author | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-05-26 18:03:32 +0200
---|---|---
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-05-26 18:04:11 +0200
commit | 318756cd4df1cb7760bf32d3e1d3756c41d1858b |
tree | 16d9a45e4e6adf7b03a0f3f5eae0d9001b91dbb0 | /README.nfct
parent | 7276986d8a2d539fde3835e00e217f52f6e595ac |
download | conntrack-tools-318756cd4df1cb7760bf32d3e1d3756c41d1858b.tar.gz, conntrack-tools-318756cd4df1cb7760bf32d3e1d3756c41d1858b.zip |
add README.nfct
This file includes some short description on `nfct'.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'README.nfct')
-rw-r--r-- | README.nfct | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/README.nfct b/README.nfct new file mode 100644 index 0000000..4d8e6cc --- /dev/null +++ b/README.nfct @@ -0,0 +1,62 @@ += nfct: command line tool to interact with the Connection Tracking System = + +This tool only supports the cttimeout infrastructure by now. However, +the plan is that it will replace `conntrack' with a syntax that looks +more similar to `ip' and `nftables' tools (in the long run!). + +== cttimeout: fine-grain timeout tuning for the Connection Tracking System == + +The `nfct' command line tool allows you to define custom timeout +policies: + +# nfct timeout add custom-tcp-policy1 inet tcp established 100 + +You can also retrieve the existing timeout policies with: + +# nfct timeout list +.tcp-policy = { + .l3proto = 2, + .l4proto = 6, + .policy = { + .SYN_SENT = 120, + .SYN_RECV = 60, + .ESTABLISHED = 100, + .FIN_WAIT = 120, + .CLOSE_WAIT = 60, + .LAST_ACK = 30, + .TIME_WAIT = 120, + .CLOSE = 10, + .SYN_SENT2 = 120, + .RETRANS = 300, + .UNACKNOWLEDGED = 300, + }, +}; + +Then, you can use the timeout policy with iptables: + +# iptables -I PREROUTING -t raw -s 1.1.1.1 -d 2.2.2.2 -p tcp \ + -j CT --timeout custom-tcp-policy1 + +You can define policies for other protocols as well, eg: + +# nfct timeout add custom-udp-policy1 inet udp unreplied 10 replied 20 + +And attach them via iptables: + +# iptables -I PREROUTING -t raw -s 1.1.1.1 -d 2.2.2.2 -p udp \ + -j CT --timeout custom-udp-policy1 + +== Compilation & Installation == + +This tool requires libmnl and libnetfilter_cttimeout. You also require +nfnetlink_cttimeout support in the Linux kernel. + +If you obtain a working copy from git, you have to run: + +$ autoreconf -fi # this is the lingo that replaces old autogen.sh scripts +$ ./configure --prefix=/usr +$ make +$ sudo make install + +-o- +(c) 2012 by Pablo Neira Ayuso <pablo@netfilter.org> |
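Review bot: in the cttimeout section, the `nfct timeout list` sample output does not match the `add` command shown just above it: the policy is created as `custom-tcp-policy1` with the keywords `inet tcp`, but the listing shows a policy named `.tcp-policy` with `.l3proto = 2` and `.l4proto = 6`, so a reader cannot tell whether `list` renames policies or whether it prints the numeric AF_INET / IPPROTO_TCP values in place of the `inet` / `tcp` keywords that `add` accepts. Suggest pasting the real output of the documented `add` followed by `list`, or at least renaming the listed policy to `custom-tcp-policy1` and adding one sentence stating that `.l3proto` and `.l4proto` are the numeric protocol family and protocol numbers. Minor: both iptables examples use `-s 1.1.1.1 -d 2.2.2.2`, which are routable addresses; the RFC 5737 documentation ranges (for example `192.0.2.1` and `198.51.100.1`) avoid a copied rule matching real traffic.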