summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2012-02-29 03:33:44 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2012-02-29 03:33:44 +0100
commiteb9385b594bbd463fdc0704c33ca88e4d2e4cbb1 (patch)
treeaa7db40bdcdad39f4a96fc5eccbc60a995b0154f
parentf3d2a5ee1af6fc4e548f02e4bc4e143d7d0c8d90 (diff)
add README file
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--README57
1 files changed, 57 insertions, 0 deletions
diff --git a/README b/README
new file mode 100644
index 0000000..5112fd5
--- /dev/null
+++ b/README
@@ -0,0 +1,57 @@
+= cttimeout: timeout policy tuning for Netfilter/conntrack =
+
+This infrastructure allows you to define fine-grain timeout
+policies per flow. Basically, from user-space, you can create
+timeout policy objects via nfct_timeout_alloc(), set the
+policy attributes, via nfct_timeout_*_attr_set(), and then
+build the ctnetlink message to communicate this new timeout
+policy to the kernel.
+
+ctnetlink keeps a list of existing policies that are identified
+by one name. Timeout policies can be attached to flows via the
+iptables CT target.
+
+This is useful in case you want to reduce the timeout of TCP
+Established state to 3000 seconds instead of default 432000
+seconds for certain flows. The infrastructure allows fine
+tuning of all existing protocol trackers and even modifying
+the timeout for several states for one given protocol.
+
+This new infrastructure uses libmnl, thus, libnetfilter_conntrack
+remains in intermediate state, meaning that it depends on
+libnfnetlink and libmnl. This should not be a problem since
+we'll require this dual support during the transition to the
+new libnetfilter_conntrack API.
+
+Under examples/ directory, you can find examples on how to
+create new timeout policies, delete them and to retrieve the
+existing list of policies.
+
+1) You can create one dummy timeout policy:
+examples# ./nfct-timeout-add test 2 6
+
+2) You can retrieve the policy that is known by `test':
+
+examples# ./nfct-timeout-get test
+.test = {
+ .l3proto = 2,
+ .l4proto = 6,
+ .policy = {
+ .SYN_SENT = 100,
+ .SYN_RECV = 120,
+ .ESTABLISHED = 60,
+ .FIN_WAIT = 432000,
+ .CLOSE_WAIT = 120,
+ .LAST_ACK = 60,
+ .TIME_WAIT = 30,
+ .CLOSE = 120,
+ .SYN_SENT2 = 10,
+ },
+};
+
+3) You may want to retrieve all timeout policies:
+
+examples# ./nfct-timeout-get
+
+The kernel-space part is planned to be available since Linux
+kernel >= 3.4.0.