= cttimeout: timeout policy tuning for Netfilter/conntrack =

This infrastructure allows you to define fine-grained timeout
policies per flow. Basically, from user-space, you can create
timeout policy objects via nfct_timeout_alloc(), set the
policy attributes via nfct_timeout_*_attr_set(), and then
build the ctnetlink message to communicate this new timeout
policy to the kernel.

ctnetlink keeps a list of existing policies, each identified
by one name. Timeout policies can be attached to flows via the
iptables CT target.

This is useful in case you want to reduce the timeout of the TCP
Established state to 3000 seconds instead of the default 432000
seconds for certain flows. The infrastructure allows fine
tuning of all existing protocol trackers and even modifying
the timeout of several states for one given protocol.

This new infrastructure uses libmnl; thus, libnetfilter_conntrack
remains in an intermediate state, meaning that it depends on
both libnfnetlink and libmnl. This should not be a problem, since
we'll require this dual support during the transition to the
new libnetfilter_conntrack API.

Under the examples/ directory, you can find examples of how to
create new timeout policies, delete them, and retrieve the
existing list of policies.

1) You can create one dummy timeout policy:

examples# ./nfct-timeout-add test 2 6

2) You can retrieve the policy that is known by `test':

examples# ./nfct-timeout-get test
.test = {
	.l3proto = 2,
	.l4proto = 6,
	.policy = {
		.SYN_SENT = 100,
		.SYN_RECV = 120,
		.ESTABLISHED = 60,
		.FIN_WAIT = 432000,
		.CLOSE_WAIT = 120,
		.LAST_ACK = 60,
		.TIME_WAIT = 30,
		.CLOSE = 120,
		.SYN_SENT2 = 10,
	},
};

3) You may want to retrieve all timeout policies:

examples# ./nfct-timeout-get
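
The wire format behind the steps above, as an added example that is not code from this README or from libnetfilter_conntrack: it hand-builds, with libc only, the ctnetlink IPCTNL_MSG_TIMEOUT_NEW request that nfct-timeout-add sends for the `test` policy (l3proto 2 = IPv4, l4proto 6 = TCP) and then walks it back the way a receiver would. The attribute and message numbers are assumed to mirror the kernel's nfnetlink_cttimeout UAPI header, and no netlink socket is opened, so it runs without root or the kernel module.

```c
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <stdint.h>
#include <string.h>
/* Numbers assumed to mirror linux/netfilter/nfnetlink_cttimeout.h (not included, so this
 * builds with libc alone): subsystem id, message type, CTA_TIMEOUT_* and CTA_TIMEOUT_TCP_*. */
enum { SUBSYS_CTTIMEOUT = 8, MSG_TIMEOUT_NEW = 0 };
enum { A_NAME = 1, A_L3PROTO, A_L4PROTO, A_DATA };
enum { TCP_SYN_SENT = 1, TCP_SYN_RECV, TCP_ESTABLISHED, TCP_FIN_WAIT, TCP_CLOSE_WAIT,
       TCP_LAST_ACK, TCP_TIME_WAIT, TCP_CLOSE, TCP_SYN_SENT2, TCP_MAX };
struct nfgen { uint8_t family, version; uint16_t res_id; };     /* same layout as struct nfgenmsg */

/* Append one netlink TLV attribute at *off; the returned header lets a nest be closed later. */
static struct nlattr *nla_put(char *buf, int *off, uint16_t type, const void *d, int len) {
    struct nlattr *a = (struct nlattr *)(buf + *off);
    a->nla_type = type; a->nla_len = NLA_HDRLEN + len;
    if (len) memcpy((char *)a + NLA_HDRLEN, d, len);
    *off += NLA_ALIGN(a->nla_len);                      /* attributes are 4-byte aligned */
    return a;
}

/* Build IPCTNL_MSG_TIMEOUT_NEW for an IPv4 (l3proto 2) TCP (l4proto 6) policy, as
 * `nfct-timeout-add <name> 2 6` does; tcp[] holds seconds per TCP_* state. Returns the length. */
int build_timeout_new(char *buf, const char *name, const uint32_t tcp[TCP_MAX]) {
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct nfgen *nfg = (struct nfgen *)(buf + NLMSG_HDRLEN);
    uint16_t l3 = htons(2); uint8_t l4 = 6;
    int off = NLMSG_HDRLEN + NLMSG_ALIGN(sizeof *nfg);
    memset(buf, 0, off);                                /* zero seq/pid and the nfgenmsg */
    nlh->nlmsg_type = (SUBSYS_CTTIMEOUT << 8) | MSG_TIMEOUT_NEW;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_ACK;
    nfg->family = 2;                                    /* AF_INET; version NFNETLINK_V0 */
    nla_put(buf, &off, A_NAME, name, strlen(name) + 1); /* NUL-terminated policy name */
    nla_put(buf, &off, A_L3PROTO, &l3, 2);              /* u16, network byte order */
    nla_put(buf, &off, A_L4PROTO, &l4, 1);              /* u8 */
    struct nlattr *nest = nla_put(buf, &off, A_DATA | NLA_F_NESTED, NULL, 0);
    for (int s = TCP_SYN_SENT; s < TCP_MAX; s++) {      /* one big-endian u32 per TCP state */
        uint32_t v = htonl(tcp[s]); nla_put(buf, &off, s, &v, 4);
    }
    nest->nla_len = (uint16_t)((buf + off) - (char *)nest); /* close the nested attribute */
    nlh->nlmsg_len = off;
    return off;
}

/* Receiver-side walk: return one TCP state's timeout in seconds (0 if absent) by scanning
 * the top-level attributes and descending into the nested CTA_TIMEOUT_DATA. */
uint32_t timeout_for_state(const char *buf, int state) {
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    int off = NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(struct nfgen)), end = nlh->nlmsg_len, in_data = 0;
    while (off + NLA_HDRLEN <= end) {
        const struct nlattr *a = (const struct nlattr *)(buf + off);
        if (!in_data && (a->nla_type & NLA_TYPE_MASK) == A_DATA) {     /* enter the nest */
            in_data = 1; end = off + a->nla_len; off += NLA_HDRLEN; continue; }
        if (in_data && a->nla_type == state) {
            uint32_t v; memcpy(&v, (const char *)a + NLA_HDRLEN, 4); return ntohl(v); }
        off += NLA_ALIGN(a->nla_len);
    }
    return 0;
}
```

Sending the buffer over an NETLINK_NETFILTER socket is what the library's nfct_timeout_nlmsg_build_payload() path does for you; note that the per-state values travel in network byte order, so a policy read back with nfct-timeout-get is only correct if both sides agree on that.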

The kernel-space part is planned to be available in Linux
kernel >= 3.4.0.