.. SPDX-License-Identifier: GPL-2.0

===================================
Netfilter Conntrack Sysfs variables
===================================

/proc/sys/net/netfilter/nf_conntrack_* Variables:
=================================================

nf_conntrack_acct - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Enable connection tracking flow accounting. 64-bit byte and packet
	counters per flow are added.

nf_conntrack_buckets - INTEGER
	Size of the hash table. If not specified as a parameter during module
	loading, the default size is calculated by dividing total memory
	by 16384 to determine the number of buckets, but the hash table will
	never have fewer than 32 buckets and is limited to 16384 buckets. For
	systems with more than 4GB of memory it will be 65536 buckets.
	This sysctl is only writable in the initial net namespace.

nf_conntrack_checksum - BOOLEAN
	- 0 - disabled
	- not 0 - enabled (default)

	Verify the checksum of incoming packets. Packets with bad checksums are
	in INVALID state. If this is enabled, such packets will not be
	considered for connection tracking.

nf_conntrack_count - INTEGER (read-only)
	Number of currently allocated flow entries.

nf_conntrack_events - BOOLEAN
	- 0 - disabled
	- not 0 - enabled (default)

	If this option is enabled, the connection tracking code will
	provide userspace with connection tracking events via ctnetlink.

nf_conntrack_expect_max - INTEGER
	Maximum size of the expectation table. Default value is
	nf_conntrack_buckets / 256. Minimum is 1.

nf_conntrack_frag6_high_thresh - INTEGER
	default 262144

	Maximum memory used to reassemble IPv6 fragments. When
	nf_conntrack_frag6_high_thresh bytes of memory are allocated for this
	purpose, the fragment handler will toss packets until
	nf_conntrack_frag6_low_thresh is reached.

nf_conntrack_frag6_low_thresh - INTEGER
	default 196608

	See nf_conntrack_frag6_high_thresh

nf_conntrack_frag6_timeout - INTEGER (seconds)
	default 60

	Time to keep an IPv6 fragment in memory.

nf_conntrack_generic_timeout - INTEGER (seconds)
	default 600

	Default for the generic timeout. This refers to layer 4 unknown/unsupported
	protocols.

nf_conntrack_helper - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Enable automatic conntrack helper assignment.
	If disabled, it is required to set up iptables rules to assign
	helpers to connections. See the CT target description in the
	iptables-extensions(8) man page for further information.

nf_conntrack_icmp_timeout - INTEGER (seconds)
	default 30

	Default for the ICMP timeout.

nf_conntrack_icmpv6_timeout - INTEGER (seconds)
	default 30

	Default for the ICMPv6 timeout.

nf_conntrack_log_invalid - INTEGER
	- 0 - disable (default)
	- 1 - log ICMP packets
	- 6 - log TCP packets
	- 17 - log UDP packets
	- 33 - log DCCP packets
	- 41 - log ICMPv6 packets
	- 136 - log UDPLITE packets
	- 255 - log packets of any protocol

	Log invalid packets of the type specified by the value.

nf_conntrack_max - INTEGER
	Size of the connection tracking table. Default value is
	nf_conntrack_buckets value * 4.

nf_conntrack_tcp_be_liberal - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Be conservative in what you do, be liberal in what you accept from others.
	If it's non-zero, we mark only out-of-window RST segments as INVALID.

nf_conntrack_tcp_loose - BOOLEAN
	- 0 - disabled
	- not 0 - enabled (default)

	If it is set to zero, we disable picking up already established
	connections.

nf_conntrack_tcp_max_retrans - INTEGER
	default 3

	Maximum number of packets that can be retransmitted without
	receiving an (acceptable) ACK from the destination. If this number
	is reached, a shorter timer will be started.

nf_conntrack_tcp_timeout_close - INTEGER (seconds)
	default 10

nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
	default 60

nf_conntrack_tcp_timeout_established - INTEGER (seconds)
	default 432000 (5 days)

nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
	default 30

nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
	default 300

nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
	default 60

nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
	default 300

nf_conntrack_timestamp - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Enable connection tracking flow timestamping.

nf_conntrack_udp_timeout - INTEGER (seconds)
	default 30

nf_conntrack_udp_timeout_stream - INTEGER (seconds)
	default 120

	This extended timeout will be used in case a UDP stream is
	detected.

nf_conntrack_gre_timeout - INTEGER (seconds)
	default 30

nf_conntrack_gre_timeout_stream - INTEGER (seconds)
	default 180

	This extended timeout will be used in case a GRE stream is
	detected.

nf_flowtable_tcp_timeout - INTEGER (seconds)
	default 30

	Control the offload timeout for TCP connections.
	TCP connections may be offloaded from nf conntrack to the nf flow table.
	Once aged, the connection is returned to nf conntrack with the TCP pickup timeout.

nf_flowtable_tcp_pickup - INTEGER (seconds)
	default 120

	TCP connection timeout after being aged from nf flow table offload.

nf_flowtable_udp_timeout - INTEGER (seconds)
	default 30

	Control the offload timeout for UDP connections.
	UDP connections may be offloaded from nf conntrack to the nf flow table.
	Once aged, the connection is returned to nf conntrack with the UDP pickup timeout.

nf_flowtable_udp_pickup - INTEGER (seconds)
	default 30

	UDP connection timeout after being aged from nf flow table offload.
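The sizing rules for nf_conntrack_buckets, nf_conntrack_max and nf_conntrack_expect_max, and the boolean knobs that widen what conntrack accepts (checksum, tcp_loose, tcp_be_liberal, helper, log_invalid), can be checked with a short audit script. This is an added example, not part of the kernel documentation: the function names are ours, the sysctl directory defaults to /proc/sys/net/netfilter but may be pointed at any directory of constructed files, and total memory is passed in as bytes.

```shell
#!/bin/sh
# Added example (not kernel code). Reproduces the documented default sizing
# and audits a sysctl tree; a directory other than /proc/sys/net/netfilter
# is an assumption used for offline testing with constructed files.

# Documented rule: buckets = total_mem / 16384, never fewer than 32,
# limited to 16384, and 65536 when total memory exceeds 4GB.
ct_default_buckets() {
	mem=$1
	buckets=$((mem / 16384))
	if [ "$mem" -gt 4294967296 ]; then echo 65536
	elif [ "$buckets" -lt 32 ]; then echo 32
	elif [ "$buckets" -gt 16384 ]; then echo 16384
	else echo "$buckets"
	fi
}

# nf_conntrack_max defaults to buckets * 4; nf_conntrack_expect_max to
# buckets / 256 with a minimum of 1.
ct_default_max() { echo $(( $(ct_default_buckets "$1") * 4 )); }
ct_default_expect_max() {
	e=$(( $(ct_default_buckets "$1") / 256 ))
	[ "$e" -lt 1 ] && e=1
	echo "$e"
}

# Read one sysctl; "?" means the file is absent (e.g. module not loaded).
ct_get() { if [ -r "$1/$2" ]; then cat "$1/$2"; else echo "?"; fi; }
ct_is() { v=$(ct_get "$1" "$2"); [ "$v" != "?" ] && [ "$v" = "$3" ]; }
ct_nonzero() { v=$(ct_get "$1" "$2"); [ "$v" != "?" ] && [ "$v" != 0 ]; }

# Report table pressure and the settings that make conntrack accept more
# than it needs to. $1 is the sysctl directory.
ct_audit() {
	d=${1:-/proc/sys/net/netfilter}
	count=$(ct_get "$d" nf_conntrack_count)
	max=$(ct_get "$d" nf_conntrack_max)
	if [ "$count" != "?" ] && [ "$max" != "?" ] && [ $((count * 10)) -ge $((max * 9)) ]; then
		echo "WARN table at ${count}/${max} entries: within 10% of nf_conntrack_max"
	fi
	ct_is "$d" nf_conntrack_checksum 0 && echo "WARN nf_conntrack_checksum=0: incoming checksums are not verified"
	ct_nonzero "$d" nf_conntrack_tcp_loose && echo "INFO nf_conntrack_tcp_loose set: already established connections are picked up"
	ct_nonzero "$d" nf_conntrack_tcp_be_liberal && echo "INFO nf_conntrack_tcp_be_liberal set: only out-of-window RST is INVALID"
	ct_nonzero "$d" nf_conntrack_helper && echo "INFO nf_conntrack_helper set: helpers assigned automatically, not via CT rules"
	ct_is "$d" nf_conntrack_log_invalid 0 && echo "INFO nf_conntrack_log_invalid=0: INVALID packets are not logged"
	return 0
}
```

Run as `ct_audit` on a live host, or compare `ct_default_max $(awk '/MemTotal/{print $2*1024}' /proc/meminfo)` with the current nf_conntrack_max to see whether the table was sized by hand.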