About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Documentation / networking / nf_conntrack-sysctl.txt




Custom Search

Based on kernel version 4.1. Page generated on 2015-06-28 12:13 EST.

1	/proc/sys/net/netfilter/nf_conntrack_* Variables:
2	
3	nf_conntrack_acct - BOOLEAN
4		0 - disabled (default)
5		not 0 - enabled
6	
7		Enable connection tracking flow accounting. 64-bit byte and packet
8		counters per flow are added.
9	
10	nf_conntrack_buckets - INTEGER (read-only)
11		Size of hash table. If not specified as parameter during module
12		loading, the default size is calculated by dividing total memory
13		by 16384 to determine the number of buckets but the hash table will
14		never have fewer than 32 and limited to 16384 buckets. For systems
15		with more than 4GB of memory it will be 65536 buckets.
16	
17	nf_conntrack_checksum - BOOLEAN
18		0 - disabled
19		not 0 - enabled (default)
20	
21		Verify checksum of incoming packets. Packets with bad checksums are
22		in INVALID state. If this is enabled, such packets will not be
23		considered for connection tracking.
24	
25	nf_conntrack_count - INTEGER (read-only)
26		Number of currently allocated flow entries.
27	
28	nf_conntrack_events - BOOLEAN
29		0 - disabled
30		not 0 - enabled (default)
31	
32		If this option is enabled, the connection tracking code will
33		provide userspace with connection tracking events via ctnetlink.
34	
35	nf_conntrack_events_retry_timeout - INTEGER (seconds)
36		default 15
37	
38		This option is only relevant when "reliable connection tracking
39		events" are used.  Normally, ctnetlink is "lossy", that is,
40		events are normally dropped when userspace listeners can't keep up.
41	
42		Userspace can request "reliable event mode".  When this mode is
43		active, the conntrack will only be destroyed after the event was
44		delivered.  If event delivery fails, the kernel periodically
45		re-tries to send the event to userspace.
46	
47		This is the maximum interval the kernel should use when re-trying
48		to deliver the destroy event.
49	
50		A higher number means there will be fewer delivery retries and it
51		will take longer for a backlog to be processed.
52	
53	nf_conntrack_expect_max - INTEGER
54		Maximum size of expectation table.  Default value is
55		nf_conntrack_buckets / 256. Minimum is 1.
56	
57	nf_conntrack_frag6_high_thresh - INTEGER
58		default 262144
59	
60		Maximum memory used to reassemble IPv6 fragments.  When
61		nf_conntrack_frag6_high_thresh bytes of memory is allocated for this
62		purpose, the fragment handler will toss packets until
63		nf_conntrack_frag6_low_thresh is reached.
64	
65	nf_conntrack_frag6_low_thresh - INTEGER
66		default 196608
67	
68		See nf_conntrack_frag6_low_thresh
69	
70	nf_conntrack_frag6_timeout - INTEGER (seconds)
71		default 60
72	
73		Time to keep an IPv6 fragment in memory.
74	
75	nf_conntrack_generic_timeout - INTEGER (seconds)
76		default 600
77	
78		Default for generic timeout.  This refers to layer 4 unknown/unsupported
79		protocols.
80	
81	nf_conntrack_helper - BOOLEAN
82		0 - disabled
83		not 0 - enabled (default)
84	
85		Enable automatic conntrack helper assignment.
86	
87	nf_conntrack_icmp_timeout - INTEGER (seconds)
88		default 30
89	
90		Default for ICMP timeout.
91	
92	nf_conntrack_icmpv6_timeout - INTEGER (seconds)
93		default 30
94	
95		Default for ICMP6 timeout.
96	
97	nf_conntrack_log_invalid - INTEGER
98		0   - disable (default)
99		1   - log ICMP packets
100		6   - log TCP packets
101		17  - log UDP packets
102		33  - log DCCP packets
103		41  - log ICMPv6 packets
104		136 - log UDPLITE packets
105		255 - log packets of any protocol
106	
107		Log invalid packets of a type specified by value.
108	
109	nf_conntrack_max - INTEGER
110		Size of connection tracking table.  Default value is
111		nf_conntrack_buckets value * 4.
112	
113	nf_conntrack_tcp_be_liberal - BOOLEAN
114		0 - disabled (default)
115		not 0 - enabled
116	
117		Be conservative in what you do, be liberal in what you accept from others.
118		If it's non-zero, we mark only out of window RST segments as INVALID.
119	
120	nf_conntrack_tcp_loose - BOOLEAN
121		0 - disabled
122		not 0 - enabled (default)
123	
124		If it is set to zero, we disable picking up already established
125		connections.
126	
127	nf_conntrack_tcp_max_retrans - INTEGER
128		default 3
129	
130		Maximum number of packets that can be retransmitted without
131		received an (acceptable) ACK from the destination. If this number
132		is reached, a shorter timer will be started.
133	
134	nf_conntrack_tcp_timeout_close - INTEGER (seconds)
135		default 10
136	
137	nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
138		default 60
139	
140	nf_conntrack_tcp_timeout_established - INTEGER (seconds)
141		default 432000 (5 days)
142	
143	nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
144		default 120
145	
146	nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
147		default 30
148	
149	nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
150		default 300
151	
152	nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
153		default 60
154	
155	nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
156		default 120
157	
158	nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
159		default 120
160	
161	nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
162		default 300
163	
164	nf_conntrack_timestamp - BOOLEAN
165		0 - disabled (default)
166		not 0 - enabled
167	
168		Enable connection tracking flow timestamping.
169	
170	nf_conntrack_udp_timeout - INTEGER (seconds)
171		default 30
172	
173	nf_conntrack_udp_timeout_stream2 - INTEGER (seconds)
174		default 180
175	
176		This extended timeout will be used in case there is an UDP stream
177		detected.
Hide Line Numbers
About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Information is copyright its respective author. All material is available from the Linux Kernel Source distributed under a GPL License. This page is provided as a free service by mjmwired.net.