Re: [RFC] Per-conntrack timeout target

Phil Oester wrote:
> I use a fairly short 2 hour established timeout on firewalls I operate,
> which works fine for most purposes.  Occasionally, however, it would
> be nice to have a longer timeout for *certain* types of traffic
> such as SSH or telnet sessions.
> So, below find a TIMEOUT target to enable such per-conntrack timeouts.
> Syntax for SSH would be something like:
>
>         iptables -A foo -p tcp --dport 22 -j TIMEOUT --timeout 123456
>         iptables -A foo -p tcp --dport 22 -j ACCEPT
>
> It could of course also be used to lower the timeouts on some traffic,
> such as HTTP.
>
> Please review, comment, criticize, etc.  Note that at present it only
> handles TCP/UDP traffic.  If deemed "merge-worthy", support for other
> protos will be added.


The only downside I see is that it adds another 4 bytes to the conntrack
structure and distributions are probably going to enable it, like
everything else. It would be nice if we could put this in a ct_extend
structure, but that would mean you're only able to set it for new
connections. What do you think about this?