From 969d93f14fffadb5cae67a7662484c1e064bbff1 Mon Sep 17 00:00:00 2001
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Tue, 15 May 2012 14:31:35 +0200
Subject: conntrackd: RPC helper added to cthelper

How to use this helper in a few steps:

1) You can enable this helper via:

 nfct helper add rpc inet tcp
 nfct helper add rpc inet udp

2) Configure /etc/conntrackd/conntrackd.conf and launch it.

3) You can test this helper locally with the following rule-set:

 iptables -A OUTPUT -t raw -p udp -m udp --dport 111 -j CT --helper rpc
 iptables -A OUTPUT -t raw -p tcp -m tcp --dport 111 -j CT --helper rpc
 iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 111 -j ACCEPT
 iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 111 -j ACCEPT
 iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -P OUTPUT DROP

4) Configure NFS and export some local directory. Then, mount it with version 3.

 mount.nfs -onfsvers=3 127.0.0.1:/srv/cvs /mnt/

You should see permanent expectations created for this.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 doc/helper/conntrackd.conf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)


diff --git a/doc/helper/conntrackd.conf b/doc/helper/conntrackd.conf
index 711b309..2bf99fa 100644
--- a/doc/helper/conntrackd.conf
+++ b/doc/helper/conntrackd.conf
@@ -28,6 +28,20 @@ Helper {
 			ExpectTimeout 300
 		}
 	}
+	Type rpc inet tcp {
+		QueueNum 1
+		Policy rpc {
+			ExpectMax 1
+			ExpectTimeout 300
+		}
+	}
+	Type rpc inet udp {
+		QueueNum 2
+		Policy rpc {
+			ExpectMax 1
+			ExpectTimeout 300
+		}
+	}
 }
 
 #
-- 
cgit v1.2.3