On 09/01/2016 06:59 AM, Pablo Neira Ayuso wrote:
> Setting custom timeout policies per address/protocol/port (any selector basically) is possible through -j CT --timeout name from the raw table. You have to create the timeout policy in the first place through 'nfct' that comes in the conntrack-tools package. I think there are examples for this already, otherwise let me know and we can place it on the manpage.
There is a TCP example on the nfct manpage but it would be helpful if it listed what timeouts are possible to set for each protocol (syn_sent, time_wait, etc.) corresponding to ip_conntrack_[proto]_timeout_[state] in net.ipv4.netfilter. Especially how to set the timeout corresponding to ip_conntrack_udp_timeout since it doesn't follow the pattern.
FWIW it would also be useful (in another context) if there was a stable way to set these values for a specific conntrack entry.
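As an added example (not part of the thread, and not from conntrack-tools or the netfilter project), the following script walks the two-step procedure Pablo describes: create a timeout policy object with nfct, then attach it to selected flows with -j CT --timeout from the raw table. It also shows the per-protocol state names nfct accepts, including the UDP case asked about above: the UDP policy has no named states, only "unreplied" (the sysctl nf_conntrack_udp_timeout / ip_conntrack_udp_timeout) and "replied" (nf_conntrack_udp_timeout_stream). Policy names, ports and timeout values are constructed placeholders; both tools need root and the nfnetlink_cttimeout module, so the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: custom conntrack timeout policies with nfct + -j CT --timeout.
# Dry-run by default (prints commands); set APPLY=1 to execute them as root.
set -eu

# run: execute a command, or print it verbatim in dry-run mode
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Constructed policy names and values; adjust to the environment.
TCP_POLICY=short-tcp
UDP_POLICY=short-udp

# TCP state names mirror the sysctls nf_conntrack_tcp_timeout_<state>
# (syn_sent, syn_recv, established, fin_wait, close_wait, last_ack,
# time_wait, close, syn_sent2, retrans, unacknowledged).
add_tcp_policy() {
    run nfct add timeout "$TCP_POLICY" inet tcp \
        syn_sent 30 syn_recv 30 established 600 fin_wait 30 \
        close_wait 30 last_ack 30 time_wait 30 close 10
}

# UDP has only two attributes: "unreplied" corresponds to
# nf_conntrack_udp_timeout and "replied" to nf_conntrack_udp_timeout_stream.
add_udp_policy() {
    run nfct add timeout "$UDP_POLICY" inet udp unreplied 15 replied 60
}

# The CT target is only valid in the raw table (PREROUTING/OUTPUT), i.e.
# before conntrack creates the entry, so the policy is applied at creation.
attach_policies() {
    run iptables -t raw -A PREROUTING -p tcp --dport 22 -j CT --timeout "$TCP_POLICY"
    run iptables -t raw -A PREROUTING -p udp --dport 53 -j CT --timeout "$UDP_POLICY"
}

# Tear down in reverse order: rules first, then the policies they reference
# (nfct refuses to delete a policy that is still in use by a rule).
remove_all() {
    run iptables -t raw -D PREROUTING -p tcp --dport 22 -j CT --timeout "$TCP_POLICY"
    run iptables -t raw -D PREROUTING -p udp --dport 53 -j CT --timeout "$UDP_POLICY"
    run nfct delete timeout "$TCP_POLICY"
    run nfct delete timeout "$UDP_POLICY"
}

case "${1:-apply}" in
    apply)  add_tcp_policy; add_udp_policy; attach_policies ;;
    remove) remove_all ;;
    *)      echo "usage: $0 [apply|remove]" >&2; exit 2 ;;
esac
```

To confirm a policy is attached to live entries, `nfct list timeout` shows the objects and `conntrack -L` shows the remaining lifetime of each entry, which should now follow the policy rather than the global sysctls.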