.. SPDX-License-Identifier: GPL-2.0

===================================
Netfilter Conntrack Sysfs variables
===================================

/proc/sys/net/netfilter/nf_conntrack_* Variables:
=================================================

nf_conntrack_acct - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Enable connection tracking flow accounting. 64-bit byte and packet
	counters per flow are added.

nf_conntrack_buckets - INTEGER
	Size of the hash table. If not specified as a parameter during module
	loading, the default size is calculated by dividing total memory
	by 16384 to determine the number of buckets, but the hash table will
	never have fewer than 32 or more than 16384 buckets. For systems
	with more than 4GB of memory it will be 65536 buckets.
	This sysctl is only writeable in the initial net namespace.

nf_conntrack_checksum - BOOLEAN
	- 0 - disabled
	- not 0 - enabled (default)

	Verify the checksum of incoming packets. Packets with bad checksums are
	in INVALID state. If this is enabled, such packets will not be
	considered for connection tracking.

nf_conntrack_count - INTEGER (read-only)
	Number of currently allocated flow entries.

nf_conntrack_events - BOOLEAN
	- 0 - disabled
	- not 0 - enabled (default)

	If this option is enabled, the connection tracking code will
	provide userspace with connection tracking events via ctnetlink.

nf_conntrack_expect_max - INTEGER
	Maximum size of the expectation table. Default value is
	nf_conntrack_buckets / 256. Minimum is 1.

nf_conntrack_frag6_high_thresh - INTEGER
	default 262144

	Maximum memory used to reassemble IPv6 fragments. When
	nf_conntrack_frag6_high_thresh bytes of memory are allocated for this
	purpose, the fragment handler will toss packets until
	nf_conntrack_frag6_low_thresh is reached.

nf_conntrack_frag6_low_thresh - INTEGER
	default 196608

	See nf_conntrack_frag6_high_thresh

nf_conntrack_frag6_timeout - INTEGER (seconds)
	default 60

	Time to keep an IPv6 fragment in memory.

nf_conntrack_generic_timeout - INTEGER (seconds)
	default 600

	Default for generic timeout. This refers to layer 4 unknown/unsupported
	protocols.

nf_conntrack_helper - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Enable automatic conntrack helper assignment.
	If disabled, it is required to set up iptables rules to assign
	helpers to connections. See the CT target description in the
	iptables-extensions(8) man page for further information.

nf_conntrack_icmp_timeout - INTEGER (seconds)
	default 30

	Default for ICMP timeout.

nf_conntrack_icmpv6_timeout - INTEGER (seconds)
	default 30

	Default for ICMP6 timeout.

nf_conntrack_log_invalid - INTEGER
	- 0 - disable (default)
	- 1 - log ICMP packets
	- 6 - log TCP packets
	- 17 - log UDP packets
	- 33 - log DCCP packets
	- 41 - log ICMPv6 packets
	- 136 - log UDPLITE packets
	- 255 - log packets of any protocol

	Log invalid packets of the protocol specified by the value.

nf_conntrack_max - INTEGER
	Size of the connection tracking table. Default value is
	nf_conntrack_buckets value * 4.

nf_conntrack_tcp_be_liberal - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Be conservative in what you do, be liberal in what you accept from others.
	If it's non-zero, we mark only out of window RST segments as INVALID.

nf_conntrack_tcp_ignore_invalid_rst - BOOLEAN
	- 0 - disabled (default)
	- 1 - enabled

	If it's 1, we don't mark out of window RST segments as INVALID.

nf_conntrack_tcp_loose - BOOLEAN
	- 0 - disabled
	- not 0 - enabled (default)

	If it is set to zero, we disable picking up already established
	connections.

nf_conntrack_tcp_max_retrans - INTEGER
	default 3

	Maximum number of packets that can be retransmitted without
	receiving an (acceptable) ACK from the destination. If this number
	is reached, a shorter timer will be started.

nf_conntrack_tcp_timeout_close - INTEGER (seconds)
	default 10

nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
	default 60

nf_conntrack_tcp_timeout_established - INTEGER (seconds)
	default 432000 (5 days)

nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
	default 30

nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
	default 300

nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
	default 60

nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
	default 300

nf_conntrack_timestamp - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Enable connection tracking flow timestamping.

nf_conntrack_udp_timeout - INTEGER (seconds)
	default 30

nf_conntrack_udp_timeout_stream - INTEGER (seconds)
	default 120

	This extended timeout will be used in case there is a UDP stream
	detected.

nf_conntrack_gre_timeout - INTEGER (seconds)
	default 30

nf_conntrack_gre_timeout_stream - INTEGER (seconds)
	default 180

	This extended timeout will be used in case there is a GRE stream
	detected.

nf_hooks_lwtunnel - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	If this option is enabled, the lightweight tunnel netfilter hooks are
	enabled. This option cannot be disabled once it is enabled.

nf_flowtable_tcp_timeout - INTEGER (seconds)
	default 30

	Control the offload timeout for TCP connections.
	TCP connections may be offloaded from nf conntrack to the nf flow table.
	Once aged, the connection is returned to nf conntrack with the TCP pickup timeout.

nf_flowtable_udp_timeout - INTEGER (seconds)
	default 30

	Control the offload timeout for UDP connections.
	UDP connections may be offloaded from nf conntrack to the nf flow table.
	Once aged, the connection is returned to nf conntrack with the UDP pickup timeout.
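As an added example (not part of the kernel documentation), the following Python script parses a constructed ``sysctl -a`` style snapshot of the ``net.netfilter`` values described above and checks table fill, the documented default ratios for ``nf_conntrack_buckets``, ``nf_conntrack_max`` and ``nf_conntrack_expect_max``, and settings that change which packets are marked INVALID; the sample values are invented.

```python
# Audit a snapshot of net.netfilter.* sysctls against the defaults and
# semantics documented in nf_conntrack-sysctl.rst. Added example; the
# SAMPLE text below is constructed, not captured from a real host.

SAMPLE = """\
net.netfilter.nf_conntrack_buckets = 65536
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_count = 996000
net.netfilter.nf_conntrack_expect_max = 128
net.netfilter.nf_conntrack_checksum = 0
net.netfilter.nf_conntrack_helper = 1
net.netfilter.nf_conntrack_tcp_be_liberal = 1
"""


def parse_sysctl(text):
    """Map each short sysctl name (text after the last dot) to its integer value."""
    values = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep:
            values[key.strip().rsplit(".", 1)[-1]] = int(val.strip())
    return values


def default_buckets(mem_bytes):
    """Documented default: memory / 16384, clamped to 32..16384 buckets,
    or 65536 buckets on systems with more than 4GB of memory."""
    if mem_bytes > 4 * 1024 ** 3:
        return 65536
    return min(max(mem_bytes // 16384, 32), 16384)


def audit(v):
    """Return (severity, message) findings for a parsed snapshot."""
    findings = []
    fill = 100.0 * v["nf_conntrack_count"] / v["nf_conntrack_max"]
    if fill >= 90:  # once count reaches max, new flows cannot be tracked
        findings.append(("critical", f"conntrack table {fill:.0f}% full"))
    ratio = v["nf_conntrack_max"] / v["nf_conntrack_buckets"]
    if ratio > 4:  # documented default is max = buckets * 4; larger means longer hash chains
        findings.append(("warn", f"{ratio:.0f} entries per bucket (documented default ratio is 4)"))
    if v["nf_conntrack_expect_max"] < v["nf_conntrack_buckets"] // 256:
        findings.append(("warn", "nf_conntrack_expect_max below documented default buckets/256"))
    if v.get("nf_conntrack_checksum", 1) == 0:
        findings.append(("warn", "checksum verification off: bad-checksum packets are not marked INVALID"))
    if v.get("nf_conntrack_helper", 0):
        findings.append(("info", "automatic helper assignment enabled (default is off; use CT target rules)"))
    if v.get("nf_conntrack_tcp_be_liberal", 0):
        findings.append(("info", "tcp_be_liberal: only out-of-window RST segments are marked INVALID"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_sysctl(SAMPLE)):
        print(f"[{severity}] {message}")
```

On a live host, replace ``SAMPLE`` with the output of ``sysctl net.netfilter``.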