Documentation/networking/nf_conntrack-sysctl.rst

*4882a593Smuzhiyun.. SPDX-License-Identifier: GPL-2.0
*4882a593Smuzhiyun
*4882a593Smuzhiyun===================================
*4882a593SmuzhiyunNetfilter Conntrack Sysfs variables
*4882a593Smuzhiyun===================================
*4882a593Smuzhiyun
*4882a593Smuzhiyun/proc/sys/net/netfilter/nf_conntrack_* Variables:
*4882a593Smuzhiyun=================================================
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_acct - BOOLEAN
*4882a593Smuzhiyun	- 0 - disabled (default)
*4882a593Smuzhiyun	- not 0 - enabled
*4882a593Smuzhiyun
*4882a593Smuzhiyun	Enable connection tracking flow accounting. 64-bit byte and packet
*4882a593Smuzhiyun	counters per flow are added.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_buckets - INTEGER
*4882a593Smuzhiyun	Size of hash table. If not specified as parameter during module
*4882a593Smuzhiyun	loading, the default size is calculated by dividing total memory
*4882a593Smuzhiyun	by 16384 to determine the number of buckets but the hash table will
*4882a593Smuzhiyun	never have fewer than 32 and limited to 16384 buckets. For systems
*4882a593Smuzhiyun	with more than 4GB of memory it will be 65536 buckets.
*4882a593Smuzhiyun	This sysctl is only writeable in the initial net namespace.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_checksum - BOOLEAN
*4882a593Smuzhiyun	- 0 - disabled
*4882a593Smuzhiyun	- not 0 - enabled (default)
*4882a593Smuzhiyun
*4882a593Smuzhiyun	Verify checksum of incoming packets. Packets with bad checksums are
*4882a593Smuzhiyun	in INVALID state. If this is enabled, such packets will not be
*4882a593Smuzhiyun	considered for connection tracking.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_count - INTEGER (read-only)
*4882a593Smuzhiyun	Number of currently allocated flow entries.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_events - BOOLEAN
*4882a593Smuzhiyun	- 0 - disabled
*4882a593Smuzhiyun	- not 0 - enabled (default)
*4882a593Smuzhiyun
*4882a593Smuzhiyun	If this option is enabled, the connection tracking code will
*4882a593Smuzhiyun	provide userspace with connection tracking events via ctnetlink.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_expect_max - INTEGER
*4882a593Smuzhiyun	Maximum size of expectation table.  Default value is
*4882a593Smuzhiyun	nf_conntrack_buckets / 256. Minimum is 1.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_frag6_high_thresh - INTEGER
*4882a593Smuzhiyun	default 262144
*4882a593Smuzhiyun
*4882a593Smuzhiyun	Maximum memory used to reassemble IPv6 fragments.  When
*4882a593Smuzhiyun	nf_conntrack_frag6_high_thresh bytes of memory is allocated for this
*4882a593Smuzhiyun	purpose, the fragment handler will toss packets until
*4882a593Smuzhiyun	nf_conntrack_frag6_low_thresh is reached.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_frag6_low_thresh - INTEGER
*4882a593Smuzhiyun	default 196608
*4882a593Smuzhiyun
*4882a593Smuzhiyun	See nf_conntrack_frag6_low_thresh
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_frag6_timeout - INTEGER (seconds)
*4882a593Smuzhiyun	default 60
*4882a593Smuzhiyun
*4882a593Smuzhiyun	Time to keep an IPv6 fragment in memory.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_generic_timeout - INTEGER (seconds)
*4882a593Smuzhiyun	default 600
*4882a593Smuzhiyun
*4882a593Smuzhiyun	Default for generic timeout.  This refers to layer 4 unknown/unsupported
*4882a593Smuzhiyun	protocols.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_helper - BOOLEAN
*4882a593Smuzhiyun	- 0 - disabled (default)
*4882a593Smuzhiyun	- not 0 - enabled
*4882a593Smuzhiyun
*4882a593Smuzhiyun	Enable automatic conntrack helper assignment.
*4882a593Smuzhiyun	If disabled it is required to set up iptables rules to assign
*4882a593Smuzhiyun	helpers to connections.  See the CT target description in the
*4882a593Smuzhiyun	iptables-extensions(8) man page for further information.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_icmp_timeout - INTEGER (seconds)
*4882a593Smuzhiyun	default 30
*4882a593Smuzhiyun
*4882a593Smuzhiyun	Default for ICMP timeout.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_icmpv6_timeout - INTEGER (seconds)
*4882a593Smuzhiyun	default 30
*4882a593Smuzhiyun
*4882a593Smuzhiyun	Default for ICMP6 timeout.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_log_invalid - INTEGER
*4882a593Smuzhiyun	- 0   - disable (default)
*4882a593Smuzhiyun	- 1   - log ICMP packets
*4882a593Smuzhiyun	- 6   - log TCP packets
*4882a593Smuzhiyun	- 17  - log UDP packets
*4882a593Smuzhiyun	- 33  - log DCCP packets
*4882a593Smuzhiyun	- 41  - log ICMPv6 packets
*4882a593Smuzhiyun	- 136 - log UDPLITE packets
*4882a593Smuzhiyun	- 255 - log packets of any protocol
*4882a593Smuzhiyun
*4882a593Smuzhiyun	Log invalid packets of a type specified by value.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_max - INTEGER
*4882a593Smuzhiyun	Size of connection tracking table.  Default value is
*4882a593Smuzhiyun	nf_conntrack_buckets value * 4.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_tcp_be_liberal - BOOLEAN
*4882a593Smuzhiyun	- 0 - disabled (default)
*4882a593Smuzhiyun	- not 0 - enabled
*4882a593Smuzhiyun
*4882a593Smuzhiyun	Be conservative in what you do, be liberal in what you accept from others.
*4882a593Smuzhiyun	If it's non-zero, we mark only out of window RST segments as INVALID.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_tcp_loose - BOOLEAN
*4882a593Smuzhiyun	- 0 - disabled
*4882a593Smuzhiyun	- not 0 - enabled (default)
*4882a593Smuzhiyun
*4882a593Smuzhiyun	If it is set to zero, we disable picking up already established
*4882a593Smuzhiyun	connections.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_tcp_max_retrans - INTEGER
*4882a593Smuzhiyun	default 3
*4882a593Smuzhiyun
*4882a593Smuzhiyun	Maximum number of packets that can be retransmitted without
*4882a593Smuzhiyun	received an (acceptable) ACK from the destination. If this number
*4882a593Smuzhiyun	is reached, a shorter timer will be started.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_tcp_timeout_close - INTEGER (seconds)
*4882a593Smuzhiyun	default 10
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
*4882a593Smuzhiyun	default 60
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_tcp_timeout_established - INTEGER (seconds)
*4882a593Smuzhiyun	default 432000 (5 days)
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
*4882a593Smuzhiyun	default 120
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
*4882a593Smuzhiyun	default 30
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
*4882a593Smuzhiyun	default 300
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
*4882a593Smuzhiyun	default 60
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
*4882a593Smuzhiyun	default 120
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
*4882a593Smuzhiyun	default 120
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
*4882a593Smuzhiyun	default 300
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_timestamp - BOOLEAN
*4882a593Smuzhiyun	- 0 - disabled (default)
*4882a593Smuzhiyun	- not 0 - enabled
*4882a593Smuzhiyun
*4882a593Smuzhiyun	Enable connection tracking flow timestamping.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_udp_timeout - INTEGER (seconds)
*4882a593Smuzhiyun	default 30
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_udp_timeout_stream - INTEGER (seconds)
*4882a593Smuzhiyun	default 120
*4882a593Smuzhiyun
*4882a593Smuzhiyun	This extended timeout will be used in case there is an UDP stream
*4882a593Smuzhiyun	detected.
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_gre_timeout - INTEGER (seconds)
*4882a593Smuzhiyun	default 30
*4882a593Smuzhiyun
*4882a593Smuzhiyunnf_conntrack_gre_timeout_stream - INTEGER (seconds)
*4882a593Smuzhiyun	default 180
*4882a593Smuzhiyun
*4882a593Smuzhiyun	This extended timeout will be used in case there is an GRE stream
*4882a593Smuzhiyun	detected.