Attaching nfct timeout policy

Attaching nfct timeout policy

[zrm]

The nfct command allows creating a custom timeout policy. The man page 
describes how to attach the timeout policy using iptables.

How do you attach it when the flow is created using the conntrack API 
with NFCT_Q_CREATE, or attach to a flow that already exists?

Re: Attaching nfct timeout policy

[Pablo Neira Ayuso]

On Thu, Dec 15, 2016 at 01:46:46PM -0500, zrm wrote:
> The nfct command allows creating a custom timeout policy. The man page
> describes how to attach the timeout policy using iptables.
> 
> How do you attach it when the flow is created using the conntrack API with
> NFCT_Q_CREATE, or attach to a flow that already exists?

You have to use libnetfilter_cttimeout.

Re: Attaching nfct timeout policy

[zrm]

On 12/15/2016 03:53 PM, Pablo Neira Ayuso wrote:
> On Thu, Dec 15, 2016 at 01:46:46PM -0500, zrm wrote:
>> The nfct command allows creating a custom timeout policy. The man page
>> describes how to attach the timeout policy using iptables.
>>
>> How do you attach it when the flow is created using the conntrack API with
>> NFCT_Q_CREATE, or attach to a flow that already exists?
>
> You have to use libnetfilter_cttimeout.
>

I can see how to use libnetfilter_cttimeout to create a timeout policy 
pass it to the kernel.

But I might have previously created some flow with 
libnetfilter_conntrack e.g.:

udp  17 142 src=192.168.1.5 dst=203.0.113.10 sport=54422 dport=2345 
src=203.0.113.10 dst=198.51.100.50 sport=2345 dport=54422 [ASSURED] 
mark=0 use=1

How can I change the timeout policy for this flow to use the newly 
created one?

I would have expected to see something like

	ATTR_TIMEOUT_POLICY,	/* string */

in "enum nf_conntrack_attr" in libnetfilter_conntrack.h, but no luck.

What am I missing?