vyos-legacy / libnetfilter-cttimeout Goto Github PK

= cttimeout: timeout policy tuning for Netfilter/conntrack =

This infrastructure allows you to define fine-grain timeout
policies per flow. Basically, from user-space, you can create
timeout policy objects via nfct_timeout_alloc(), set the
policy attributes, via nfct_timeout_*_attr_set(), and then
build the ctnetlink message to communicate this new timeout
policy to the kernel.

ctnetlink keeps a list of existing policies that are identified
by one name. Timeout policies can be attached to flows via the
iptables CT target.

This is useful in case you want to reduce the timeout of TCP
Established state to 3000 seconds instead of default 432000
seconds for certain flows. The infrastructure allows fine
tuning of all existing protocol trackers and even modifying
the timeout for several states for one given protocol.

This new infrastructure uses libmnl, thus, libnetfilter_conntrack
remains in intermediate state, meaning that it depends on
libnfnetlink and libmnl. This should not be a problem since
we'll require this dual support during the transition to the
new libnetfilter_conntrack API.

Under examples/ directory, you can find examples on how to
create new timeout policies, delete them and to retrieve the
existing list of policies.

1) You can create one dummy timeout policy:
examples# ./nfct-timeout-add test 2 6

2) You can retrieve the policy that is known by `test':

examples# ./nfct-timeout-get test
.test = {
        .l3proto = 2,
        .l4proto = 6,
        .policy = {
                .SYN_SENT = 100,
                .SYN_RECV = 120,
                .ESTABLISHED = 60,
                .FIN_WAIT = 432000,
                .CLOSE_WAIT = 120,
                .LAST_ACK = 60,
                .TIME_WAIT = 30,
                .CLOSE = 120,
                .SYN_SENT2 = 10,
        },
};

3) You may want to retrieve all timeout policies:

examples# ./nfct-timeout-get

The kernel-space part is planned to be available since Linux
kernel >= 3.4.0.