.TH NFCT 8 "Feb 29, 2012" "" ""

.\" Man page written by Pablo Neira Ayuso <pablo@netfilter.org> (Feb 2012)

.SH NAME
nfct \- command line tool to configure with the connection tracking system
.SH SYNOPSIS
.BR "nfct command subsystem [parameters]"
.SH DESCRIPTION
.B nfct
is the command line tool that allows to configure the Connection Tracking
System.
.SH COMMANDS
.TP
.BI "list "
List the existing objects.
.TP
.BI "add "
Add new object.
.TP
.BI "delete "
Delete an object.
.TP
.BI "get "
Get an existing object.
.SH SUBSYS
By the time this manpage has been written, the supported subsystem are
.B timeout
.TP
.BI "timeout "
The timeout subsystem allows you to define fine-grain timeout policies.
.TP
.BI "helper "
The helper subsystem allows you to configure userspace helpers.
.TP
.BI "version "
Displays the version information.
.TP
.BI "help "
Displays the help message.
.SH EXAMPLE
.TP
.B nfct add timeout test-tcp inet tcp established 100 close 10 close_wait 10
.TP
This creates a timeout policy for tcp using 100 seconds for the ESTABLISHED state, 10 seconds for CLOSE state and 10 seconds for the CLOSE_WAIT state.
.TP
Then, you can attach the timeout policy with the iptables CT target:
.TP
.B iptables -I PREROUTING -t raw -p tcp -j CT --timeout test-tcp
.TP
.B iptables -I OUTPUT -t raw -p tcp -j CT --timeout test-tcp
.TP
You can test that the timeout policy with:
.TP
.B conntrack -E -p tcp
.TP
It should display:
.TP
.B [UPDATE] tcp      6 100 ESTABLISHED src=192.168.39.100 dst=57.126.1.20 sport=56463 dport=80 src=57.126.1.20 dst=192.168.39.100 sport=80 dport=56463 [ASSURED]
.SH SEE ALSO
.BR iptables (8), conntrack (8)
.SH BUGS
Please, report them to netfilter-devel@vger.kernel.org or file a bug in
Netfilter's bugzilla (https://bugzilla.netfilter.org).
.SH AUTHORS
Pablo Neira Ayuso wrote and maintains the nfct tool.
.PP
Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.