On 12/15/2016 03:53 PM, Pablo Neira Ayuso wrote:
> On Thu, Dec 15, 2016 at 01:46:46PM -0500, zrm wrote:
>> The nfct command allows creating a custom timeout policy. The man page
>> describes how to attach the timeout policy using iptables.
>> How do you attach it when the flow is created using the conntrack API with
>> NFCT_Q_CREATE, or attach to a flow that already exists?
> You have to use libnetfilter_cttimeout.
I can see how to use libnetfilter_cttimeout to create a timeout policy and
pass it to the kernel.
But I might have previously created some flow with
libnetfilter_conntrack e.g.:
udp 17 142 src=192.168.1.5 dst=203.0.113.10 sport=54422 dport=2345 src=203.0.113.10 dst=198.51.100.50 sport=2345 dport=54422 [ASSURED] mark=0 use=1
How can I change the timeout policy for this flow to use the newly
created one?
I would have expected to see something like
ATTR_TIMEOUT_POLICY, /* string */
in "enum nf_conntrack_attr" in libnetfilter_conntrack.h, but no luck.
What am I missing?
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html