.. SPDX-License-Identifier: GPL-2.0

===================================
Netfilter Conntrack Sysfs variables
===================================

/proc/sys/net/netfilter/nf_conntrack_* Variables:
=================================================

nf_conntrack_acct - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Enable connection tracking flow accounting. 64-bit byte and packet
	counters per flow are added.

nf_conntrack_buckets - INTEGER
	Size of the hash table. If not specified as a parameter during module
	loading, the default size is calculated by dividing total memory
	by 16384 to determine the number of buckets. The hash table will
	never have fewer than 1024 and never more than 262144 buckets.
	This sysctl is only writeable in the initial net namespace.

nf_conntrack_checksum - BOOLEAN
	- 0 - disabled
	- not 0 - enabled (default)

	Verify checksum of incoming packets. Packets with bad checksums are
	in INVALID state. If this is enabled, such packets will not be
	considered for connection tracking.

nf_conntrack_count - INTEGER (read-only)
	Number of currently allocated flow entries.

nf_conntrack_events - BOOLEAN
	- 0 - disabled
	- 1 - enabled
	- 2 - auto (default)

	If this option is enabled, the connection tracking code will
	provide userspace with connection tracking events via ctnetlink.
	The default allocates the extension only if a userspace program is
	listening to ctnetlink events.

nf_conntrack_expect_max - INTEGER
	Maximum size of the expectation table. Default value is
	nf_conntrack_buckets / 256. Minimum is 1.

nf_conntrack_frag6_high_thresh - INTEGER
	default 262144

	Maximum memory used to reassemble IPv6 fragments. When
	nf_conntrack_frag6_high_thresh bytes of memory are allocated for this
	purpose, the fragment handler will toss packets until
	nf_conntrack_frag6_low_thresh is reached.

nf_conntrack_frag6_low_thresh - INTEGER
	default 196608

	See nf_conntrack_frag6_high_thresh.

nf_conntrack_frag6_timeout - INTEGER (seconds)
	default 60

	Time to keep an IPv6 fragment in memory.

nf_conntrack_generic_timeout - INTEGER (seconds)
	default 600

	Default for generic timeout. This refers to layer 4 unknown/unsupported
	protocols.

nf_conntrack_icmp_timeout - INTEGER (seconds)
	default 30

	Default for ICMP timeout.

nf_conntrack_icmpv6_timeout - INTEGER (seconds)
	default 30

	Default for ICMP6 timeout.

nf_conntrack_log_invalid - INTEGER
	- 0 - disable (default)
	- 1 - log ICMP packets
	- 6 - log TCP packets
	- 17 - log UDP packets
	- 33 - log DCCP packets
	- 41 - log ICMPv6 packets
	- 136 - log UDPLITE packets
	- 255 - log packets of any protocol

	Log invalid packets of the type specified by the value.

nf_conntrack_max - INTEGER
	Maximum number of allowed connection tracking entries. This value is set
	to nf_conntrack_buckets by default.
	Note that connection tracking entries are added to the table twice -- once
	for the original direction and once for the reply direction (i.e., with
	the reversed address). This means that with default settings a maxed-out
	table will have an average hash chain length of 2, not 1.

nf_conntrack_tcp_be_liberal - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Be conservative in what you do, be liberal in what you accept from others.
	If it's non-zero, we mark only out of window RST segments as INVALID.
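The sizing rules above (nf_conntrack_buckets derived from total memory and clamped to 1024..262144, nf_conntrack_max defaulting to the bucket count, nf_conntrack_expect_max defaulting to buckets / 256 with a minimum of 1, and the average chain length of 2 at saturation) are easy to get wrong when planning capacity, and nf_conntrack_count against nf_conntrack_max is the number a defender should be watching, since a full table means new flows cannot be tracked. The following POSIX shell script is an added example, not part of the kernel documentation or of the kernel's own sizing code: it models only what this page states (the real kernel code may differ in detail), all function names are this example's own, and the host values at the end are constructed for illustration. The live report at the bottom only runs where the sysctls are readable.

```shell
#!/bin/sh
# Added example, not from the kernel documentation: models the
# nf_conntrack_buckets / nf_conntrack_max / nf_conntrack_expect_max sizing
# rules exactly as stated on this page, and turns nf_conntrack_count against
# nf_conntrack_max into a fill-level check a monitoring job can run.
# Function names are this example's own, not kernel or sysctl identifiers.

# Default bucket count for a host with $1 MiB of RAM: total memory divided
# by 16384, clamped to [1024, 262144]. MiB are used as the unit so the
# arithmetic stays inside 32-bit shell integers (1 MiB / 16384 = 64).
default_buckets() {
    buckets=$(( $1 * (1024 * 1024 / 16384) ))
    if [ "$buckets" -lt 1024 ]; then buckets=1024; fi
    if [ "$buckets" -gt 262144 ]; then buckets=262144; fi
    echo "$buckets"
}

# nf_conntrack_max defaults to the bucket count.
default_max() {
    default_buckets "$1"
}

# nf_conntrack_expect_max defaults to buckets / 256, never below 1.
default_expect_max() {
    expect=$(( $1 / 256 ))
    if [ "$expect" -lt 1 ]; then expect=1; fi
    echo "$expect"
}

# Average hash chain length, in tenths, for $1 tracked flows in a table of
# $2 buckets. Each flow occupies two slots (original + reply tuple), so a
# table filled to max == buckets averages 2.0 entries per bucket.
avg_chain_len_tenths() {
    echo $(( $1 * 2 * 10 / $2 ))
}

# Classify table usage: prints "ok PCT" or "warn PCT", where PCT is the
# percentage of nf_conntrack_max ($2) used by nf_conntrack_count ($1) and
# $3 is the warning threshold. At 100% no new flow can be tracked, so the
# threshold should sit well below that.
table_usage_state() {
    count=$1; max=$2; warn_pct=$3
    pct=$(( count * 100 / max ))
    if [ "$pct" -ge "$warn_pct" ]; then
        echo "warn $pct"
    else
        echo "ok $pct"
    fi
}

# Report the live table on a Linux host; a no-op where the sysctls are not
# readable (other OS, conntrack module not loaded, restricted container).
live_table_report() {
    d=/proc/sys/net/netfilter
    if [ -r "$d/nf_conntrack_count" ] && [ -r "$d/nf_conntrack_max" ]; then
        count=$(cat "$d/nf_conntrack_count")
        max=$(cat "$d/nf_conntrack_max")
        echo "live: $count/$max entries, $(table_usage_state "$count" "$max" 90)"
    else
        echo "live: conntrack sysctls not readable on this host"
    fi
}

# Constructed sample (not real measurements): an 8 GiB host running with
# defaults that is currently tracking 230000 flows.
mem_mib=8192
buckets=$(default_buckets "$mem_mib")
max=$(default_max "$mem_mib")
echo "defaults for ${mem_mib} MiB: buckets=$buckets max=$max expect_max=$(default_expect_max "$buckets")"
echo "avg chain length at saturation: $(avg_chain_len_tenths "$max" "$buckets") tenths"
echo "sample usage: $(table_usage_state 230000 "$max" 90)"
live_table_report
```

For the constructed 8 GiB host the memory rule gives 524288 buckets, which the upper clamp cuts to 262144; nf_conntrack_max therefore also defaults to 262144, expect_max to 1024, and 230000 tracked flows is 87% of the table, just under the 90% warning threshold used here. Raising nf_conntrack_max without raising nf_conntrack_buckets keeps the same memory for the hash heads but lengthens the chains beyond the documented average of 2.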

nf_conntrack_tcp_ignore_invalid_rst - BOOLEAN
	- 0 - disabled (default)
	- 1 - enabled

	If it's 1, we don't mark out of window RST segments as INVALID.

nf_conntrack_tcp_loose - BOOLEAN
	- 0 - disabled
	- not 0 - enabled (default)

	If it is set to zero, we disable picking up already established
	connections.

nf_conntrack_tcp_max_retrans - INTEGER
	default 3

	Maximum number of packets that can be retransmitted without
	receiving an (acceptable) ACK from the destination. If this number
	is reached, a shorter timer will be started.

nf_conntrack_tcp_timeout_close - INTEGER (seconds)
	default 10

nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
	default 60

nf_conntrack_tcp_timeout_established - INTEGER (seconds)
	default 432000 (5 days)

nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
	default 30

nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
	default 300

nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
	default 60

nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
	default 300

nf_conntrack_timestamp - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Enable connection tracking flow timestamping.

nf_conntrack_sctp_timeout_closed - INTEGER (seconds)
	default 10

nf_conntrack_sctp_timeout_cookie_wait - INTEGER (seconds)
	default 3

nf_conntrack_sctp_timeout_cookie_echoed - INTEGER (seconds)
	default 3

nf_conntrack_sctp_timeout_established - INTEGER (seconds)
	default 210

	Default is set to (hb_interval * path_max_retrans + rto_max)

nf_conntrack_sctp_timeout_shutdown_sent - INTEGER (seconds)
	default 3

nf_conntrack_sctp_timeout_shutdown_recd - INTEGER (seconds)
	default 3

nf_conntrack_sctp_timeout_shutdown_ack_sent - INTEGER (seconds)
	default 3

nf_conntrack_sctp_timeout_heartbeat_sent - INTEGER (seconds)
	default 30

	This timeout is used to set up the conntrack entry on secondary paths.
	Default is set to hb_interval.

nf_conntrack_udp_timeout - INTEGER (seconds)
	default 30

nf_conntrack_udp_timeout_stream - INTEGER (seconds)
	default 120

	This extended timeout will be used in case there is a UDP stream
	detected.

nf_conntrack_gre_timeout - INTEGER (seconds)
	default 30

nf_conntrack_gre_timeout_stream - INTEGER (seconds)
	default 180

	This extended timeout will be used in case there is a GRE stream
	detected.

nf_hooks_lwtunnel - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	If this option is enabled, the lightweight tunnel netfilter hooks are
	enabled. This option cannot be disabled once it is enabled.

nf_flowtable_tcp_timeout - INTEGER (seconds)
	default 30

	Control offload timeout for tcp connections.
	TCP connections may be offloaded from nf conntrack to nf flow table.
	Once aged, the connection is returned to nf conntrack with tcp pickup timeout.

nf_flowtable_udp_timeout - INTEGER (seconds)
	default 30

	Control offload timeout for udp connections.
	UDP connections may be offloaded from nf conntrack to nf flow table.
	Once aged, the connection is returned to nf conntrack with udp pickup timeout.