| author | Stéphane Veyret <sveyret@gmail.com> | 2019-07-09 15:02:09 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-07-16 21:26:52 +0200 |
| commit | 1dd08fcfa07a4e5bacc14b4e4a27ed64581f2e41 (patch) | |
| tree | 71cd776ee6b257d9a0cbefec922165d8c93cbe9b /doc | |
| parent | 543e7f405e3dc502ef0a69f0b85a745bdbc998ee (diff) | |
src: add ct expectations support
This modification allows directly adding/listing/deleting expectations.
Signed-off-by: Stéphane Veyret <sveyret@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc')

| -rw-r--r-- | doc/libnftables-json.adoc | 55 |
|---|---|---|
| -rw-r--r-- | doc/stateful-objects.txt | 49 |

2 files changed, 101 insertions, 3 deletions
diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc index 429f530d..6877f054 100644 --- a/doc/libnftables-json.adoc +++ b/doc/libnftables-json.adoc @@ -23,7 +23,7 @@ libnftables-json - Supported JSON schema by libnftables 'LIST_OBJECT' := 'TABLE' | 'CHAIN' | 'RULE' | 'SET' | 'MAP' | 'ELEMENT' | 'FLOWTABLE' | 'COUNTER' | 'QUOTA' | 'CT_HELPER' | 'LIMIT' | - 'METAINFO_OBJECT' | 'CT_TIMEOUT' + 'METAINFO_OBJECT' | 'CT_TIMEOUT' | 'CT_EXPECTATION' == DESCRIPTION libnftables supports JSON formatted input and output. This is implemented as an @@ -118,7 +118,7 @@ ____ 'ADD_OBJECT' := 'TABLE' | 'CHAIN' | 'RULE' | 'SET' | 'MAP' | 'ELEMENT' | 'FLOWTABLE' | 'COUNTER | QUOTA' | 'CT_HELPER' | 'LIMIT' | - 'CT_TIMEOUT' + 'CT_TIMEOUT' | 'CT_EXPECTATION' ____ Add a new ruleset element to the kernel. @@ -162,7 +162,8 @@ ____ 'LIST_OBJECT' := 'TABLE' | 'TABLES' | 'CHAIN' | 'CHAINS' | 'SET' | 'SETS' | 'MAP' | 'MAPS | COUNTER' | 'COUNTERS' | 'QUOTA' | 'QUOTAS' | 'CT_HELPER' | 'CT_HELPERS' | 'LIMIT' | 'LIMITS | RULESET' | - 'METER' | 'METERS' | 'FLOWTABLES' | 'CT_TIMEOUT' + 'METER' | 'METERS' | 'FLOWTABLES' | 'CT_TIMEOUT' | + 'CT_EXPECTATION' ____ List ruleset elements. The plural forms are used to list all objects of that 
@@ -597,6 +598,45 @@ This object represents a named conntrack timeout policy. *l3proto*:: The ct timeout object's layer 3 protocol, e.g. *"ip"* or *"ip6"*. +=== CT EXPECTATION +[verse] +____ +*{ "ct expectation": { + "family":* 'STRING'*, + "table":* 'STRING'*, + "name":* 'STRING'*, + "handle":* 'NUMBER'*, + "l3proto":* 'STRING' + "protocol":* 'CTH_PROTO'*, + "dport":* 'NUMBER'*, + "timeout:* 'NUMBER'*, + "size:* 'NUMBER'*, +*}}* + +'CTH_PROTO' := *"tcp"* | *"udp"* | *"dccp"* | *"sctp"* | *"gre"* | *"icmpv6"* | *"icmp"* | *"generic"* +____ + +This object represents a named conntrack expectation. + +*family*:: + The table's family. +*table*:: + The table's name. +*name*:: + The ct expectation object's name. +*handle*:: + The ct expectation object's handle. In input, it is used by *delete* command only. +*l3proto*:: + The ct expectation object's layer 3 protocol, e.g. *"ip"* or *"ip6"*. +*protocol*:: + The ct expectation object's layer 4 protocol. +*dport*:: + The destination port of the expected connection. +*timeout*:: + The time in millisecond that this expectation will live. +*size*:: + The maximum count of expectations to be living in the same time. + == STATEMENTS Statements are the building blocks for rules. Each rule consists of at least one. @@ -1004,6 +1044,15 @@ Assign connection tracking timeout policy. *ct timeout*:: CT timeout reference. +=== CT EXPECTATION +[verse] +*{ "ct expectation":* 'EXPRESSION' *}* + +Assign connection tracking expectation. + +*ct expectation*:: + CT expectation reference. + === XT [verse] *{ "xt": null }* diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt index cc1b698d..32a3a5c8 100644 --- a/doc/stateful-objects.txt +++ b/doc/stateful-objects.txt 
@@ -95,6 +95,55 @@ sport=22 dport=41360 [UNREPLIED] src=172.16.19.1 dst=172.16.19.128 sport=41360 dport=22 ---------------------------------- +CT EXPECTATION +~~~~~~~~~~~~~~ +[verse] +*ct expectation* 'name' *{ protocol* 'protocol' *; dport* 'dport' *; timeout* 'timeout' *; size* 'size' *; [*l3proto* 'family' *;*] *}* + +Ct expectation is used to create connection expectations. Expectations are +assigned with the *ct expectation set* statement. 'protocol', 'dport', +'timeout' and 'size' are mandatory, l3proto is derived from the table family +by default. + +.conntrack expectation specifications +[options="header"] +|================= +|Keyword | Description | Type +|protocol | +layer 4 protocol of the expectation object | +string (e.g. ip) +|dport | +destination port of expected connection | +unsigned integer +|timeout | +timeout value for expectation | +unsigned integer +|size | +size value for expectation | +unsigned integer +|l3proto | +layer 3 protocol of the expectation object | +address family (e.g. ip) +|================= + +.defining and assigning ct expectation policy +--------------------------------------------- +table ip filter { + ct expectation expect { + protocol udp + dport 9876 + timeout 2m + size 8 + l3proto ip + } + + chain input { + type filter hook input priority filter; policy accept; + ct expectation set "expect" + } +} +---------------------------------- + COUNTER ~~~~~~~ [verse] |
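Review bot: the LIST_OBJECT grammar in the third libnftables-json.adoc hunk (`@@ -162,7 +162,8 @@`) adds only the singular `'CT_EXPECTATION'`, while the paragraph right below it says the plural forms are used to list all objects of a kind; if `list ct expectations` is supported by the JSON API, add `'CT_EXPECTATIONS'` next to it, otherwise say explicitly that only the singular form exists.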
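Review bot: the CT EXPECTATION schema in the `@@ -597,6 +598,45 @@` hunk has broken key names: `"timeout:* 'NUMBER'*,` and `"size:* 'NUMBER'*,` are missing the closing quote after the key, and `"l3proto":* 'STRING'` lacks the trailing `*,` every other field carries, so the rendered verse does not read as the JSON object it documents; the lines should be `"l3proto":* 'STRING'*,`, `"timeout":* 'NUMBER'*,` and `"size":* 'NUMBER'*`. In the field descriptions, *timeout* should read "in milliseconds", and *size* is clearer as "the maximum number of expectations alive at the same time".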
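Review bot: in the stateful-objects.txt hunk (`@@ -95,6 +95,55 @@`), the synopsis `*; size* 'size' *; [*l3proto* 'family' *;*] *}*` opens a second bold run inside the optional `[...]` group, so `*; [*` closes the bold before `l3proto` and the rendered line will be mangled; a single run per keyword group, e.g. `*; [l3proto* 'family' *;] }*`, avoids that. In the specification table, *protocol* is documented as the layer 4 protocol but its type column says `string (e.g. ip)`; the example should be a layer 4 name such as `udp`, matching the example ruleset below. The *timeout* row lists `unsigned integer` while the example uses `2m`, and the JSON document in this same patch says the value is in milliseconds; state which forms are accepted on the nft side and how they relate. Finally, "size value for expectation" says nothing; reuse the JSON document's wording (maximum number of expectations alive at the same time).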