From patchwork Tue Sep 4 18:51:16 2018
X-Patchwork-Submitter: Harsha Sharma
X-Patchwork-Id: 966055
X-Patchwork-Delegate: pablo@netfilter.org
From: Harsha Sharma
To: harshasharmaiitr@gmail.com, pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org
Subject: [PATCH nft] doc: Document ct timeout support
Date: Wed, 5 Sep 2018 00:21:16 +0530
Message-Id: <20180904185116.10826-1-harshasharmaiitr@gmail.com>
X-Mailer: git-send-email 2.14.1
X-Mailing-List: netfilter-devel@vger.kernel.org

Add documentation for creating ct timeout objects and assigning timeout policies via rules.

Signed-off-by: Harsha Sharma
---
 doc/libnftables-json.adoc | 52 +++++++++++++++++++++++++++++++++++++++---
 doc/stateful-objects.txt  | 57 ++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 105 insertions(+), 4 deletions(-)

diff --git a/doc/libnftables-json.adoc b/doc/libnftables-json.adoc
index 59bac17..98303b3 100644
--- a/doc/libnftables-json.adoc
+++ b/doc/libnftables-json.adoc
@@ -23,7 +23,7 @@ libnftables-json - Supported JSON schema by libnftables 'LIST_OBJECT' := 'TABLE' | 'CHAIN' | 'RULE' | 'SET' | 'MAP' | 'ELEMENT' | 'FLOWTABLE' | 'COUNTER' | 'QUOTA' | 'CT_HELPER' | 'LIMIT' | - 'METAINFO_OBJECT' + 'METAINFO_OBJECT' | 'CT_TIMEOUT' == DESCRIPTION libnftables supports JSON formatted input and output. This is implemented as an @@ -117,7 +117,8 @@ ____ *{ "add":* 'ADD_OBJECT' *}* 'ADD_OBJECT' := 'TABLE' | 'CHAIN' | 'RULE' | 'SET' | 'MAP' | 'ELEMENT' | - 'FLOWTABLE' | 'COUNTER | QUOTA' | 'CT_HELPER' | 'LIMIT' + 'FLOWTABLE' | 'COUNTER | QUOTA' | 'CT_HELPER' | 'LIMIT' | + 'CT_TIMEOUT' ____ Add a new ruleset element to the kernel. @@ -161,7 +162,7 @@ ____ 'LIST_OBJECT' := 'TABLE' | 'TABLES' | 'CHAIN' | 'CHAINS' | 'SET' | 'SETS' | 'MAP' | 'MAPS | COUNTER' | 'COUNTERS' | 'QUOTA' | 'QUOTAS' | 'CT_HELPER' | 'CT_HELPERS' | 'LIMIT' | 'LIMITS | RULESET' | - 'METER' | 'METERS' | 'FLOWTABLES' + 'METER' | 'METERS' | 'FLOWTABLES' | 'CT_TIMEOUT' ____ List ruleset elements. The plural forms are used to list all objects of that 
@@ -559,6 +560,42 @@ This object represents a named limit. *inv*:: If true, match if limit was exceeded. If omitted, defaults to *false*. +=== CT TIMEOUT +[verse] +____ +*{ "ct timeout": { + "family":* 'STRING'*, + "table":* 'STRING'*, + "name":* 'STRING'*, + "handle":* 'NUMBER'*, + "protocol":* 'CTH_PROTO'*, + "state":* 'STRING'*, + "value:* 'NUMBER'*, + "l3proto":* 'STRING' +*}}* + +'CTH_PROTO' := *"tcp"* | *"udp"* | *"dccp"* | *"sctp"* | *"gre"* | *"icmpv6"* | *"icmp"* | *"generic"* +____ + +This object represents a named conntrack timeout policy. + +*family*:: + The table's family. +*table*:: + The table's name. +*name*:: + The ct timeout object's name. +*handle*:: + The ct timeout object's handle. In input, used for *delete* command only. +*protocol*:: + The ct timeout object's layer 4 protocol. +*state*:: + The connection state name, for which timeout value has to be updated, e.g. *"established"*, *"syn_sent"*, *"close"* or *"close_wait"*. +*value*:: + The updated timeout value for specified connection state. +*l3proto*:: + The ct timeout object's layer 3 protocol, e.g. *"ip"* or *"ip6"*. + == STATEMENTS Statements are the building blocks for rules. Each rule consists of at least a single statement. @@ -952,6 +989,15 @@ Limit number of connections using conntrack. If *true*, match if *val* was exceeded. If omitted, defaults to *false*. +=== CT TIMEOUT +[verse] +*{ "ct timeout":* 'EXPRESSION' *}* + +Assign connection tracking timeout policy. + +*ct timeout*:: + CT timeout reference. + == EXPRESSIONS Expressions are the building blocks of (most) statements. In their most basic form, they are just immediate values represented as JSON string, integer or diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt index 83a2575..120673d 100644 --- a/doc/stateful-objects.txt +++ b/doc/stateful-objects.txt @@ -1,4 +1,4 @@ -CT +CT HELPER ~~ [verse] *ct* helper 'helper' {type 'type' protocol 'protocol' ; [l3proto 'family' ;] } 
@@ -40,6 +40,61 @@ table inet myhelpers { } ---------------------------------- +CT TIMEOUT +~~ +[verse] +*ct* timeout 'name' {protocol 'protocol' ; policy = {'state': 'value'} ;[l3proto 'family' ;] } + +Ct timeout is used to update connection tracking timeout values.Timeout policies are assigned +with the *ct timeout set* statement. 'protocol' and 'policy' are + mandatory, l3proto is derived from the table family by default. + +.conntrack timeout specifications +[options="header"] +|================= +|Keyword | Description | Type +| protocol | +layer 4 protocol of the timeout object | +string (e.g. ip) +|state | +connection state name | +string (e.g. "established") +|value | +timeout value for connection state | +unsigned integer +|l3proto | +layer 3 protocol of the timeout object | +address family (e.g. ip) +|================= + +.defining and assigning ct timeout policy +---------------------------------- +table ip raw { + ct timeout cttime { + protocol tcp; + l3proto ip + policy = { established: 111, close: 13 } + } + + chain output { + type filter hook output priority -300; policy accept; + ct timeout set "cttime" + } +} +---------------------------------- + +.testing the updated timeout policy +---------------------------------- + +%conntrack -E + +It should display: + +[NEW] tcp 6 111 ESTABLISHED src=172.16.19.128 dst=172.16.19.1 +sport=22 dport=41360 [UNREPLIED] src=172.16.19.1 dst=172.16.19.128 +sport=41360 dport=22 +---------------------------------- + COUNTER ~~~~~~~ [verse]
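Review bot: In the third libnftables-json.adoc hunk (@@ -161,7 +162,7 @@, the 'LIST_OBJECT' production of the *list* command), 'CT_TIMEOUT' is added without a plural form, while every other object there comes as a pair ('CT_HELPER' | 'CT_HELPERS', 'LIMIT' | 'LIMITS') and the text under the production says the plural forms are used to list all objects of that kind. Either add 'CT_TIMEOUTS' if libnftables accepts it, or say explicitly that listing all ct timeout objects at once is not supported.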
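Review bot: In the @@ -559,6 +560,42 @@ hunk the CT TIMEOUT object verse has a typo: `"value:* 'NUMBER'*,` is missing the closing double quote and should read `"value":* 'NUMBER'*,` like the other keys. The same verse documents a single *state*/*value* pair per object, but the nft syntax added to stateful-objects.txt in this patch takes a map (`policy = { established: 111, close: 13 }`); the schema should say how several state/value entries are expressed in JSON (for example a "policy" object keyed by state name) or state explicitly that one JSON object carries exactly one state.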
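Review bot: In the @@ -952,6 +989,15 @@ hunk the CT TIMEOUT statement describes 'EXPRESSION' only as "CT timeout reference"; say what is expected there, i.e. the name of a ct timeout object in the same table given as a JSON string, so it lines up with the `ct timeout set "cttime"` usage in the stateful-objects.txt example.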
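Review bot: In the stateful-objects.txt @@ -1,4 +1,4 @@ hunk, renaming the title from 'CT' to 'CT HELPER' leaves the '~~' underline at two characters; AsciiDoc two-line section titles need the underline length to match the title (COUNTER further down uses seven tildes), so this heading will most likely stop rendering as a section. Lengthen the underline to the width of 'CT HELPER'.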
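Review bot: In the @@ -40,6 +40,61 @@ hunk the new 'CT TIMEOUT' title has the same two-character '~~' underline and needs ten tildes to render as a section. Further points in the same hunk: the specification table gives "string (e.g. ip)" as the example for *protocol*, but *protocol* is described as the layer 4 protocol, so the example should be a transport protocol such as tcp (the l3proto row already uses ip); "values.Timeout" needs a space after the period and " mandatory" has a stray leading space; in the ruleset example `l3proto ip` has no trailing ';' although the verse writes one after every option and the preceding `protocol tcp;` line has it; and the '.testing the updated timeout policy' block puts the `%conntrack -E` command, the prose "It should display:" and the expected output inside one '----' listing, so move the prose sentence out of the listing (or split it into two listings) so it is not rendered as literal output.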