Skip to content

formorer/pkg-conntrack-tools

Repository files navigation

= nfct: command line tool to interact with the Connection Tracking System =

This tool only supports the cttimeout infrastructure by now. However,
the plan is that it will replace `conntrack' with a syntax that looks
more similar to `ip' and `nftables' tools (in the long run!).

== cttimeout: fine-grain timeout tuning for the Connection Tracking System ==

The `nfct' command line tool allows you to define custom timeout
policies:

# nfct add timeout custom-tcp-policy1 inet tcp established 100

You can also retrieve the existing timeout policies with:

# nfct list timeout
.tcp-policy = {
        .l3proto = 2,
        .l4proto = 6,
        .policy = {
                .SYN_SENT = 120,
                .SYN_RECV = 60,
                .ESTABLISHED = 100,
                .FIN_WAIT = 120,
                .CLOSE_WAIT = 60,
                .LAST_ACK = 30,
                .TIME_WAIT = 120,
                .CLOSE = 10,
                .SYN_SENT2 = 120,
                .RETRANS = 300,
                .UNACKNOWLEDGED = 300,
        },
};

Then, you can use the timeout policy with iptables:

# iptables -I PREROUTING -t raw -s 1.1.1.1 -d 2.2.2.2 -p tcp \
	-j CT --timeout custom-tcp-policy1

You can define policies for other protocols as well, eg:

# nfct add timeout custom-udp-policy1 inet udp unreplied 10 replied 20

And attach them via iptables:

# iptables -I PREROUTING -t raw -s 1.1.1.1 -d 2.2.2.2 -p udp \
	-j CT --timeout custom-udp-policy1

== Compilation & Installation ==

This tool requires libmnl and libnetfilter_cttimeout. You also require
nfnetlink_cttimeout support in the Linux kernel.

If you obtain a working copy from git, you have to run:

$ autoreconf -fi # this is the lingo that replaces old autogen.sh scripts
$ ./configure --prefix=/usr
$ make
$ sudo make install

-o-
(c) 2012 by Pablo Neira Ayuso <[email protected]>