summaryrefslogtreecommitdiffstats
path: root/doc/stateful-objects.txt
diff options
context:
space:
mode:
authorSt├ęphane Veyret <sveyret@gmail.com>2019-07-09 15:02:09 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2019-07-16 21:26:52 +0200
commit1dd08fcfa07a4e5bacc14b4e4a27ed64581f2e41 (patch)
tree71cd776ee6b257d9a0cbefec922165d8c93cbe9b /doc/stateful-objects.txt
parent543e7f405e3dc502ef0a69f0b85a745bdbc998ee (diff)
src: add ct expectations support
This modification allow to directly add/list/delete expectations. Signed-off-by: St├ęphane Veyret <sveyret@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc/stateful-objects.txt')
-rw-r--r--doc/stateful-objects.txt49
1 files changed, 49 insertions, 0 deletions
diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt
index cc1b698d..32a3a5c8 100644
--- a/doc/stateful-objects.txt
+++ b/doc/stateful-objects.txt
@@ -95,6 +95,55 @@ sport=22 dport=41360 [UNREPLIED] src=172.16.19.1 dst=172.16.19.128
sport=41360 dport=22
----------------------------------
+CT EXPECTATION
+~~~~~~~~~~~~~~
+[verse]
+*ct expectation* 'name' *{ protocol* 'protocol' *; dport* 'dport' *; timeout* 'timeout' *; size* 'size' *; [*l3proto* 'family' *;*] *}*
+
+Ct expectation is used to create connection expectations. Expectations are
+assigned with the *ct expectation set* statement. 'protocol', 'dport',
+'timeout' and 'size' are mandatory, l3proto is derived from the table family
+by default.
+
+.conntrack expectation specifications
+[options="header"]
+|=================
+|Keyword | Description | Type
+|protocol |
+layer 4 protocol of the expectation object |
+string (e.g. ip)
+|dport |
+destination port of expected connection |
+unsigned integer
+|timeout |
+timeout value for expectation |
+unsigned integer
+|size |
+size value for expectation |
+unsigned integer
+|l3proto |
+layer 3 protocol of the expectation object |
+address family (e.g. ip)
+|=================
+
+.defining and assigning ct expectation policy
+---------------------------------------------
+table ip filter {
+ ct expectation expect {
+ protocol udp
+ dport 9876
+ timeout 2m
+ size 8
+ l3proto ip
+ }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ ct expectation set "expect"
+ }
+}
+----------------------------------
+
COUNTER
~~~~~~~
[verse]