From eb9385b594bbd463fdc0704c33ca88e4d2e4cbb1 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 29 Feb 2012 03:33:44 +0100
Subject: add README file

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 README | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 README

(limited to 'README')

diff --git a/README b/README
new file mode 100644
index 0000000..5112fd5
--- /dev/null
+++ b/README
@@ -0,0 +1,57 @@
+= cttimeout: timeout policy tuning for Netfilter/conntrack =
+
+This infrastructure allows you to define fine-grain timeout
+policies per flow. Basically, from user-space, you can create
+timeout policy objects via nfct_timeout_alloc(), set the
+policy attributes, via nfct_timeout_*_attr_set(), and then
+build the ctnetlink message to communicate this new timeout
+policy to the kernel.
+
+ctnetlink keeps a list of existing policies that are identified
+by one name. Timeout policies can be attached to flows via the
+iptables CT target.
+
+This is useful in case you want to reduce the timeout of TCP
+Established state to 3000 seconds instead of default 432000
+seconds for certain flows. The infrastructure allows fine
+tuning of all existing protocol trackers and even modifying
+the timeout for several states for one given protocol.
+
+This new infrastructure uses libmnl, thus, libnetfilter_conntrack
+remains in intermediate state, meaning that it depends on
+libnfnetlink and libmnl. This should not be a problem since
+we'll require this dual support during the transition to the
+new libnetfilter_conntrack API.
+
+Under examples/ directory, you can find examples on how to
+create new timeout policies, delete them and to retrieve the
+existing list of policies.
+
+1) You can create one dummy timeout policy:
+examples# ./nfct-timeout-add test 2 6
+
+2) You can retrieve the policy that is known by `test':
+
+examples# ./nfct-timeout-get test
+.test = {
+        .l3proto = 2,
+        .l4proto = 6,
+        .policy = {
+                .SYN_SENT = 100,
+                .SYN_RECV = 120,
+                .ESTABLISHED = 60,
+                .FIN_WAIT = 432000,
+                .CLOSE_WAIT = 120,
+                .LAST_ACK = 60,
+                .TIME_WAIT = 30,
+                .CLOSE = 120,
+                .SYN_SENT2 = 10,
+        },
+};
+
+3) You may want to retrieve all timeout policies:
+
+examples# ./nfct-timeout-get
+
+The kernel-space part is planned to be available since Linux
+kernel >= 3.4.0.
-- 
cgit v1.2.3