OpenCloudOS-Kernel/include/linux/netfilter
Pablo Neira Ayuso 24de58f465 netfilter: xt_CT: allow to attach timeout policy + glue code
This patch allows you to attach the timeout policy via the
CT target; it adds a new revision of the target to ensure
backward compatibility. Moreover, it also contains the glue
code to stick the timeout object defined via nfnetlink_cttimeout
to the given flow.

Example usage (it requires installing the nfct tool and
libnetfilter_cttimeout):

1) create the timeout policy:

 nfct timeout add tcp-policy0 inet tcp \
	established 1000 close 10 time_wait 10 last_ack 10

2) attach the timeout policy to the packet:

 iptables -I PREROUTING -t raw -p tcp -j CT --timeout tcp-policy0

You have to install the following user-space software:

a) libnetfilter_cttimeout:
   git://git.netfilter.org/libnetfilter_cttimeout

b) nfct:
   git://git.netfilter.org/nfct

You also have to get iptables with -j CT --timeout support.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-03-07 17:41:28 +01:00
ipset netfilter: ipset: hash:net,iface timeout bug fixed 2012-03-07 17:40:37 +01:00
Kbuild netfilter: add cttimeout infrastructure for fine timeout tuning 2012-03-07 17:41:22 +01:00
nf_conntrack_amanda.h
nf_conntrack_common.h netfilter: revert user-space expectation helper support 2012-01-16 14:01:23 +01:00
nf_conntrack_dccp.h
nf_conntrack_ftp.h
nf_conntrack_h323.h
nf_conntrack_h323_asn1.h
nf_conntrack_h323_types.h
nf_conntrack_irc.h
nf_conntrack_pptp.h
nf_conntrack_proto_gre.h Fix common misspellings 2011-03-31 11:26:23 -03:00
nf_conntrack_sane.h
nf_conntrack_sctp.h
nf_conntrack_sip.h netfilter: nf_conntrack_sip: Add callid parser 2010-10-04 22:45:23 +09:00
nf_conntrack_snmp.h netfilter: nf_conntrack: nf_conntrack snmp helper 2011-01-18 18:12:24 +01:00
nf_conntrack_tcp.h netfilter: nf_ct_tcp: move retransmission and unacknowledged timeout to array 2012-03-07 17:41:15 +01:00
nf_conntrack_tftp.h
nf_conntrack_tuple_common.h netfilter: nf_nat: export NAT definitions to userspace 2011-12-23 14:36:43 +01:00
nf_nat.h netfilter: nf_nat: export NAT definitions to userspace 2011-12-23 14:36:43 +01:00
nfnetlink.h netfilter: add cttimeout infrastructure for fine timeout tuning 2012-03-07 17:41:22 +01:00
nfnetlink_acct.h netfilter: add extended accounting infrastructure over nfnetlink 2011-12-25 02:43:03 +01:00
nfnetlink_compat.h
nfnetlink_conntrack.h netfilter: ctnetlink: allow to set expectfn for expectations 2012-03-07 17:40:46 +01:00
nfnetlink_cttimeout.h netfilter: add cttimeout infrastructure for fine timeout tuning 2012-03-07 17:41:22 +01:00
nfnetlink_log.h headers: use __aligned_xx types for userspace 2011-03-18 15:14:45 -07:00
nfnetlink_queue.h netfilter: nfnetlink_queue: batch verdict support 2011-07-19 11:46:33 +02:00
x_tables.h percpu: Remove irqsafe_cpu_xxx variants 2011-12-22 10:40:20 -08:00
xt_AUDIT.h netfilter: audit target to record accepted/dropped packets 2011-01-16 18:10:28 +01:00
xt_CHECKSUM.h
xt_CLASSIFY.h
xt_CONNMARK.h
xt_CONNSECMARK.h
xt_CT.h netfilter: xt_CT: allow to attach timeout policy + glue code 2012-03-07 17:41:28 +01:00
xt_DSCP.h
xt_IDLETIMER.h header: fix broken headers for user space 2010-08-22 21:15:39 -07:00
xt_LED.h
xt_LOG.h netfilter: merge ipt_LOG and ip6_LOG into xt_LOG 2012-03-07 17:40:49 +01:00
xt_MARK.h
xt_NFLOG.h
xt_NFQUEUE.h netfilter: allow NFQUEUE bypass if no listener is available 2011-01-18 16:08:30 +01:00
xt_RATEEST.h
xt_SECMARK.h secmark: make secmark object handling generic 2010-10-21 10:12:48 +11:00
xt_TCPMSS.h
xt_TCPOPTSTRIP.h netfilter: xtables: add missing header inclusions for headers_check 2011-01-20 17:50:17 +01:00
xt_TEE.h
xt_TPROXY.h netfilter: xtables: add missing header inclusions for headers_check 2011-01-20 17:50:17 +01:00
xt_addrtype.h netfilter: xt_addrtype: ipv6 support 2011-03-15 20:17:44 +01:00
xt_cluster.h netfilter: xtables: add missing header inclusions for headers_check 2011-01-20 17:50:17 +01:00
xt_comment.h netfilter: xt_comment: drop unneeded unsigned qualifier 2011-01-13 12:05:11 +01:00
xt_connbytes.h headers: use __aligned_xx types for userspace 2011-03-18 15:14:45 -07:00
xt_connlimit.h headers, xtables: Add missing #include <linux/netfilter.h> 2011-08-26 12:02:50 -04:00
xt_connmark.h
xt_conntrack.h headers, xtables: Add missing #include <linux/netfilter.h> 2011-08-26 12:02:50 -04:00
xt_cpu.h
xt_dccp.h
xt_devgroup.h netfilter: xtables: add device group match 2011-02-03 00:05:43 +01:00
xt_dscp.h
xt_ecn.h netfilter: xtables: give xt_ecn its own name 2011-12-27 20:31:38 +01:00
xt_esp.h
xt_hashlimit.h
xt_helper.h
xt_iprange.h headers, xtables: Add missing #include <linux/netfilter.h> 2011-08-26 12:02:50 -04:00
xt_ipvs.h netfilter: fix userspace header warning 2010-08-18 23:34:26 -07:00
xt_length.h
xt_limit.h
xt_mac.h
xt_mark.h
xt_multiport.h
xt_nfacct.h netfilter: xtables: add nfacct match to support extended accounting 2011-12-25 02:43:17 +01:00
xt_osf.h
xt_owner.h
xt_physdev.h
xt_pkttype.h
xt_policy.h
xt_quota.h headers: use __aligned_xx types for userspace 2011-03-18 15:14:45 -07:00
xt_rateest.h
xt_realm.h
xt_recent.h
xt_rpfilter.h netfilter: add ipv4 reverse path filter match 2011-12-04 22:43:37 +01:00
xt_sctp.h
xt_set.h netfilter: ipset: options and flags support added to the kernel API 2011-06-16 18:42:40 +02:00
xt_socket.h netfilter: xtables: add missing header inclusions for headers_check 2011-01-20 17:50:17 +01:00
xt_state.h
xt_statistic.h
xt_string.h
xt_tcpmss.h
xt_tcpudp.h
xt_time.h netfilter: xtables: add missing header inclusions for headers_check 2011-01-20 17:50:17 +01:00
xt_u32.h netfilter: xtables: add missing header inclusions for headers_check 2011-01-20 17:50:17 +01:00