24de58f465
This patch allows you to attach the timeout policy via the CT target, it adds a new revision of the target to ensure backward compatibility. Moreover, it also contains the glue code to stick the timeout object defined via nfnetlink_cttimeout to the given flow. Example usage (it requires installing the nfct tool and libnetfilter_cttimeout): 1) create the timeout policy: nfct timeout add tcp-policy0 inet tcp \ established 1000 close 10 time_wait 10 last_ack 10 2) attach the timeout policy to the packet: iptables -I PREROUTING -t raw -p tcp -j CT --timeout tcp-policy0 You have to install the following user-space software: a) libnetfilter_cttimeout: git://git.netfilter.org/libnetfilter_cttimeout b) nfct: git://git.netfilter.org/nfct You also have to get iptables with -j CT --timeout support. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
#ifndef _XT_CT_H
#define _XT_CT_H
#include <linux/types.h>
/* Bit for the ->flags field of the xt_ct_target_info structs below; presumably
 * requests that the matched flow is left untracked (confirm in the target code). */
#define XT_CT_NOTRACK 0x1
/*
 * Parameters of the original (revision 0) CT target, as handed to the kernel
 * by iptables. This layout is userspace ABI: fields must not be reordered,
 * resized or removed - new options go into a new revision (see
 * struct xt_ct_target_info_v1 below). Field meanings are as their names
 * suggest; confirm against the xt_CT target implementation.
 */
struct xt_ct_target_info {
	__u16 flags;		/* XT_CT_* option bits (XT_CT_NOTRACK above) */
	__u16 zone;		/* conntrack zone for the flow */
	__u32 ct_events;	/* conntrack event mask for the flow */
	__u32 exp_events;	/* expectation event mask for the flow */
	/*
	 * Helper name, fixed-size and supplied by userspace: the kernel side
	 * must not assume a terminating NUL is present and should force
	 * termination (or bound every access) before using it as a C string.
	 */
	char helper[16];

	/*
	 * Used internally by the kernel. aligned(8) presumably keeps the
	 * struct layout independent of pointer width, so 32-bit userspace
	 * and a 64-bit kernel agree on the size.
	 */
	struct nf_conn *ct __attribute__((aligned(8)));
};
/*
 * Revision 1 of the CT target parameters. Identical to revision 0 up to
 * ->helper, then adds ->timeout: the name of a timeout policy created via
 * nfnetlink_cttimeout (e.g. "nfct timeout add ...") that the target attaches
 * to the flow. Keeping revision 0 intact is what preserves backward
 * compatibility with older iptables. Layout is userspace ABI: do not
 * reorder, resize or remove fields. Field meanings are as their names
 * suggest; confirm against the xt_CT target implementation.
 */
struct xt_ct_target_info_v1 {
	__u16 flags;		/* XT_CT_* option bits (XT_CT_NOTRACK above) */
	__u16 zone;		/* conntrack zone for the flow */
	__u32 ct_events;	/* conntrack event mask for the flow */
	__u32 exp_events;	/* expectation event mask for the flow */
	/*
	 * Helper and timeout-policy names, fixed-size and supplied by
	 * userspace: the kernel side must not assume a terminating NUL is
	 * present and should force termination (or bound every access)
	 * before using either as a C string for lookups.
	 */
	char helper[16];
	char timeout[32];

	/*
	 * Used internally by the kernel. aligned(8) presumably keeps the
	 * struct layout independent of pointer width, so 32-bit userspace
	 * and a 64-bit kernel agree on the size.
	 */
	struct nf_conn *ct __attribute__((aligned(8)));
};
#endif /* _XT_CT_H */