author | Harsha Sharma <harshasharmaiitr@gmail.com> | 2018-10-18 23:42:20 +0530 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-10-18 20:22:01 +0200 |
commit | 82dac4fd156d541ec4e72331d628549cba874eeb (patch) | |
tree | b502f63a33da4b9b0fb0db1257ce312c2c3e6f95 /doc/libnftables-json.adoc | |
parent | 6340734d7034d2424d3a5e34c3042c97a63b8b2d (diff) |
doc: Document ct timeout support
Add documentation for creating ct timeout objects and assigning timeout
policies via rules.
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc/libnftables-json.adoc')
-rw-r--r-- | doc/libnftables-json.adoc | 52 |
1 files changed, 49 insertions, 3 deletions
diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc index 59bac17f..98303b35 100644 --- a/doc/libnftables-json.adoc +++ b/doc/libnftables-json.adoc @@ -23,7 +23,7 @@ libnftables-json - Supported JSON schema by libnftables 'LIST_OBJECT' := 'TABLE' | 'CHAIN' | 'RULE' | 'SET' | 'MAP' | 'ELEMENT' | 'FLOWTABLE' | 'COUNTER' | 'QUOTA' | 'CT_HELPER' | 'LIMIT' | - 'METAINFO_OBJECT' + 'METAINFO_OBJECT' | 'CT_TIMEOUT' == DESCRIPTION libnftables supports JSON formatted input and output. This is implemented as an @@ -117,7 +117,8 @@ ____ *{ "add":* 'ADD_OBJECT' *}* 'ADD_OBJECT' := 'TABLE' | 'CHAIN' | 'RULE' | 'SET' | 'MAP' | 'ELEMENT' | - 'FLOWTABLE' | 'COUNTER | QUOTA' | 'CT_HELPER' | 'LIMIT' + 'FLOWTABLE' | 'COUNTER | QUOTA' | 'CT_HELPER' | 'LIMIT' | + 'CT_TIMEOUT' ____ Add a new ruleset element to the kernel. @@ -161,7 +162,7 @@ ____ 'LIST_OBJECT' := 'TABLE' | 'TABLES' | 'CHAIN' | 'CHAINS' | 'SET' | 'SETS' | 'MAP' | 'MAPS | COUNTER' | 'COUNTERS' | 'QUOTA' | 'QUOTAS' | 'CT_HELPER' | 'CT_HELPERS' | 'LIMIT' | 'LIMITS | RULESET' | - 'METER' | 'METERS' | 'FLOWTABLES' + 'METER' | 'METERS' | 'FLOWTABLES' | 'CT_TIMEOUT' ____ List ruleset elements. The plural forms are used to list all objects of that 
@@ -559,6 +560,42 @@ This object represents a named limit. *inv*:: If true, match if limit was exceeded. If omitted, defaults to *false*. +=== CT TIMEOUT +[verse] +____ +*{ "ct timeout": { + "family":* 'STRING'*, + "table":* 'STRING'*, + "name":* 'STRING'*, + "handle":* 'NUMBER'*, + "protocol":* 'CTH_PROTO'*, + "state":* 'STRING'*, + "value:* 'NUMBER'*, + "l3proto":* 'STRING' +*}}* + +'CTH_PROTO' := *"tcp"* | *"udp"* | *"dccp"* | *"sctp"* | *"gre"* | *"icmpv6"* | *"icmp"* | *"generic"* +____ + +This object represents a named conntrack timeout policy. + +*family*:: + The table's family. +*table*:: + The table's name. +*name*:: + The ct timeout object's name. +*handle*:: + The ct timeout object's handle. In input, used for *delete* command only. +*protocol*:: + The ct timeout object's layer 4 protocol. +*state*:: + The connection state name, for which timeout value has to be updated, e.g. *"established"*, *"syn_sent"*, *"close"* or *"close_wait"*. +*value*:: + The updated timeout value for specified connection state. +*l3proto*:: + The ct timeout object's layer 3 protocol, e.g. *"ip"* or *"ip6"*. + == STATEMENTS Statements are the building blocks for rules. Each rule consists of at least a single statement. @@ -952,6 +989,15 @@ Limit number of connections using conntrack. If *true*, match if *val* was exceeded. If omitted, defaults to *false*. +=== CT TIMEOUT +[verse] +*{ "ct timeout":* 'EXPRESSION' *}* + +Assign connection tracking timeout policy. + +*ct timeout*:: + CT timeout reference. + == EXPRESSIONS Expressions are the building blocks of (most) statements. In their most basic form, they are just immediate values represented as JSON string, integer or |
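Review bot: in the hunk at @@ -117 the context line `'COUNTER | QUOTA'` quotes two alternatives as a single term, unlike every other entry in the ADD_OBJECT list; since this patch already rewrites the adjacent line to append `'CT_TIMEOUT'`, it would be cheap to correct it to `'COUNTER' | 'QUOTA'` in the same change rather than carrying the mis-quoting forward.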
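Review bot: the hunk at @@ -161 adds `'CT_TIMEOUT'` to the *list* command's LIST_OBJECT alternatives but no `'CT_TIMEOUTS'`, whereas every other object type there has both a singular and a plural form (`'CT_HELPER' | 'CT_HELPERS'`, `'LIMIT' | 'LIMITS'`) and the sentence that follows says the plural forms list all objects of that kind. Either add `'CT_TIMEOUTS'` or state explicitly that ct timeout objects cannot be listed in bulk. The context on the same line also carries pre-existing mis-quoting (`'MAPS | COUNTER'`, `'LIMITS | RULESET'` each fuse two alternatives into one quoted term) that could be fixed while the line is being touched.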
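Review bot: in the CT TIMEOUT object schema (hunk at @@ -559) the line `"value:* 'NUMBER'*,` is missing the closing double quote on the key and should read `"value":* 'NUMBER'*,` to match the neighbouring keys (`"state":*`, `"l3proto":*`). A second point in the same block: the schema admits exactly one `"state"`/`"value"` pair per object, yet the description calls the object a timeout policy and names several states (`"established"`, `"syn_sent"`, `"close"`, `"close_wait"`). If a single object can carry timeouts for more than one state, the schema and the *state*/*value* descriptions need to show how multiple pairs are expressed; if not, say so, since readers of the nft syntax will expect a per-object policy covering several states. Minor: 'CTH_PROTO' is presumably already defined for the CT HELPER object; if so, reference it rather than restating the alternatives here so the two lists cannot drift apart.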
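Review bot: the CT TIMEOUT statement (hunk at @@ -952) documents `*{ "ct timeout":* 'EXPRESSION' *}*` but the description `*ct timeout*:: CT timeout reference.` never says what the expression must evaluate to; spell out that it is the name of a ct timeout object (the *name* field of the object documented in the CT TIMEOUT section above, given as a JSON string) so readers can connect the statement to the object. Also note that this `[verse]` block lacks the `____` delimiters used by the object block added earlier in this patch; check that it follows the convention of the neighbouring statement sections.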