From 82dac4fd156d541ec4e72331d628549cba874eeb Mon Sep 17 00:00:00 2001
From: Harsha Sharma
Date: Thu, 18 Oct 2018 23:42:20 +0530
Subject: doc: Document ct timeout support

Add documentation for creating ct timeout objects and assigning timeout policies via rules.

Signed-off-by: Harsha Sharma
Signed-off-by: Pablo Neira Ayuso
---
 doc/stateful-objects.txt | 59 ++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 57 insertions(+), 2 deletions(-)

(limited to 'doc/stateful-objects.txt')

diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt
index 83a25753..6de4e8bd 100644
--- a/doc/stateful-objects.txt
+++ b/doc/stateful-objects.txt
@@ -1,5 +1,5 @@
-CT
-~~
+CT HELPER
+~~~~~~~~~
 [verse]
 *ct* helper 'helper' {type 'type' protocol 'protocol' ; [l3proto 'family' ;] }
@@ -40,6 +40,61 @@ table inet myhelpers {
 }
 ----------------------------------
+CT TIMEOUT
+~~~~~~~~~~
+[verse]
+*ct* timeout 'name' {protocol 'protocol' ; policy = {'state': 'value'} ;[l3proto 'family' ;] }
+
+Ct timeout is used to update connection tracking timeout values.Timeout policies are assigned
+with the *ct timeout set* statement. 'protocol' and 'policy' are
+ mandatory, l3proto is derived from the table family by default.
+
+.conntrack timeout specifications
+[options="header"]
+|=================
+|Keyword | Description | Type
+| protocol |
+layer 4 protocol of the timeout object |
+string (e.g. ip)
+|state |
+connection state name |
+string (e.g. "established")
+|value |
+timeout value for connection state |
+unsigned integer
+|l3proto |
+layer 3 protocol of the timeout object |
+address family (e.g. ip)
+|=================
+
+.defining and assigning ct timeout policy
+----------------------------------
+table ip filter {
+ ct timeout customtimeout {
+ protocol tcp;
+ l3proto ip
+ policy = { established: 120, close: 20 }
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ ct timeout set "customtimeout"
+ }
+}
+----------------------------------
+
+.testing the updated timeout policy
+----------------------------------
+
+% conntrack -E
+
+It should display:
+
+[UPDATE] tcp 6 120 ESTABLISHED src=172.16.19.128 dst=172.16.19.1
+sport=22 dport=41360 [UNREPLIED] src=172.16.19.1 dst=172.16.19.128
+sport=41360 dport=22
+----------------------------------
+
 COUNTER
 ~~~~~~~
 [verse]
-- cgit v1.2.3