diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-10-01 13:28:11 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-05-13 15:53:28 +0200 |
| commit | 1ecda7339e8678c0b4debe7003b4a42791ad478e (patch) | |
| tree | e82b9ad7ea4e0dc05f37bb6c90fbf17c3d2ffefb /src | |
| parent | 34a8e200eee54b4bbecadf52bba8901cae129795 (diff) | |
| download | conntrack-tools-1ecda7339e8678c0b4debe7003b4a42791ad478e.tar.gz conntrack-tools-1ecda7339e8678c0b4debe7003b4a42791ad478e.zip | |
nfct: timeout: add support for default protocol timeout tuning
This new interface supersedes the /proc interface:
/proc/sys/net/netfilter/nf_conntrack_PROTO_STATE_timeout
to tune default conntrack timeout helpers.
# nfct timeout default-get inet tcp
.l3proto = 2,
.l4proto = 6,
.policy = {
.SYN_SENT = 120,
.SYN_RECV = 60,
.ESTABLISHED = 432000,
.FIN_WAIT = 120,
.CLOSE_WAIT = 60,
.LAST_ACK = 30,
.TIME_WAIT = 120,
.CLOSE = 10,
.SYN_SENT2 = 120,
.RETRANS = 300,
.UNACKNOWLEDGED = 300,
},
};
# nfct timeout default-set inet tcp ESTABLISHED 100
As replacement for the existing /proc interfaces for timeout tweaking.
This feature requires a Linux kernel >= 3.13.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/nfct-extensions/timeout.c | 106 |
1 files changed, 104 insertions, 2 deletions
diff --git a/src/nfct-extensions/timeout.c b/src/nfct-extensions/timeout.c index 9f74eca..c9aa386 100644 --- a/src/nfct-extensions/timeout.c +++ b/src/nfct-extensions/timeout.c @@ -32,8 +32,8 @@ static void nfct_cmd_timeout_usage(char *argv[]) { fprintf(stderr, "nfct v%s: Missing command\n" - "%s timeout list|add|delete|get|flush " - "[parameters...]\n", VERSION, argv[0]); + "%s timeout <list|add|delete|get|flush|set> " + "[<parameters>, ...]\n", VERSION, argv[0]); } static int nfct_cmd_timeout_list(struct mnl_socket *nl, int argc, char *argv[]); @@ -41,6 +41,8 @@ static int nfct_cmd_timeout_add(struct mnl_socket *nl, int argc, char *argv[]); static int nfct_cmd_timeout_delete(struct mnl_socket *nl, int argc, char *argv[]); static int nfct_cmd_timeout_get(struct mnl_socket *nl, int argc, char *argv[]); static int nfct_cmd_timeout_flush(struct mnl_socket *nl, int argc, char *argv[]); +static int nfct_cmd_timeout_default_set(struct mnl_socket *nl, int argc, char *argv[]); +static int nfct_cmd_timeout_default_get(struct mnl_socket *nl, int argc, char *argv[]); static int nfct_cmd_timeout_parse_params(struct mnl_socket *nl, int argc, char *argv[]) @@ -61,6 +63,10 @@ nfct_cmd_timeout_parse_params(struct mnl_socket *nl, int argc, char *argv[]) cmd = NFCT_CMD_GET; else if (strncmp(argv[2], "flush", strlen(argv[2])) == 0) cmd = NFCT_CMD_FLUSH; + else if (strncmp(argv[2], "default-set", strlen(argv[2])) == 0) + cmd = NFCT_CMD_DEFAULT_SET; + else if (strncmp(argv[2], "default-get", strlen(argv[2])) == 0) + cmd = NFCT_CMD_DEFAULT_GET; else { fprintf(stderr, "nfct v%s: Unknown command: %s\n", VERSION, argv[2]); @@ -83,6 +89,12 @@ nfct_cmd_timeout_parse_params(struct mnl_socket *nl, int argc, char *argv[]) case NFCT_CMD_FLUSH: ret = nfct_cmd_timeout_flush(nl, argc, argv); break; + case NFCT_CMD_DEFAULT_SET: + ret = nfct_cmd_timeout_default_set(nl, argc, argv); + break; + case NFCT_CMD_DEFAULT_GET: + ret = nfct_cmd_timeout_default_get(nl, argc, argv); + break; } return ret; @@ -393,6 +405,96 @@ int nfct_cmd_timeout_flush(struct mnl_socket *nl, int argc, char *argv[]) return 0; } +static int +nfct_cmd_timeout_default_set(struct mnl_socket *nl, int argc, char *argv[]) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq; + struct nfct_timeout *t; + + if (argc < 6) { + nfct_perror("missing parameters\n" + "syntax: nfct timeout default-set " + "family protocol state1 " + "timeout1 state2 timeout2..."); + return -1; + } + + t = nfct_timeout_alloc(); + if (t == NULL) + return -1; + + if (nfct_cmd_timeout_parse(t, argc-3, &argv[3]) < 0) + return -1; + + seq = time(NULL); + nlh = nfct_timeout_nlmsg_build_hdr(buf, IPCTNL_MSG_TIMEOUT_DEFAULT_SET, + NLM_F_ACK, seq); + nfct_timeout_nlmsg_build_payload(nlh, t); + nfct_timeout_free(t); + + portid = mnl_socket_get_portid(nl); + if (nfct_mnl_talk(nl, nlh, seq, portid, nfct_timeout_cb, NULL) < 0) { + nfct_perror("netlink error"); + return -1; + } + + return 0; +} + +static int +nfct_cmd_timeout_default_get(struct mnl_socket *nl, int argc, char *argv[]) +{ + char buf[MNL_SOCKET_BUFFER_SIZE]; + struct nlmsghdr *nlh; + uint32_t portid, seq; + struct nfct_timeout *t; + int l3proto, l4proto; + + if (argc < 5) { + nfct_perror("missing parameters\n" + "syntax: nfct timeout default-get " + "family protocol"); + return -1; + } + + t = nfct_timeout_alloc(); + if (t == NULL) + return -1; + + argc-=3; + argv+=3; + + l3proto = nfct_cmd_get_l3proto(argv); + if (l3proto < 0) + return -1; + + nfct_timeout_attr_set_u16(t, NFCT_TIMEOUT_ATTR_L3PROTO, l3proto); + argc--; + argv++; + + l4proto = nfct_cmd_get_l4proto(argv); + if (l4proto < 0) + return -1; + + nfct_timeout_attr_set_u8(t, NFCT_TIMEOUT_ATTR_L4PROTO, l4proto); + + seq = time(NULL); + nlh = nfct_timeout_nlmsg_build_hdr(buf, IPCTNL_MSG_TIMEOUT_DEFAULT_GET, + NLM_F_ACK, seq); + nfct_timeout_nlmsg_build_payload(nlh, t); + nfct_timeout_free(t); + + portid = mnl_socket_get_portid(nl); + if (nfct_mnl_talk(nl, nlh, seq, portid, nfct_timeout_cb, NULL) < 0) { + nfct_perror("netlink error"); + return -1; + } + + return 0; +} + static struct nfct_extension timeout = { .type = NFCT_SUBSYS_TIMEOUT, .parse_params = nfct_cmd_timeout_parse_params, |