From 82dac4fd156d541ec4e72331d628549cba874eeb Mon Sep 17 00:00:00 2001
From: Harsha Sharma
Date: Thu, 18 Oct 2018 23:42:20 +0530
Subject: doc: Document ct timeout support
Add documentation for creating ct timeout objects and assigning timeout policies via rules.
Signed-off-by: Harsha Sharma
Signed-off-by: Pablo Neira Ayuso
---
doc/libnftables-json.adoc | 52 ++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 49 insertions(+), 3 deletions(-)
(limited to 'doc/libnftables-json.adoc')
diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc
index 59bac17f..98303b35 100644
--- a/doc/libnftables-json.adoc
+++ b/doc/libnftables-json.adoc
@@ -23,7 +23,7 @@ libnftables-json - Supported JSON schema by libnftables 'LIST_OBJECT' := 'TABLE' | 'CHAIN' | 'RULE' | 'SET' | 'MAP' | 'ELEMENT' | 'FLOWTABLE' | 'COUNTER' | 'QUOTA' | 'CT_HELPER' | 'LIMIT' |
- 'METAINFO_OBJECT'
+ 'METAINFO_OBJECT' | 'CT_TIMEOUT'
 == DESCRIPTION libnftables supports JSON formatted input and output. This is implemented as an
@@ -117,7 +117,8 @@ ____ *{ "add":* 'ADD_OBJECT' *}* 'ADD_OBJECT' := 'TABLE' | 'CHAIN' | 'RULE' | 'SET' | 'MAP' | 'ELEMENT' |
- 'FLOWTABLE' | 'COUNTER | QUOTA' | 'CT_HELPER' | 'LIMIT'
+ 'FLOWTABLE' | 'COUNTER | QUOTA' | 'CT_HELPER' | 'LIMIT' |
+ 'CT_TIMEOUT'
 ____ Add a new ruleset element to the kernel.
@@ -161,7 +162,7 @@ ____ 'LIST_OBJECT' := 'TABLE' | 'TABLES' | 'CHAIN' | 'CHAINS' | 'SET' | 'SETS' | 'MAP' | 'MAPS | COUNTER' | 'COUNTERS' | 'QUOTA' | 'QUOTAS' | 'CT_HELPER' | 'CT_HELPERS' | 'LIMIT' | 'LIMITS | RULESET' |
- 'METER' | 'METERS' | 'FLOWTABLES'
+ 'METER' | 'METERS' | 'FLOWTABLES' | 'CT_TIMEOUT'
 ____ List ruleset elements. The plural forms are used to list all objects of that
@@ -559,6 +560,42 @@ This object represents a named limit. *inv*:: If true, match if limit was exceeded. If omitted, defaults to *false*.
+=== CT TIMEOUT
+[verse]
+____
+*{ "ct timeout": {
+ "family":* 'STRING'*,
+ "table":* 'STRING'*,
+ "name":* 'STRING'*,
+ "handle":* 'NUMBER'*,
+ "protocol":* 'CTH_PROTO'*,
+ "state":* 'STRING'*,
+ "value:* 'NUMBER'*,
+ "l3proto":* 'STRING'
+*}}*
+
+'CTH_PROTO' := *"tcp"* | *"udp"* | *"dccp"* | *"sctp"* | *"gre"* | *"icmpv6"* | *"icmp"* | *"generic"*
+____
+
+This object represents a named conntrack timeout policy.
+
+*family*::
+ The table's family.
+*table*::
+ The table's name.
+*name*::
+ The ct timeout object's name.
+*handle*::
+ The ct timeout object's handle. In input, used for *delete* command only.
+*protocol*::
+ The ct timeout object's layer 4 protocol.
+*state*::
+ The connection state name, for which timeout value has to be updated, e.g. *"established"*, *"syn_sent"*, *"close"* or *"close_wait"*.
+*value*::
+ The updated timeout value for specified connection state.
+*l3proto*::
+ The ct timeout object's layer 3 protocol, e.g. *"ip"* or *"ip6"*.
+
 == STATEMENTS Statements are the building blocks for rules. Each rule consists of at least a single statement.
@@ -952,6 +989,15 @@ Limit number of connections using conntrack. If *true*, match if *val* was exceeded. If omitted, defaults to *false*.
+=== CT TIMEOUT
+[verse]
+*{ "ct timeout":* 'EXPRESSION' *}*
+
+Assign connection tracking timeout policy.
+
+*ct timeout*::
+ CT timeout reference.
+
 == EXPRESSIONS Expressions are the building blocks of (most) statements. In their most basic form, they are just immediate values represented as JSON string, integer or
-- cgit v1.2.3