path: root/doc/stateful-objects.txt
blob: 6de4e8bd023fbe36a45c29f659674c795997ae71 (plain)
CT HELPER
~~~~~~~~~
[verse]
*ct* helper 'helper' {type 'type' protocol 'protocol' ; [l3proto 'family' ;] }

Ct helper is used to define connection tracking helpers that can then be used in
combination with the *ct helper set* statement. 'type' and 'protocol' are
mandatory, l3proto is derived from the table family by default, i.e. in the inet
table the kernel will try to load both the ipv4 and ipv6 helper backends, if
they are supported by the kernel.

.conntrack helper specifications
[options="header"]
|=================
|Keyword | Description | Type
| type |
name of helper type |
quoted string (e.g. "ftp")
|protocol |
layer 4 protocol of the helper |
string (e.g. ip)
|l3proto |
layer 3 protocol of the helper |
address family (e.g. ip)
|=================

Unlike iptables, helper assignment needs to be performed after the conntrack
lookup has completed, for example with the default 0 hook priority.

.defining and assigning ftp helper
----------------------------------
table inet myhelpers {
  ct helper ftp-standard {
     type "ftp" protocol tcp
  }
  chain prerouting {
      type filter hook prerouting priority 0;
      tcp dport 21 ct helper set "ftp-standard"
  }
}
----------------------------------

CT TIMEOUT
~~~~~~~~~~
[verse]
*ct* timeout 'name' {protocol 'protocol' ; policy = {'state': 'value'} ;[l3proto 'family' ;] }

Ct timeout is used to update connection tracking timeout values. Timeout policies are assigned
with the *ct timeout set* statement. 'protocol' and 'policy' are
mandatory, l3proto is derived from the table family by default.

.conntrack timeout specifications
[options="header"]
|=================
|Keyword | Description | Type
| protocol |
layer 4 protocol of the timeout object |
string (e.g. ip)
|state |
connection state name |
string (e.g. "established")
|value |
timeout value for connection state |
unsigned integer
|l3proto |
layer 3 protocol of the timeout object |
address family (e.g. ip)
|=================

.defining and assigning ct timeout policy
----------------------------------
table ip filter {
	ct timeout customtimeout {
		protocol tcp;
		l3proto ip
		policy = { established: 120, close: 20 }
	}

	chain output {
		type filter hook output priority filter; policy accept;
		ct timeout set "customtimeout"
	}
}
----------------------------------

.testing the updated timeout policy
----------------------------------

% conntrack -E

It should display:

[UPDATE] tcp      6 120 ESTABLISHED src=172.16.19.128 dst=172.16.19.1
sport=22 dport=41360 [UNREPLIED] src=172.16.19.1 dst=172.16.19.128
sport=41360 dport=22
----------------------------------

COUNTER
~~~~~~~
[verse]
*counter* [packets bytes]

.Counter specifications
[options="header"]
|=================
|Keyword | Description | Type
|packets |
initial count of packets |
unsigned integer (64 bit)
|bytes |
initial count of bytes |
unsigned integer (64 bit)
|=================

QUOTA
~~~~~
[verse]
*quota* [over | until] [used]

.Quota specifications
[options="header"]
|=================
|Keyword | Description | Type
|quota |
quota limit, used as the quota name |
Two arguments, unsigned integer (64 bit) and string: bytes, kbytes, mbytes.
"over" and "until" go before these arguments
|used |
initial value of used quota |
Two arguments, unsigned integer (64 bit) and string: bytes, kbytes, mbytes
|=================
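Named counter and quota objects are declared in the table body and referenced from rules with *counter name* and *quota name*, in the same way the helper and timeout objects above are referenced with *ct helper set* and *ct timeout set*. The ruleset below is an added example and is not part of the nftables documentation; the table, object and chain names are assumed, and the 500 mbytes limit is a constructed value.

```nft
# Added example: a counter and a quota object, both assigned from rules.
# Load with:   nft -f stateful-demo.nft
# Inspect:     nft list counters ; nft list quotas
table inet stateful_demo {
	# counter object: starts at zero packets and zero bytes (both optional)
	counter http_traffic {
		packets 0 bytes 0
	}

	# quota object: "over" makes the rule match once the limit is exceeded,
	# "used" seeds the already-consumed amount (here nothing consumed yet)
	quota http_daily_limit {
		over 500 mbytes used 0 bytes
	}

	chain input {
		type filter hook input priority filter; policy accept;

		# account every inbound HTTP packet in the named counter
		tcp dport 80 counter name "http_traffic"

		# drop inbound HTTP once the named quota has been exceeded
		tcp dport 80 quota name "http_daily_limit" drop
	}
}
```

Because both objects live in the table rather than in a rule, the same counter or quota can be referenced from several rules and reset independently with *nft reset counters* or *nft reset quotas*.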