From 7276986d8a2d539fde3835e00e217f52f6e595ac Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sat, 26 May 2012 18:02:12 +0200
Subject: add nfct(8) manpage

Signed-off-by: Pablo Neira Ayuso
---
 Makefile.am | 2 +-
 nfct.8 | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 nfct.8

diff --git a/Makefile.am b/Makefile.am
index afb4595..bd366bf 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,7 +2,7 @@ include Make_global.am
 ACLOCAL_AMFLAGS = -I m4
-man_MANS = conntrack.8 conntrackd.8
+man_MANS = conntrack.8 conntrackd.8 nfct.8
 EXTRA_DIST = $(man_MANS) Make_global.am doc m4
 SUBDIRS = extensions src
diff --git a/nfct.8 b/nfct.8
new file mode 100644
index 0000000..6f5190a
--- /dev/null
+++ b/nfct.8
@@ -0,0 +1,64 @@
+.TH NFCT 8 "Feb 29, 2012" "" ""
+
+.\" Man page written by Pablo Neira Ayuso (Feb 2012)
+
+.SH NAME
+nfct \- command line tool to interact with the connection tracking system
+.SH SYNOPSIS
+.BR "nfct subsystem command [parameters]"
+.SH DESCRIPTION
+.B nfct
+is the command line tool that allows you Netfilter's manipulate Connection Tracking System.
+.SH SUBSYS
+By the time this manpage has been written, the supported subsystem are
+.B timeout
+.TP
+.BI "timeout "
+The timeout subsystem allows you to define fine-grain timeout policies.
+.TP
+.BI "version "
+Displays the version information.
+.TP
+.BI "help "
+Displays the help message.
+.SH TIMEOUT SUBSYSTEM
+.TP
+.BI "list "
+List the existing timeout policies.
+.TP
+.BI "add "
+Add new timeout policy.
+.TP
+.BI "delete "
+Delete timeout policy.
+.TP
+.BI "get "
+Get existing timeout policy.
+.SH EXAMPLE
+.TP
+.B nfct timeout add test-tcp inet tcp established 100 close 10 close_wait 10
+.TP
+This creates a timeout policy for tcp using 100 seconds for the ESTABLISHED state, 10 seconds for CLOSE state and 10 seconds for the CLOSE_WAIT state.
+.TP
+Then, you can attach the timeout policy with the iptables CT target:
+.TP
+.B iptables -I PREROUTING -t raw -p tcp -j CT --timeout test-tcp
+.TP
+.B iptables -I OUTPUT -t raw -p tcp -j CT --timeout test-tcp
+.TP
+You can test that the timeout policy with:
+.TP
+.B conntrack -E -p tcp
+.TP
+It should display:
+.TP
+.B [UPDATE] tcp 6 100 ESTABLISHED src=192.168.39.100 dst=57.126.1.20 sport=56463 dport=80 src=57.126.1.20 dst=192.168.39.100 sport=80 dport=56463 [ASSURED]
+.SH SEE ALSO
+.BR iptables (8), conntrack (8)
+.SH BUGS
+Please, report them to netfilter-devel@vger.kernel.org or file a bug in
+Netfilter's bugzilla (https://bugzilla.netfilter.org).
+.SH AUTHORS
+Pablo Neira Ayuso wrote and maintains the nfct tool.
+.PP
+Man page written by Pablo Neira Ayuso .
-- 
cgit v1.2.3