x08: rpl
The flow is in the reply direction, meaning it did not
initiate the connection. This flag may only be present
for committed connections.

0x10: inv
The state is invalid, meaning that the connection tracker
couldn't identify the connection. This flag is a catch-all
for any problems that the connection tracker may
have, for example:

- L3/L4 protocol handler is not loaded/unavailable. With
the Linux kernel datapath, this may mean that the
"nf_conntrack_ipv4" or "nf_conntrack_ipv6" modules are
not loaded.

- L3/L4 protocol handler determines that the packet is
malformed.

- Packets are of unexpected length for the protocol.

0x20: trk
This packet is tracked, meaning that it has previously
traversed the connection tracker. If this flag is not
set, then no other flags will be set. If this flag is
set, then the packet is tracked and other flags may also
be set.

0x40: snat
This packet was transformed by source address/port
translation by a preceding ct action.

0x80: dnat
This packet was transformed by destination address/port
translation by a preceding ct action.

Connection State Machine: http://www.iptables.info/en/connection-state.html
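
The following is an added example, not part of the original manual text: a small Python decoder that turns a raw ct_state value into the flag names listed above and checks it against two rules stated above (no other flag without trk; new is for uncommitted and est for committed connections, so they cannot both be set). The function names and the sample values are constructed for illustration.

```python
# Added example: decode a ct_state bitmask using the flag values listed above.
CT_FLAGS = {
    0x01: "new", 0x02: "est", 0x04: "rel", 0x08: "rpl",
    0x10: "inv", 0x20: "trk", 0x40: "snat", 0x80: "dnat",
}
NEW, EST, TRK = 0x01, 0x02, 0x20
KNOWN_MASK = 0xFF  # all eight bits documented above


def decode_ct_state(value):
    """Return the names of the documented flags set in value, lowest bit first."""
    return [name for bit, name in sorted(CT_FLAGS.items()) if value & bit]


def check_ct_state(value):
    """Return a list of inconsistencies; an empty list means none were found."""
    problems = []
    unknown = value & ~KNOWN_MASK
    if unknown:
        problems.append(f"undocumented bits set: 0x{unknown:x}")
    # "If this flag [trk] is not set, then no other flags will be set."
    others = value & KNOWN_MASK & ~TRK
    if others and not value & TRK:
        names = "+".join(decode_ct_state(others))
        problems.append(f"{names} set without trk")
    # new: uncommitted connections only; est: committed connections only.
    if value & NEW and value & EST:
        problems.append("new and est set together")
    return problems


def describe(value):
    """One-line summary suitable for reviewing flow dumps or logs."""
    names = "+".join(decode_ct_state(value)) or "(untracked)"
    problems = check_ct_state(value)
    verdict = "ok" if not problems else "INCONSISTENT: " + "; ".join(problems)
    return f"0x{value:02x} {names} -> {verdict}"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real datapath.
    for sample in (0x00, 0x21, 0x22, 0x2A, 0x30, 0x62, 0x02, 0x23):
        print(describe(sample))
```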