Documentation / networking / nf_conntrack-sysctl.txt

Based on kernel version 3.16. Page generated on 2014-08-06 21:40 EST.

/proc/sys/net/netfilter/nf_conntrack_* Variables:

nf_conntrack_acct - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	Enable connection tracking flow accounting. 64-bit byte and packet
	counters per flow are added.

nf_conntrack_buckets - INTEGER (read-only)
	Size of hash table. If not specified as a parameter during module
	loading, the default size is calculated by dividing total memory
	by 16384 to determine the number of buckets, but the hash table will
	never have fewer than 32 or more than 16384 buckets.

nf_conntrack_checksum - BOOLEAN
	0 - disabled
	not 0 - enabled (default)

	Verify checksum of incoming packets. Packets with bad checksums are
	in INVALID state. If this is enabled, such packets will not be
	considered for connection tracking.

nf_conntrack_count - INTEGER (read-only)
	Number of currently allocated flow entries.

nf_conntrack_events - BOOLEAN
	0 - disabled
	not 0 - enabled (default)

	If this option is enabled, the connection tracking code will
	provide userspace with connection tracking events via ctnetlink.

nf_conntrack_events_retry_timeout - INTEGER (seconds)
	default 15

	This option is only relevant when "reliable connection tracking
	events" are used.  Normally, ctnetlink is "lossy", that is,
	events are dropped when userspace listeners can't keep up.

	Userspace can request "reliable event mode".  When this mode is
	active, the conntrack will only be destroyed after the event was
	delivered.  If event delivery fails, the kernel periodically
	re-tries to send the event to userspace.

	This is the maximum interval the kernel should use when re-trying
	to deliver the destroy event.

	A higher number means there will be fewer delivery retries and it
	will take longer for a backlog to be processed.

nf_conntrack_expect_max - INTEGER
	Maximum size of expectation table.  Default value is
	nf_conntrack_buckets / 256. Minimum is 1.

nf_conntrack_frag6_high_thresh - INTEGER
	default 262144

	Maximum memory used to reassemble IPv6 fragments.  When
	nf_conntrack_frag6_high_thresh bytes of memory are allocated for this
	purpose, the fragment handler will toss packets until
	nf_conntrack_frag6_low_thresh is reached.

nf_conntrack_frag6_low_thresh - INTEGER
	default 196608

	See nf_conntrack_frag6_high_thresh

nf_conntrack_frag6_timeout - INTEGER (seconds)
	default 60

	Time to keep an IPv6 fragment in memory.

nf_conntrack_generic_timeout - INTEGER (seconds)
	default 600

	Default for generic timeout.  This refers to layer 4 unknown/unsupported
	protocols.

nf_conntrack_helper - BOOLEAN
	0 - disabled
	not 0 - enabled (default)

	Enable automatic conntrack helper assignment.

nf_conntrack_icmp_timeout - INTEGER (seconds)
	default 30

	Default for ICMP timeout.

nf_conntrack_icmpv6_timeout - INTEGER (seconds)
	default 30

	Default for ICMP6 timeout.

nf_conntrack_log_invalid - INTEGER
	0   - disable (default)
	1   - log ICMP packets
	6   - log TCP packets
	17  - log UDP packets
	33  - log DCCP packets
	58  - log ICMPv6 packets
	136 - log UDPLITE packets
	255 - log packets of any protocol

	Log packets that conntrack classifies as INVALID for the layer 4
	protocol whose IP protocol number is given by value; 255 selects
	every protocol.
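The records this setting produces are only useful if someone reads them; a burst of INVALID TCP segments from one address is how a stateful firewall sees a scan or a spoofed mid-stream probe. The script below is an added example, not part of the kernel documentation or the netfilter project: it summarises such records by reason and by source. The sample lines are constructed here in the layout of the kernel LOG target (an "nf_ct_tcp: <reason> " prefix from conntrack, then the IN=/OUT=/SRC=/DST=/PROTO= fields) using documentation address ranges; the function names and the "reason is the text before IN=" convention are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the kernel documentation). Summarises the records
# that nf_conntrack_log_invalid=6 (or 255) produces, so a burst of INVALID TCP
# segments from one source stands out. SAMPLE_LOG is constructed here in the
# layout of the kernel LOG target: an "nf_ct_tcp: <reason> " prefix, then the
# IN=/OUT=/SRC=/DST=/PROTO= fields. Addresses are documentation ranges.
SAMPLE_LOG='Aug  6 21:40:01 fw kernel: nf_ct_tcp: invalid packet ignored in state ESTABLISHED IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TTL=52 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 ACK URGP=0
Aug  6 21:40:01 fw kernel: nf_ct_tcp: invalid packet ignored in state ESTABLISHED IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TTL=52 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 ACK URGP=0
Aug  6 21:40:02 fw kernel: nf_ct_tcp: invalid RST IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TTL=52 PROTO=TCP SPT=40003 DPT=22 WINDOW=0 RST URGP=0
Aug  6 21:40:05 fw kernel: nf_ct_tcp: invalid packet ignored in state ESTABLISHED IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 LEN=40 TTL=61 PROTO=TCP SPT=51234 DPT=443 WINDOW=512 ACK URGP=0
Aug  6 21:40:06 fw kernel: nf_ct_tcp: bad TCP checksum IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 LEN=40 TTL=61 PROTO=TCP SPT=51235 DPT=443 WINDOW=512 ACK URGP=0
Aug  6 21:40:07 fw kernel: IPv4: martian source 10.0.0.1 from 10.0.0.2, on dev eth0'

# Reads log lines on stdin. Prints "count reason" per distinct reason, most
# frequent first; the reason is the text between "nf_ct_tcp: " and " IN=".
invalid_by_reason() {
    grep 'nf_ct_tcp: ' \
      | sed 's/.*nf_ct_tcp: \(.*\) IN=.*/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n, $0 }'
}

# Reads log lines on stdin. Prints "count src" for each SRC= address that
# produced at least MIN (default 1) invalid TCP segments, most frequent first.
# Lines without the nf_ct_tcp prefix (other kernel messages) are ignored.
invalid_sources() {
    min=${1:-1}
    grep 'nf_ct_tcp: ' \
      | sed -n 's/.* SRC=\([0-9A-Fa-f.:]*\) .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v min="$min" '$1 >= min { print $1, $2 }'
}

# Demo on the constructed sample. On a host, feed the kernel log instead,
# for example: journalctl -k | invalid_sources 10
echo "invalid TCP segments by reason:"
echo "$SAMPLE_LOG" | invalid_by_reason
echo "sources with at least 2 invalid segments:"
echo "$SAMPLE_LOG" | invalid_sources 2
```

Pair the source summary with the nf_conntrack_tcp_loose and nf_conntrack_tcp_be_liberal settings below: segments those options would have silently tracked are the ones that appear here once the options are off.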

nf_conntrack_max - INTEGER
	Size of connection tracking table.  Default value is
	nf_conntrack_buckets value * 4.
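The ceiling matters for availability: once nf_conntrack_count reaches nf_conntrack_max the kernel refuses to track new flows and logs "nf_conntrack: table full, dropping packet", a condition an attacker can force by opening many flows. The script below is an added example, not part of the kernel documentation or the netfilter project. It computes the documented defaults from the formula under nf_conntrack_buckets (RAM / 16384, clamped to 32..16384, then times 4) and measures how full the live table is. ROOT stands for /proc/sys/net/netfilter on a real host; the ROOT parameter, the function names and the 80% warning threshold are this example's conventions.

```shell
#!/bin/sh
# Added example (not from the kernel documentation). Sizes the conntrack table
# as the text describes and checks how full the live table is.
# ROOT is /proc/sys/net/netfilter on a real host; tests and dry runs may point
# it at any directory holding files named nf_conntrack_count and
# nf_conntrack_max. The 80% warning threshold is this example's choice.

# Default bucket count for MEM_BYTES of RAM, per the formula in the text:
# RAM / 16384, clamped to the range 32..16384.
default_buckets() {
    buckets=$(($1 / 16384))
    if [ "$buckets" -lt 32 ]; then buckets=32; fi
    if [ "$buckets" -gt 16384 ]; then buckets=16384; fi
    echo "$buckets"
}

# Default nf_conntrack_max for MEM_BYTES of RAM: buckets * 4.
default_max() {
    echo $(( $(default_buckets "$1") * 4 ))
}

# Read nf_conntrack_<NAME> from ROOT.
ct_get() {
    cat "$1/nf_conntrack_$2"
}

# Whole-number percentage of nf_conntrack_max in use. At 100 the kernel
# logs "nf_conntrack: table full, dropping packet" and new flows fail.
ct_usage_percent() {
    count=$(ct_get "$1" count)
    max=$(ct_get "$1" max)
    if [ "$max" -le 0 ]; then max=1; fi   # guard a malformed file
    echo $((count * 100 / max))
}

# Return 0 when usage is below THRESHOLD percent (default 80), 1 otherwise,
# so the function can drive a cron job or a monitoring probe.
ct_check() {
    root=$1
    threshold=${2:-80}
    pct=$(ct_usage_percent "$root")
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: conntrack table ${pct}% full" \
             "(count=$(ct_get "$root" count) max=$(ct_get "$root" max))" >&2
        return 1
    fi
    echo "ok: conntrack table ${pct}% full (max=$(ct_get "$root" max))"
}

# On a host with conntrack loaded, compare documented defaults with the live
# values and report usage; elsewhere the block defines the functions only.
if [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
    ram=$(awk '/^MemTotal:/ { print $2 * 1024 }' /proc/meminfo)
    echo "documented defaults for $ram bytes of RAM:" \
         "buckets=$(default_buckets "$ram") max=$(default_max "$ram")"
    echo "live values: buckets=$(ct_get /proc/sys/net/netfilter buckets)" \
         "max=$(ct_get /proc/sys/net/netfilter max)"
    ct_check /proc/sys/net/netfilter 80 || true
fi
```

Raising nf_conntrack_max on its own lengthens the hash chains; nf_conntrack_buckets is read-only through sysctl but the count can be changed through the module parameter hashsize (/sys/module/nf_conntrack/parameters/hashsize on a running system). Shortening nf_conntrack_tcp_timeout_established from its five-day default is often the larger win, because idle entries then leave the table before it fills.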

nf_conntrack_tcp_be_liberal - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	Be conservative in what you do, be liberal in what you accept from others.
	If it's non-zero, we mark only out of window RST segments as INVALID.

nf_conntrack_tcp_loose - BOOLEAN
	0 - disabled
	not 0 - enabled (default)

	If it is set to zero, we disable picking up already established
	connections.
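These two switches decide whether a stray TCP segment becomes a tracked connection or an INVALID packet. With nf_conntrack_tcp_loose at its default, a non-SYN segment that matches no existing entry is picked up as a NEW connection instead of being marked INVALID; with nf_conntrack_tcp_be_liberal on, segments outside the tracked window are accepted as well. Both are convenient behind asymmetric routing or after a firewall restart, but each turns traffic that a `--ctstate INVALID -j DROP` rule would catch into traffic that rule never sees, so a ruleset that accepts NEW without also requiring --syn will pass a mid-stream probe. The audit below is an added example, not part of the kernel documentation or the netfilter project: it reads four settings from ROOT (/proc/sys/net/netfilter on a live host), compares them with a hardening policy chosen for this example (tcp_loose=0, tcp_be_liberal=0, checksum=1, log_invalid=6), and prints the sysctl commands that would close each gap. The policy values, ROOT parameter and function names are this example's assumptions; hosts behind asymmetric paths may legitimately need the loose settings on.

```shell
#!/bin/sh
# Added example (not kernel documentation). Audits the conntrack sysctls that
# decide whether a stray or out-of-window TCP segment is tracked or flagged
# INVALID. ROOT is /proc/sys/net/netfilter on a live host; the expected
# values in CT_POLICY are this example's hardening policy, not kernel defaults.

# "name expected reason" per line; reason explains what the weak value allows.
CT_POLICY='tcp_loose 0 mid-stream segments with no entry become NEW instead of INVALID
tcp_be_liberal 0 out-of-window segments are accepted instead of INVALID
checksum 1 bad-checksum packets are tracked instead of INVALID
log_invalid 6 invalid TCP segments are dropped with no log record'

# Print one finding per setting that deviates from CT_POLICY or is absent.
ct_audit() {
    root=$1
    echo "$CT_POLICY" | while read -r name expected reason; do
        path="$root/nf_conntrack_$name"
        if [ ! -r "$path" ]; then
            echo "MISSING nf_conntrack_$name: not present under $root"
            continue
        fi
        actual=$(cat "$path")
        if [ "$actual" != "$expected" ]; then
            echo "WEAK nf_conntrack_$name=$actual (want $expected): $reason"
        fi
    done
}

# Number of findings as a plain integer (0 means the policy is met).
ct_audit_count() {
    ct_audit "$1" | wc -l | tr -d ' '
}

# Emit the sysctl -w commands that bring ROOT into line with CT_POLICY.
# Review them before running: they change how the firewall treats traffic.
ct_remediate() {
    ct_audit "$1" \
      | sed -n 's/^WEAK nf_conntrack_\([a-z_]*\)=.* (want \([0-9]*\)).*/sysctl -w net.netfilter.nf_conntrack_\1=\2/p'
}

# On a host with conntrack loaded, audit the live settings; elsewhere the
# block only defines the functions.
if [ -r /proc/sys/net/netfilter/nf_conntrack_tcp_loose ]; then
    ct_audit /proc/sys/net/netfilter
    ct_remediate /proc/sys/net/netfilter
fi
```

Turning nf_conntrack_tcp_loose off also means conntrack forgets every existing TCP flow when the module reloads or the host reboots, so established sessions must be re-established; pair the change with nf_conntrack_log_invalid so the resulting INVALID drops are visible rather than silent.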

nf_conntrack_tcp_max_retrans - INTEGER
	default 3

	Maximum number of packets that can be retransmitted without
	receiving an (acceptable) ACK from the destination. If this number
	is reached, a shorter timer (nf_conntrack_tcp_timeout_max_retrans)
	will be started.

nf_conntrack_tcp_timeout_close - INTEGER (seconds)
	default 10

nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
	default 60

nf_conntrack_tcp_timeout_established - INTEGER (seconds)
	default 432000 (5 days)

nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
	default 30

nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
	default 300

nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
	default 60

nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
	default 300

nf_conntrack_timestamp - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	Enable connection tracking flow timestamping.

nf_conntrack_udp_timeout - INTEGER (seconds)
	default 30

nf_conntrack_udp_timeout_stream - INTEGER (seconds)
	default 180

	This extended timeout will be used in case a UDP stream is
	detected, that is, once traffic has been seen in both directions.
Information is copyright its respective author. All material is available from the Linux Kernel Source distributed under a GPL License. This page is provided as a free service by mjmwired.net.