= cttimeout: timeout policy tuning for Netfilter/conntrack =

This infrastructure allows you to define fine-grained timeout
policies per flow. Basically, from user-space, you can create
timeout policy objects via nfct_timeout_alloc(), set the
policy attributes via nfct_timeout_*_attr_set(), and then
build the ctnetlink message to communicate this new timeout
policy to the kernel.

ctnetlink keeps a list of existing policies, each identified
by a name. Timeout policies can be attached to flows via the
iptables CT target.

This is useful in case you want to reduce the timeout of the TCP
Established state to 3000 seconds instead of the default 432000
seconds for certain flows. The infrastructure allows fine
tuning of all existing protocol trackers and even modifying
the timeout for several states of one given protocol.

This new infrastructure uses libmnl; thus, libnetfilter_conntrack
remains in an intermediate state, meaning that it depends on
both libnfnetlink and libmnl. This should not be a problem since
we'll require this dual support during the transition to the
new libnetfilter_conntrack API.

Under the examples/ directory, you can find examples of how to
create new timeout policies, delete them and retrieve the
existing list of policies.

1) You can create one dummy timeout policy:

examples# ./nfct-timeout-add test 2 6

2) You can retrieve the policy that is known by `test':

examples# ./nfct-timeout-get test
.test = {
	.l3proto = 2,
	.l4proto = 6,
	.policy = {
		.SYN_SENT = 100,
		.SYN_RECV = 120,
		.ESTABLISHED = 60,
		.FIN_WAIT = 432000,
		.CLOSE_WAIT = 120,
		.LAST_ACK = 60,
		.TIME_WAIT = 30,
		.CLOSE = 120,
		.SYN_SENT2 = 10,
	},
};

3) You may want to retrieve all timeout policies:

examples# ./nfct-timeout-get

The kernel-space part is planned to be available in Linux
kernel >= 3.4.0.
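
Added example (not part of the original README or of the library's own code): the ctnetlink message described in the first paragraph, built by hand from the kernel's uapi headers instead of through nfct_timeout_alloc() and the attribute setters, so the wire layout is visible. It describes an IPv4/TCP policy with ESTABLISHED set to 3000 seconds; put_attr() and build_timeout_new() are hypothetical names, the 32-byte name limit is an assumption, and nothing is sent to the kernel.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>
#include <linux/netlink.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_cttimeout.h>

/* Hypothetical helper: append one attribute at the (aligned) end of the message. */
static struct nlattr *put_attr(struct nlmsghdr *nlh, uint16_t type,
                               const void *data, uint16_t len)
{
    struct nlattr *a = (struct nlattr *)((char *)nlh + nlh->nlmsg_len);
    a->nla_type = type;
    a->nla_len = NLA_HDRLEN + len;          /* header + unpadded payload */
    if (len)
        memcpy((char *)a + NLA_HDRLEN, data, len);
    nlh->nlmsg_len += NLA_ALIGN(a->nla_len); /* padding bytes stay zero */
    return a;
}

/* Build "create policy <name> for IPv4/TCP, ESTABLISHED = est_secs".
 * Returns the message length, or 0 if the buffer or name is unsuitable. */
size_t build_timeout_new(void *buf, size_t buflen, const char *name,
                         uint32_t est_secs, uint32_t seq)
{
    size_t nlen = strlen(name) + 1;          /* name travels NUL-terminated */
    if (buflen < 128 || nlen > 32)           /* 32-byte limit: assumption */
        return 0;
    memset(buf, 0, buflen);
    struct nlmsghdr *nlh = buf;
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct nfgenmsg));
    nlh->nlmsg_type = (NFNL_SUBSYS_CTNETLINK_TIMEOUT << 8) | IPCTNL_MSG_TIMEOUT_NEW;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_ACK;
    nlh->nlmsg_seq = seq;
    struct nfgenmsg *nfg = NLMSG_DATA(nlh);
    nfg->nfgen_family = AF_INET;
    nfg->version = NFNETLINK_V0;

    uint16_t l3 = htons(AF_INET);            /* .l3proto = 2 */
    uint8_t l4 = IPPROTO_TCP;                /* .l4proto = 6 */
    uint32_t est = htonl(est_secs);          /* timeouts are big-endian seconds */
    put_attr(nlh, CTA_TIMEOUT_NAME, name, (uint16_t)nlen);
    put_attr(nlh, CTA_TIMEOUT_L3PROTO, &l3, sizeof(l3));
    put_attr(nlh, CTA_TIMEOUT_L4PROTO, &l4, sizeof(l4));
    struct nlattr *nest = put_attr(nlh, CTA_TIMEOUT_DATA | NLA_F_NESTED, NULL, 0);
    put_attr(nlh, CTA_TIMEOUT_TCP_ESTABLISHED, &est, sizeof(est));
    nest->nla_len = (uint16_t)((char *)nlh + nlh->nlmsg_len - (char *)nest);
    return nlh->nlmsg_len;
}
```

Only the states placed inside the nested CTA_TIMEOUT_DATA attribute are carried in the message; here that is ESTABLISHED alone.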