path: root/docs/configuration/system/conntrack.rst
author: Nicolas Fort <nicolasfort1988@gmail.com> 2023-12-27 07:45:07 -0300
committer: Nicolas Fort <nicolasfort1988@gmail.com> 2023-12-27 07:45:07 -0300
commit: 3c4d9ec2e93740eb9bd398736b228af356d2b2a8 (patch)
tree: d22b9a91962fe6ff65e2b02ae90729b226bb3154 /docs/configuration/system/conntrack.rst
parent: 0893ca769b1796d2d61dc26a0c0c13d1eda56f5e (diff)
download: vyos-documentation-3c4d9ec2e93740eb9bd398736b228af356d2b2a8.tar.gz
download: vyos-documentation-3c4d9ec2e93740eb9bd398736b228af356d2b2a8.zip
System Conntrack: update commands for timeout rules; update commands for ignore rules, since both ipv4 and ipv6 rules are supported.
Diffstat (limited to 'docs/configuration/system/conntrack.rst')
-rw-r--r--  docs/configuration/system/conntrack.rst  149
1 files changed, 93 insertions, 56 deletions
diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst
index 68a4f2b8..6ed5fef7 100644
--- a/docs/configuration/system/conntrack.rst
+++ b/docs/configuration/system/conntrack.rst
@@ -46,9 +46,23 @@ Configure
| Use `delete system conntrack modules` to deactive all modules.
| Or, for example ftp, `delete system conntrack modules ftp`.
+.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836>
+ :defaultvalue:
-Define Conection Timeouts
-=========================
+ Set the maximum number of TCP half-open connections.
+
+.. cfgcmd:: set system conntrack tcp loose <enable | disable>
+ :defaultvalue:
+
+ Policy to track previously established connections.
+
+.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647>
+ :defaultvalue:
+
+ Set the number of TCP maximum retransmit attempts.
+
+Contrack Timeouts
+=================
VyOS supports setting timeouts for connections according to the
connection type. You can set timeout values for generic connections, for ICMP
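Review bot: the new section heading `Contrack Timeouts` is misspelled; it should read `Conntrack Timeouts`, matching the `Conntrack ignore rules` and `Conntrack log` headings added further down in this patch. reStructuredText requires the `=` underline to be at least as long as the title, so when the heading gains a character the underline line needs one more `=` as well, otherwise Sphinx emits a title-underline warning.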
@@ -82,34 +96,48 @@ states.
Set the timeout in secounds for a protocol or state.
-
You can also define custom timeout values to apply to a specific subset of
connections, based on a packet and flow selector. To do this, you need to
create a rule defining the packet and flow selector.
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> description <test>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ description <test>
Set a rule description.
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ destination address <ip-address>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ source address <ip-address>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination address <ip-address>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source address <ip-address>
-
- set a destination and/or source address. Accepted input:
+ Set a destination and/or source address. Accepted input for ipv4:
.. code-block:: none
- <x.x.x.x> IP address to match
- <x.x.x.x/x> Subnet to match
- <x.x.x.x>-<x.x.x.x>
- IP range to match
- !<x.x.x.x> Match everything except the specified address
- !<x.x.x.x/x> Match everything except the specified subnet
- !<x.x.x.x>-<x.x.x.x>
- Match everything except the specified range
-
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> destination port <value>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> source port <value>
+ set system conntrack timeout custom ipv4 rule <1-999999> [source | destination] address
+ Possible completions:
+ <x.x.x.x> IPv4 address to match
+ <x.x.x.x/x> IPv4 prefix to match
+ <x.x.x.x>-<x.x.x.x> IPv4 address range to match
+ !<x.x.x.x> Match everything except the specified address
+ !<x.x.x.x/x> Match everything except the specified prefix
+ !<x.x.x.x>-<x.x.x.x> Match everything except the specified range
+
+ set system conntrack timeout custom ipv6 rule <1-999999> [source | destination] address
+ Possible completions:
+ <h:h:h:h:h:h:h:h> IP address to match
+ <h:h:h:h:h:h:h:h/x> Subnet to match
+ <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
+ IP range to match
+ !<h:h:h:h:h:h:h:h> Match everything except the specified address
+ !<h:h:h:h:h:h:h:h/x> Match everything except the specified prefix
+ !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>
+ Match everything except the specified range
+
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ destination port <value>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ source port <value>
Set a destination and/or source port. Accepted input:
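Review bot: the lead sentence `Set a destination and/or source address. Accepted input for ipv4:` no longer matches the code block under it, which now lists completions for both `ipv4` and `ipv6`; drop `for ipv4` (or say "for ipv4 and ipv6"). Within that block the two halves are also no longer parallel: the ipv4 entries were renamed to `IPv4 address to match` / `IPv4 prefix to match`, while the ipv6 entries still say `IP address to match` / `Subnet to match` and then `Match everything except the specified prefix`; using `IPv6 address` / `IPv6 prefix` throughout would keep them consistent. While this hunk is being touched, the unchanged context line `Set the timeout in secounds for a protocol or state.` carries the typo `secounds` (seconds).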
@@ -123,49 +151,58 @@ create a rule defining the packet and flow selector.
The whole list can also be "negated" using '!'. For example:
`!22,telnet,http,123,1001-1005``
-
-
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol icmp <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol other <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp close-wait <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp established <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp fin-wait <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp last-ack <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-recv <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp syn-sent <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol tcp time-wait <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp other <1-21474836>
-.. cfgcmd:: set system conntrack timeout custom rule <1-9999> protocol udp stream <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp close <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp close-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp established <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp fin-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp last-ack <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp syn-recv <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp syn-sent <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol tcp time-wait <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol udp replied <1-21474836>
+.. cfgcmd:: set system conntrack timeout custom [ipv4 | ipv6] rule <1-999999>
+ protocol udp unreplied <1-21474836>
Set the timeout in secounds for a protocol or state in a custom rule.
-
-.. cfgcmd:: set system conntrack tcp half-open-connections <1-21474836>
- :defaultvalue:
-
- Set the maximum number of TCP half-open connections.
-
-.. cfgcmd:: set system conntrack tcp loose <enable | disable>
- :defaultvalue:
-
- Policy to track previously established connections.
-
-.. cfgcmd:: set system conntrack tcp max-retrans <1-2147483647>
- :defaultvalue:
-
- Set the number of TCP maximum retransmit attempts.
-
-.. cfgcmd:: set system conntrack ignore rule <1-9999> description <text>
-.. cfgcmd:: set system conntrack ignore rule <1-9999> destination address <ip-address>
-.. cfgcmd:: set system conntrack ignore rule <1-9999> destination port <port>
-.. cfgcmd:: set system conntrack ignore rule <1-9999> inbound-interface <interface>
-.. cfgcmd:: set system conntrack ignore rule <1-9999> protocol <protocol>
-.. cfgcmd:: set system conntrack ignore rule <1-9999> source address <ip-address>
-.. cfgcmd:: set system conntrack ignore rule <1-9999> source port <port>
+Conntrack ignore rules
+======================
Customized ignore rules, based on a packet and flow selector.
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ description <text>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ destination address <ip-address>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ destination port <port>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ inbound-interface <interface>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ protocol <protocol>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ source address <ip-address>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ source port <port>
+.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>
+ tcp flags [not] <text>
+
+ Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``,
+ ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for
+ inverted selection use ``not``, as shown in the example.
+
+Conntrack log
+=============
+
.. cfgcmd:: set system conntrack log icmp destroy
.. cfgcmd:: set system conntrack log icmp new
.. cfgcmd:: set system conntrack log icmp update
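Review bot: the rewritten custom-timeout list drops `protocol icmp <1-21474836>` and `protocol other <1-21474836>` without any replacement, while the remaining entries are only re-keyed (`udp other` / `udp stream` become `udp replied` / `udp unreplied`); if those two options really no longer exist under `timeout custom [ipv4 | ipv6] rule`, the commit message or a short note in the section should say so for readers migrating from the old `rule <1-9999>` syntax, and if they still exist they should be kept. In the new ignore-rule section, `Allowed values fpr TCP flags` should read `for`, and the sentence ends with `as shown in the example` although no example follows the `tcp flags [not] <text>` command; either add one or drop the reference. The description line `Set the timeout in secounds for a protocol or state in a custom rule.` repeats the `secounds` typo.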