author | Harsha Sharma <harshasharmaiitr@gmail.com> | 2018-10-18 23:42:20 +0530 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-10-18 20:22:01 +0200 |
commit | 82dac4fd156d541ec4e72331d628549cba874eeb (patch) | |
tree | b502f63a33da4b9b0fb0db1257ce312c2c3e6f95 /doc/stateful-objects.txt | |
parent | 6340734d7034d2424d3a5e34c3042c97a63b8b2d (diff) |
doc: Document ct timeout support
Add documentation for creating ct timeout objects and assigning timeout
policies via rules.
Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'doc/stateful-objects.txt')
-rw-r--r-- | doc/stateful-objects.txt | 59 |
1 files changed, 57 insertions, 2 deletions
diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt index 83a25753..6de4e8bd 100644 --- a/doc/stateful-objects.txt +++ b/doc/stateful-objects.txt @@ -1,5 +1,5 @@ -CT -~~ +CT HELPER +~~~~~~~~~ [verse] *ct* helper 'helper' {type 'type' protocol 'protocol' ; [l3proto 'family' ;] } @@ -40,6 +40,61 @@ table inet myhelpers { } ---------------------------------- +CT TIMEOUT +~~~~~~~~~~ +[verse] +*ct* timeout 'name' {protocol 'protocol' ; policy = {'state': 'value'} ;[l3proto 'family' ;] } + +Ct timeout is used to update connection tracking timeout values.Timeout policies are assigned +with the *ct timeout set* statement. 'protocol' and 'policy' are + mandatory, l3proto is derived from the table family by default. + +.conntrack timeout specifications +[options="header"] +|================= +|Keyword | Description | Type +| protocol | +layer 4 protocol of the timeout object | +string (e.g. ip) +|state | +connection state name | +string (e.g. "established") +|value | +timeout value for connection state | +unsigned integer +|l3proto | +layer 3 protocol of the timeout object | +address family (e.g. ip) +|================= + +.defining and assigning ct timeout policy +---------------------------------- +table ip filter { + ct timeout customtimeout { + protocol tcp; + l3proto ip + policy = { established: 120, close: 20 } + } + + chain output { + type filter hook output priority filter; policy accept; + ct timeout set "customtimeout" + } +} +---------------------------------- + +.testing the updated timeout policy +---------------------------------- + +% conntrack -E + +It should display: + +[UPDATE] tcp 6 120 ESTABLISHED src=172.16.19.128 dst=172.16.19.1 +sport=22 dport=41360 [UNREPLIED] src=172.16.19.1 dst=172.16.19.128 +sport=41360 dport=22 +---------------------------------- + COUNTER ~~~~~~~ [verse] |