Blame doc/stateful-objects.txt

CT HELPER
~~~~~~~~~
[verse]
*ct helper* 'helper' *{ type* 'type' *protocol* 'protocol' *;* [*l3proto* 'family' *;*] *}*

Ct helper is used to define connection tracking helpers that can then be used in
combination with the *ct helper set* statement. 'type' and 'protocol' are
mandatory, l3proto is derived from the table family by default, i.e. in the inet
table the kernel will try to load both the ipv4 and ipv6 helper backends, if
they are supported by the kernel.

.conntrack helper specifications
[options="header"]
|=================
|Keyword | Description | Type
| type |
name of helper type |
quoted string (e.g. "ftp")
|protocol |
layer 4 protocol of the helper |
string (e.g. tcp)
|l3proto |
layer 3 protocol of the helper |
address family (e.g. ip)
|=================

.defining and assigning ftp helper
----------------------------------
Unlike iptables, helper assignment needs to be performed after the conntrack
lookup has completed, for example with the default 0 hook priority.

table inet myhelpers {
  ct helper ftp-standard {
     type "ftp" protocol tcp
  }
  chain prerouting {
      type filter hook prerouting priority 0;
      tcp dport 21 ct helper set "ftp-standard"
  }
}
----------------------------------

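An added example, not from the nftables documentation, for a firewall in front of an FTP and a SIP server: it keeps the ftp helper on the inet default (both address families) while pinning a sip helper to IPv4 with an explicit l3proto, and assigns each helper only to traffic for the one server that needs it, so the payload parser never runs on unrelated flows. The addresses 192.0.2.10, 2001:db8::10 and 192.0.2.20 are placeholders.

```nft
table inet helpers {
	# ftp over IPv4 and IPv6: l3proto is left to the inet default
	ct helper ftp-std {
		type "ftp" protocol tcp
	}
	# sip helper restricted to IPv4 by an explicit l3proto
	ct helper sip-v4 {
		type "sip" protocol udp
		l3proto ip
	}

	chain prerouting {
		# priority filter (0): the conntrack lookup has already run
		type filter hook prerouting priority filter; policy accept;
		# assign each helper only on the control port of its server (placeholder addresses)
		ip daddr 192.0.2.10 tcp dport 21 ct helper set "ftp-std"
		ip6 daddr 2001:db8::10 tcp dport 21 ct helper set "ftp-std"
		ip daddr 192.0.2.20 udp dport 5060 ct helper set "sip-v4"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state invalid drop
		# data and media flows opened by the helpers arrive as related
		ct state established,related accept
		ip daddr 192.0.2.10 tcp dport 21 accept
		ip6 daddr 2001:db8::10 tcp dport 21 accept
		ip daddr 192.0.2.20 udp dport 5060 accept
	}
}
```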
CT TIMEOUT
~~~~~~~~~~
[verse]
*ct timeout* 'name' *{ protocol* 'protocol' *; policy = {* 'state'*:* 'value' [*,* ...] *} ;* [*l3proto* 'family' *;*] *}*

Ct timeout is used to update connection tracking timeout values. Timeout policies are assigned
with the *ct timeout set* statement. 'protocol' and 'policy' are
mandatory, l3proto is derived from the table family by default.

.conntrack timeout specifications
[options="header"]
|=================
|Keyword | Description | Type
| protocol |
layer 4 protocol of the timeout object |
string (e.g. tcp)
|state |
connection state name |
string (e.g. "established")
|value |
timeout value for connection state |
unsigned integer (seconds)
|l3proto |
layer 3 protocol of the timeout object |
address family (e.g. ip)
|=================

.defining and assigning ct timeout policy
----------------------------------
table ip filter {
	ct timeout customtimeout {
		protocol tcp;
		l3proto ip
		policy = { established: 120, close: 20 }
	}

	chain output {
		type filter hook output priority filter; policy accept;
		ct timeout set "customtimeout"
	}
}
----------------------------------

.testing the updated timeout policy
----------------------------------

% conntrack -E

It should display:

[UPDATE] tcp      6 120 ESTABLISHED src=172.16.19.128 dst=172.16.19.1
sport=22 dport=41360 [UNREPLIED] src=172.16.19.1 dst=172.16.19.128
sport=41360 dport=22
----------------------------------

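An added example, not from the nftables documentation, showing the same mechanism used to bound conntrack table growth on a busy gateway: short UDP timeouts for DNS (a flow is one request and one reply) and short TCP timeouts for the half-open and closing states, applied per flow class in prerouting rather than to all output traffic. The UDP state names are unreplied and replied; states left out of a policy keep their defaults, as in the example above.

```nft
table ip ct_policy {
	# DNS flows are one request/response pair: keep them for seconds, not minutes
	ct timeout dns_short {
		protocol udp
		l3proto ip
		policy = { unreplied: 10, replied: 20 }
	}

	# tighten only the states where SYN or FIN floods park entries;
	# established keeps the kernel default
	ct timeout tcp_tight {
		protocol tcp
		l3proto ip
		policy = { syn_sent: 30, syn_recv: 30, fin_wait: 30, close_wait: 30, last_ack: 15, time_wait: 30 }
	}

	chain prerouting {
		# priority filter (0) runs after the conntrack lookup, so the
		# policy can be attached to the new entry on its first packet
		type filter hook prerouting priority filter; policy accept;
		udp dport 53 ct timeout set "dns_short"
		tcp dport { 80, 443 } ct timeout set "tcp_tight"
	}
}
```

Verify as in the testing block above: conntrack -E should report the shortened timeout in the UPDATE events for port 53 and port 80/443 entries.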
CT EXPECTATION
~~~~~~~~~~~~~~
[verse]
*ct expectation* 'name' *{ protocol* 'protocol' *; dport* 'dport' *; timeout* 'timeout' *; size* 'size' *;* [*l3proto* 'family' *;*] *}*

Ct expectation is used to create connection expectations. Expectations are
assigned with the *ct expectation set* statement. 'protocol', 'dport',
'timeout' and 'size' are mandatory, l3proto is derived from the table family
by default.

.conntrack expectation specifications
[options="header"]
|=================
|Keyword | Description | Type
|protocol |
layer 4 protocol of the expectation object |
string (e.g. udp)
|dport |
destination port of expected connection |
unsigned integer
|timeout |
timeout value for expectation |
unsigned integer
|size |
size value for expectation |
unsigned integer
|l3proto |
layer 3 protocol of the expectation object |
address family (e.g. ip)
|=================

.defining and assigning ct expectation policy
---------------------------------------------
table ip filter {
	ct expectation expect {
		protocol udp
		dport 9876
		timeout 2m
		size 8
		l3proto ip
	}

	chain input {
		type filter hook input priority filter; policy accept;
		ct expectation set "expect"
	}
}
---------------------------------------------

COUNTER
~~~~~~~
[verse]
*counter* ['packets bytes']

.Counter specifications
[options="header"]
|=================
|Keyword | Description | Type
|packets |
initial count of packets |
unsigned integer (64 bit)
|bytes |
initial count of bytes |
unsigned integer (64 bit)
|=================

QUOTA
~~~~~
[verse]
*quota* [*over* | *until*] ['used']

.Quota specifications
[options="header"]
|=================
|Keyword | Description | Type
|quota |
quota limit, used as the quota name |
Two arguments, unsigned integer (64 bit) and string: bytes, kbytes, mbytes.
"over" and "until" go before these arguments
|used |
initial value of used quota |
Two arguments, unsigned integer (64 bit) and string: bytes, kbytes, mbytes
|=================
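An added example, not from the nftables documentation, since the counter and quota sections above give none: a named counter and a named quota defined as objects and referenced from rules with *counter name* and *quota name*, capping what an untrusted guest segment can forward. 192.0.2.0/24 stands in for the guest network and 500 mbytes for the allowance; both are placeholders.

```nft
table inet accounting {
	# named counter, starting from zero; readable with nft list counters
	counter guest_out {
		packets 0 bytes 0
	}

	# "over" makes the object match once more than 500 MB has been used
	# ("until" would match while the used amount is still below it);
	# the used value is the starting point and is cleared with nft reset quotas
	quota guest_daily {
		over 500 mbytes used 0 bytes
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		# hand the guest network (placeholder prefix) to its own chain first,
		# so every guest packet is counted and charged against the quota
		ip saddr 192.0.2.0/24 jump guest
		ct state established,related accept
	}

	chain guest {
		counter name "guest_out"
		# matches only once the quota is exceeded, then drops
		quota name "guest_daily" drop
		ct state invalid drop
		ct state established,related accept
		udp dport 53 accept
		tcp dport { 80, 443 } accept
	}
}
```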