NFCT(8)                                                                NFCT(8)

NAME

       nfct - command line tool to configure the connection tracking system

SYNOPSIS

       nfct command subsystem [parameters]

DESCRIPTION

       nfct is the command line tool that allows you to configure the
       Connection Tracking System.

COMMANDS

       list   List the existing objects.

       add    Add new object.

       delete Delete an object.

       get    Get an existing object.

       flush  Flush the accounting object table.

       disable
              This command is for the helper subsystem. It allows you to
              disable enqueueing packets to userspace for helper inspection.

       default-set
              This command is for the timeout subsystem. It allows you to set
              default protocol timeouts.

       default-get
              This command is for the timeout subsystem. It allows you to get
              the default protocol timeouts.

SUBSYS

       At the time this manpage was written, the supported subsystems are
       timeout and helper.

       timeout
              The timeout subsystem allows you to define fine-grain timeout
              policies.

       helper The helper subsystem allows you to configure userspace helpers.

       version
              Displays the version information.

       help   Displays the help message.

EXAMPLE

       nfct add timeout test-tcp inet tcp established 100 close 10 close_wait 10

       This creates a timeout policy for tcp using 100 seconds for the
       ESTABLISHED state, 10 seconds for the CLOSE state and 10 seconds for
       the CLOSE_WAIT state.

       Then, you can attach the timeout policy with the iptables CT target:

       iptables -I PREROUTING -t raw -p tcp -j CT --timeout test-tcp

       iptables -I OUTPUT -t raw -p tcp -j CT --timeout test-tcp

       You can test the timeout policy with:

       conntrack -E -p tcp

       It should display:

       [UPDATE]  tcp  6  100  ESTABLISHED  src=192.168.39.100  dst=57.126.1.20
       sport=56463  dport=80   src=57.126.1.20   dst=192.168.39.100   sport=80
       dport=56463 [ASSURED]
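
       The check in the last step can be automated. The script below is an
       added example, not part of nfct or conntrack-tools: the function names
       check_timeouts and sample_events are hypothetical, the sample events
       are constructed, and the limits are the ones from the test-tcp policy.

```shell
#!/bin/sh
# Added example: check conntrack events against the test-tcp policy above.
# Limits copied from the nfct command on this page (state=seconds).
POLICY="ESTABLISHED=100 CLOSE=10 CLOSE_WAIT=10"

# Constructed sample events (documentation addresses), not captured output.
# 432000 stands for a flow that never matched the CT --timeout rule (assumed).
sample_events() {
    cat <<'EOF'
[NEW] tcp      6 120 SYN_SENT src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=80 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40000
[UPDATE] tcp      6 100 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40000 [ASSURED]
[UPDATE] tcp      6 432000 ESTABLISHED src=192.0.2.11 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=192.0.2.11 sport=80 dport=40001 [ASSURED]
[UPDATE] tcp      6 10 CLOSE_WAIT src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40000 [ASSURED]
[DESTROY] tcp      6 src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40000 [ASSURED]
EOF
}

# Read `conntrack -E -p tcp` lines on stdin. Print every event whose timeout
# exceeds the policy limit for its state, then a summary line.
# Exit status: 0 if all checked events are within policy, 1 otherwise.
check_timeouts() {
    awk -v policy="$POLICY" '
    BEGIN {
        n = split(policy, kv, " ")
        for (i = 1; i <= n; i++) { split(kv[i], p, "="); limit[p[1]] = p[2] }
    }
    # Fields: [EVENT] tcp 6 <timeout> <STATE> src=... dst=...
    # Lines without a numeric timeout (assumed: DESTROY events) are skipped,
    # as are states the policy does not set.
    $2 == "tcp" && $4 ~ /^[0-9]+$/ && ($5 in limit) {
        checked++
        if ($4 + 0 > limit[$5] + 0) {
            bad++
            printf "VIOLATION state=%s timeout=%s limit=%s %s %s\n", $5, $4, limit[$5], $6, $7
        }
    }
    END { printf "checked=%d violations=%d\n", checked, bad; exit (bad > 0) }
    '
}

# Stand-alone run over the constructed sample.
sample_events | check_timeouts || echo "some flows are not using the policy timeouts"
```

       On a live system, pipe the output of conntrack -E -p tcp into
       check_timeouts; the summary line is printed when the event stream ends.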

SEE ALSO

       iptables(8), conntrack(8)

BUGS

       Please, report them to netfilter-devel@vger.kernel.org or file a bug in
       Netfilter's bugzilla (https://bugzilla.netfilter.org).

AUTHORS

       Pablo Neira Ayuso wrote and maintains the nfct tool.

       Man page written by Pablo Neira Ayuso <pablo@netfilter.org>.

                                 Feb 29, 2012                          NFCT(8)