NAME
nfct - command line tool to interact with the connection tracking system
SYNOPSIS
nfct subsystem command [parameters]
DESCRIPTION
nfct is the command line tool that allows you to manipulate Netfilter's
Connection Tracking System.
SUBSYS
At the time this manpage was written, the supported subsystems are:
- timeout
- The timeout subsystem allows you to define fine-grained timeout
policies.
- version
- Displays the version information.
- help
- Displays the help message.
TIMEOUT SUBSYSTEM
- list
- List the existing timeout policies.
- add
- Add a new timeout policy.
- delete
- Delete a timeout policy.
- get
- Get an existing timeout policy.
EXAMPLE
- nfct timeout add test-tcp inet tcp established 100 close 10 close_wait 10
- This creates a timeout policy for tcp using 100 seconds for the
ESTABLISHED state, 10 seconds for CLOSE state and 10 seconds for the
CLOSE_WAIT state.
- Then, you can attach the timeout policy with the iptables CT target:
- iptables -I PREROUTING -t raw -p tcp -j CT --timeout test-tcp
- iptables -I OUTPUT -t raw -p tcp -j CT --timeout test-tcp
- You can test that the timeout policy is applied with:
- conntrack -E -p tcp
- It should display:
- [UPDATE] tcp 6 100 ESTABLISHED src=192.168.39.100 dst=57.126.1.20 sport=56463 dport=80 src=57.126.1.20 dst=192.168.39.100 sport=80 dport=56463 [ASSURED]
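The procedure above as one script, added here as an example rather than part of the nfct man page: it creates the test-tcp policy, attaches it with the CT target in the raw table, and checks conntrack -E lines for the policy's 100-second ESTABLISHED timeout. It assumes nfct, iptables and conntrack are installed and that "apply" and "watch" run as root; the policy name and timeouts are the ones from the EXAMPLE.

```shell
#!/bin/sh
# Added example (not part of the nfct man page): apply the test-tcp policy
# from the EXAMPLE section and check conntrack -E output against it.
# Assumes nfct, iptables and conntrack are installed and that "apply" and
# "watch" run as root; policy name and timeouts are the ones from the EXAMPLE.

POLICY=test-tcp

# Create the policy (replacing a stale copy) and attach it in the raw table
# for both directions without inserting duplicate rules.
apply_policy() {
    nfct timeout delete "$POLICY" 2>/dev/null
    nfct timeout add "$POLICY" inet tcp established 100 close 10 close_wait 10
    for chain in PREROUTING OUTPUT; do
        iptables -t raw -C "$chain" -p tcp -j CT --timeout "$POLICY" 2>/dev/null ||
            iptables -t raw -I "$chain" -p tcp -j CT --timeout "$POLICY"
    done
}

# check_event LINE STATE SECONDS
# In a conntrack -E line, field 2 is the protocol, field 4 the remaining
# timeout and field 5 the TCP state. Returns 0 when LINE is a tcp event in
# STATE whose timeout is between 1 and SECONDS (the policy value counts down),
# 1 when it is larger (the policy is not applied), 2 for any other line.
check_event() {
    printf '%s\n' "$1" | awk -v st="$2" -v want="$3" '
        $2 == "tcp" && $5 == st { if ($4 > 0 && $4 <= want) exit 0; else exit 1 }
        { exit 2 }'
}

# Follow live events and flag ESTABLISHED flows that still carry the kernel
# default timeout, which is far above the 100 seconds set by the policy.
watch_events() {
    conntrack -E -p tcp | while read -r line; do
        check_event "$line" ESTABLISHED 100
        case $? in
            0) echo "OK          $line" ;;
            1) echo "NOT-APPLIED $line" ;;
        esac
    done
}

case ${1:-} in
    apply) apply_policy ;;
    watch) watch_events ;;
esac
```

Run it as "./nfct-timeout.sh apply" once, then "./nfct-timeout.sh watch" while generating tcp traffic; any NOT-APPLIED line means the CT rule did not match that flow.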
SEE ALSO
iptables(8),
conntrack(8)
BUGS
Please report them to netfilter-devel@vger.kernel.org or file a bug in
Netfilter's bugzilla (https://bugzilla.netfilter.org).
AUTHORS
Pablo Neira Ayuso wrote and maintains the nfct tool.
Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.