NFCT
Section: (8)
Updated: Feb 29, 2012
NAME
nfct - command line tool to interact with the connection tracking system
SYNOPSIS
nfct subsystem command [parameters]
DESCRIPTION
nfct is the command line tool that allows you to manipulate Netfilter's Connection Tracking System.
SUBSYS
At the time this manpage was written, the only supported subsystem is timeout.

timeout
    The timeout subsystem allows you to define fine-grain timeout policies.

version
    Displays the version information.

help
    Displays the help message.
TIMEOUT SUBSYSTEM
list
    List the existing timeout policies.

add
    Add a new timeout policy.

delete
    Delete a timeout policy.

get
    Get an existing timeout policy.
EXAMPLE
    nfct timeout add test-tcp inet tcp established 100 close 10 close_wait 10

This creates a timeout policy for tcp using 100 seconds for the ESTABLISHED state, 10 seconds for the CLOSE state and 10 seconds for the CLOSE_WAIT state.

Then, you can attach the timeout policy with the iptables CT target:

    iptables -I PREROUTING -t raw -p tcp -j CT --timeout test-tcp

    iptables -I OUTPUT -t raw -p tcp -j CT --timeout test-tcp

You can test the timeout policy with:

    conntrack -E -p tcp

It should display:

    [UPDATE] tcp 6 100 ESTABLISHED src=192.168.39.100 dst=57.126.1.20 sport=56463 dport=80 src=57.126.1.20 dst=192.168.39.100 sport=80 dport=56463 [ASSURED]
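The check above can be automated. The following shell function is an added example, not part of the nfct manual page: it reads conntrack -E -p tcp output and flags events whose timeout differs from the policy. The function names and every sample event except the first (the line shown above) are constructed, and the default conntrack event layout is assumed.

```shell
#!/bin/sh
# Added example (not from the nfct manual page): confirm that conntrack
# events carry the timeouts configured by an nfct timeout policy.

# check_timeouts POLICY: reads `conntrack -E -p tcp` lines on stdin.
# POLICY mirrors the nfct arguments as state=seconds pairs, for example
# "established=100 close=10 close_wait=10". Prints one MISMATCH line per
# event whose timeout differs from the policy; returns 1 if any were found.
check_timeouts() {
    awk -v policy="$1" '
    BEGIN {
        n = split(policy, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            want[toupper(kv[1])] = kv[2] + 0
        }
    }
    # Assumed default event layout: [UPDATE] tcp 6 <timeout> <STATE> src=...
    # [DESTROY] lines have no timeout or state, so the numeric test skips them.
    $1 ~ /^\[(NEW|UPDATE)\]$/ && $4 ~ /^[0-9]+$/ && ($5 in want) {
        if ($4 + 0 != want[$5]) {
            printf "MISMATCH state=%s timeout=%s expected=%s %s %s\n",
                   $5, $4, want[$5], $6, $7
            bad++
        }
    }
    END { exit (bad > 0) }
    '
}

# Constructed sample events; only the first line is taken from the page.
# The third flow still shows 432000 s, i.e. it did not pick up the policy.
sample_events() {
    cat <<'EOF'
[UPDATE] tcp      6 100 ESTABLISHED src=192.168.39.100 dst=57.126.1.20 sport=56463 dport=80 src=57.126.1.20 dst=192.168.39.100 sport=80 dport=56463 [ASSURED]
[NEW] tcp      6 120 SYN_SENT src=192.0.2.10 dst=198.51.100.7 sport=40000 dport=443 [UNREPLIED] src=198.51.100.7 dst=192.0.2.10 sport=443 dport=40000
[UPDATE] tcp      6 432000 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=40000 dport=443 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=40000 [ASSURED]
[UPDATE] tcp      6 10 CLOSE_WAIT src=192.0.2.10 dst=198.51.100.7 sport=40000 dport=443 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=40000 [ASSURED]
[DESTROY] tcp      6 src=192.0.2.10 dst=198.51.100.7 sport=40000 dport=443 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=40000 [ASSURED]
EOF
}

# Live use: conntrack -E -p tcp | check_timeouts "established=100 close=10 close_wait=10"
sample_events | check_timeouts "established=100 close=10 close_wait=10" || true
```

A MISMATCH on a flow that should match the iptables rules usually means the CT rule in the raw table was not hit for that connection, for example because the flow predates the rule.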
SEE ALSO
iptables(8), conntrack(8)
BUGS
Please, report them to netfilter-devel@vger.kernel.org or file a bug in
Netfilter's bugzilla (https://bugzilla.netfilter.org).
AUTHORS
Pablo Neira Ayuso wrote and maintains the nfct tool.
Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.