libxt_CT: add --timeout option

This patch adds the --timeout option to allow to attach timeout policy objects to flows, eg. iptables -I PREROUTING -t raw -s 1.1.1.1 -p tcp \ -j CT --timeout custom-tcp-policy You need the nfct(8) tool which is available at: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=nfct.git To define the cttimeout policies. Example of usage: nfct timeout add custom-tcp-policy inet tcp established 1000 The new nfct tool also requires libnetfilter_cttimeout: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_cttimeout.git Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2012-02-29 13:48:36 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2012-04-02 13:37:49 +0200
commit: e8f32983048d6aa4a908b6a92da55fa71c859623 (patch)
tree: 7e3240694e7a06115f68fb04e61efd6038c0e62b /extensions/libxt_CT.man
parent: c4a6b0d437b02458fb3cb827b694fd94b3fbe044 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/extensions/libxt_CT.man b/extensions/libxt_CT.man
index ff258b79..a93eb149 100644
--- a/extensions/libxt_CT.man
+++ b/extensions/libxt_CT.man
@@ -23,3 +23,8 @@ Possible event types are: \fBnew\fP.
 \fB\-\-zone\fP \fIid\fP
 Assign this packet to zone \fIid\fP and only have lookups done in that zone.
 By default, packets have zone 0.
+.TP
+\fB\-\-timeout\fP \fIname\fP
+Use the timeout policy identified by \fIname\fP for the connection. This is
+provides more flexible timeout policy definition than global timeout values
+available at /proc/sys/net/netfilter/nf_conntrack_*_timeout_*.
author	Pablo Neira Ayuso <pablo@netfilter.org>	2012-02-29 13:48:36 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2012-04-02 13:37:49 +0200
commit	e8f32983048d6aa4a908b6a92da55fa71c859623 (patch)
tree	7e3240694e7a06115f68fb04e61efd6038c0e62b /extensions/libxt_CT.man
parent	c4a6b0d437b02458fb3cb827b694fd94b3fbe044 (diff)