summaryrefslogtreecommitdiff
path: root/README.nfct
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2012-05-26 18:03:32 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2012-05-26 18:04:11 +0200
commit318756cd4df1cb7760bf32d3e1d3756c41d1858b (patch)
tree16d9a45e4e6adf7b03a0f3f5eae0d9001b91dbb0 /README.nfct
parent7276986d8a2d539fde3835e00e217f52f6e595ac (diff)
downloadconntrack-tools-318756cd4df1cb7760bf32d3e1d3756c41d1858b.tar.gz
conntrack-tools-318756cd4df1cb7760bf32d3e1d3756c41d1858b.zip
add README.nfct
This files includes some short description on `nfct'. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'README.nfct')
-rw-r--r--README.nfct62
1 files changed, 62 insertions, 0 deletions
diff --git a/README.nfct b/README.nfct
new file mode 100644
index 0000000..4d8e6cc
--- /dev/null
+++ b/README.nfct
@@ -0,0 +1,62 @@
+= nfct: command line tool to interact with the Connection Tracking System =
+
+This tool only supports the cttimeout infrastructure by now. However,
+the plan is that it will replace `conntrack' with a syntax that looks
+more similar to `ip' and `nftables' tools (in the long run!).
+
+== cttimeout: fine-grain timeout tuning for the Connection Tracking System ==
+
+The `nfct' command line tool allows you to define custom timeout
+policies:
+
+# nfct timeout add custom-tcp-policy1 inet tcp established 100
+
+You can also retrieve the existing timeout policies with:
+
+# nfct timeout list
+.tcp-policy = {
+ .l3proto = 2,
+ .l4proto = 6,
+ .policy = {
+ .SYN_SENT = 120,
+ .SYN_RECV = 60,
+ .ESTABLISHED = 100,
+ .FIN_WAIT = 120,
+ .CLOSE_WAIT = 60,
+ .LAST_ACK = 30,
+ .TIME_WAIT = 120,
+ .CLOSE = 10,
+ .SYN_SENT2 = 120,
+ .RETRANS = 300,
+ .UNACKNOWLEDGED = 300,
+ },
+};
+
+Then, you can use the timeout policy with iptables:
+
+# iptables -I PREROUTING -t raw -s 1.1.1.1 -d 2.2.2.2 -p tcp \
+ -j CT --timeout custom-tcp-policy1
+
+You can define policies for other protocols as well, eg:
+
+# nfct timeout add custom-udp-policy1 inet udp unreplied 10 replied 20
+
+And attach them via iptables:
+
+# iptables -I PREROUTING -t raw -s 1.1.1.1 -d 2.2.2.2 -p udp \
+ -j CT --timeout custom-udp-policy1
+
+== Compilation & Installation ==
+
+This tool requires libmnl and libnetfilter_cttimeout. You also require
+nfnetlink_cttimeout support in the Linux kernel.
+
+If you obtain a working copy from git, you have to run:
+
+$ autoreconf -fi # this is the lingo that replaces old autogen.sh scripts
+$ ./configure --prefix=/usr
+$ make
+$ sudo make install
+
+-o-
+(c) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>