nfct: timeout: add support for default protocol timeout tuning

This new interface supersedes the /proc interface:

/proc/sys/net/netfilter/nf_conntrack_PROTO_STATE_timeout

to tune default conntrack timeout helpers.

 # nfct timeout default-get inet tcp
         .l3proto = 2,
         .l4proto = 6,
         .policy = {
                 .SYN_SENT = 120,
                 .SYN_RECV = 60,
                 .ESTABLISHED = 432000,
                 .FIN_WAIT = 120,
                 .CLOSE_WAIT = 60,
                 .LAST_ACK = 30,
                 .TIME_WAIT = 120,
                 .CLOSE = 10,
                 .SYN_SENT2 = 120,
                 .RETRANS = 300,
                 .UNACKNOWLEDGED = 300,
         },
 };

 # nfct timeout default-set inet tcp ESTABLISHED 100

As replacement for the existing /proc interfaces for timeout tweaking.
This feature requires a Linux kernel >= 3.13.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2 files changed, 4 insertions, 0 deletions

diff --git a/include/linux/netfilter/nfnetlink_cttimeout.h b/include/linux/netfilter/nfnetlink_cttimeout.h
index a2810a7..1ab0b97 100644
--- a/include/linux/netfilter/nfnetlink_cttimeout.h
+++ b/include/linux/netfilter/nfnetlink_cttimeout.h
@@ -6,6 +6,8 @@ enum ctnl_timeout_msg_types {
 	IPCTNL_MSG_TIMEOUT_NEW,
 	IPCTNL_MSG_TIMEOUT_GET,
 	IPCTNL_MSG_TIMEOUT_DELETE,
+	IPCTNL_MSG_TIMEOUT_DEFAULT_SET,
+	IPCTNL_MSG_TIMEOUT_DEFAULT_GET,
 
 	IPCTNL_MSG_TIMEOUT_MAX
 };
diff --git a/include/nfct.h b/include/nfct.h
index 682fe3a..dc103c6 100644
--- a/include/nfct.h
+++ b/include/nfct.h
@@ -19,6 +19,8 @@ enum {
 	NFCT_CMD_GET,
 	NFCT_CMD_FLUSH,
 	NFCT_CMD_DISABLE,
+	NFCT_CMD_DEFAULT_SET,
+	NFCT_CMD_DEFAULT_GET,
 };
 
 #define __init __attribute__((constructor))