
  1. .. SPDX-License-Identifier: GPL-2.0
  2. ===================================
  3. Netfilter Conntrack Sysfs variables
  4. ===================================
  5. /proc/sys/net/netfilter/nf_conntrack_* Variables:
  6. =================================================
  7. nf_conntrack_acct - BOOLEAN
  8. - 0 - disabled (default)
  9. - not 0 - enabled
  10. Enable connection tracking flow accounting. 64-bit byte and packet
  11. counters per flow are added.
  12. nf_conntrack_buckets - INTEGER
  13. Size of the hash table. If not specified as a parameter during module
  14. loading, the default size is calculated by dividing total memory
  15. by 16384 to determine the number of buckets. The hash table will
  16. never have fewer than 1024 and never more than 262144 buckets.
  17. This sysctl is only writeable in the initial net namespace.
  18. nf_conntrack_checksum - BOOLEAN
  19. - 0 - disabled
  20. - not 0 - enabled (default)
  21. Verify checksum of incoming packets. Packets with bad checksums are
  22. in INVALID state. If this is enabled, such packets will not be
  23. considered for connection tracking.
  24. nf_conntrack_count - INTEGER (read-only)
  25. Number of currently allocated flow entries.
  26. nf_conntrack_events - BOOLEAN
  27. - 0 - disabled
  28. - 1 - enabled
  29. - 2 - auto (default)
  30. If this option is enabled, the connection tracking code will
  31. provide userspace with connection tracking events via ctnetlink.
  32. The default allocates the extension if a userspace program is
  33. listening to ctnetlink events.
  34. nf_conntrack_expect_max - INTEGER
  35. Maximum size of expectation table. Default value is
  36. nf_conntrack_buckets / 256. Minimum is 1.
  37. nf_conntrack_frag6_high_thresh - INTEGER
  38. default 262144
  39. Maximum memory used to reassemble IPv6 fragments. When
  40. nf_conntrack_frag6_high_thresh bytes of memory is allocated for this
  41. purpose, the fragment handler will toss packets until
  42. nf_conntrack_frag6_low_thresh is reached.
  43. nf_conntrack_frag6_low_thresh - INTEGER
  44. default 196608
  45. See nf_conntrack_frag6_high_thresh.
  46. nf_conntrack_frag6_timeout - INTEGER (seconds)
  47. default 60
  48. Time to keep an IPv6 fragment in memory.
  49. nf_conntrack_generic_timeout - INTEGER (seconds)
  50. default 600
  51. Default generic timeout. This applies to unknown/unsupported layer 4
  52. protocols.
  53. nf_conntrack_icmp_timeout - INTEGER (seconds)
  54. default 30
  55. Default for ICMP timeout.
  56. nf_conntrack_icmpv6_timeout - INTEGER (seconds)
  57. default 30
  58. Default for ICMP6 timeout.
  59. nf_conntrack_log_invalid - INTEGER
  60. - 0 - disable (default)
  61. - 1 - log ICMP packets
  62. - 6 - log TCP packets
  63. - 17 - log UDP packets
  64. - 41 - log ICMPv6 packets
  65. - 136 - log UDPLITE packets
  66. - 255 - log packets of any protocol
  67. Log invalid packets of a type specified by value.
  68. nf_conntrack_max - INTEGER
  69. Maximum number of allowed connection tracking entries. This value is set
  70. to nf_conntrack_buckets by default.
  71. Note that connection tracking entries are added to the table twice -- once
  72. for the original direction and once for the reply direction (i.e., with
  73. the reversed address). This means that with default settings a maxed-out
  74. table will have an average hash chain length of 2, not 1.
  75. nf_conntrack_tcp_be_liberal - BOOLEAN
  76. - 0 - disabled (default)
  77. - not 0 - enabled
  78. Be conservative in what you do, be liberal in what you accept from others.
  79. If it's non-zero, we only mark out-of-window RST segments as INVALID.
  80. nf_conntrack_tcp_ignore_invalid_rst - BOOLEAN
  81. - 0 - disabled (default)
  82. - 1 - enabled
  83. If it's 1, we don't mark out-of-window RST segments as INVALID.
  84. nf_conntrack_tcp_loose - BOOLEAN
  85. - 0 - disabled
  86. - not 0 - enabled (default)
  87. If it is set to zero, we disable picking up already established
  88. connections.
  89. nf_conntrack_tcp_max_retrans - INTEGER
  90. default 3
  91. Maximum number of packets that can be retransmitted without
  92. receiving an (acceptable) ACK from the destination. If this number
  93. is reached, a shorter timer will be started.
  94. nf_conntrack_tcp_timeout_close - INTEGER (seconds)
  95. default 10
  96. nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
  97. default 60
  98. nf_conntrack_tcp_timeout_established - INTEGER (seconds)
  99. default 432000 (5 days)
  100. nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
  101. default 120
  102. nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
  103. default 30
  104. nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
  105. default 300
  106. nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
  107. default 60
  108. nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
  109. default 120
  110. nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
  111. default 120
  112. nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
  113. default 300
  114. nf_conntrack_timestamp - BOOLEAN
  115. - 0 - disabled (default)
  116. - not 0 - enabled
  117. Enable connection tracking flow timestamping.
  118. nf_conntrack_sctp_timeout_closed - INTEGER (seconds)
  119. default 10
  120. nf_conntrack_sctp_timeout_cookie_wait - INTEGER (seconds)
  121. default 3
  122. nf_conntrack_sctp_timeout_cookie_echoed - INTEGER (seconds)
  123. default 3
  124. nf_conntrack_sctp_timeout_established - INTEGER (seconds)
  125. default 210
  126. Default is set to (hb_interval * path_max_retrans + rto_max)
  127. nf_conntrack_sctp_timeout_shutdown_sent - INTEGER (seconds)
  128. default 3
  129. nf_conntrack_sctp_timeout_shutdown_recd - INTEGER (seconds)
  130. default 3
  131. nf_conntrack_sctp_timeout_shutdown_ack_sent - INTEGER (seconds)
  132. default 3
  133. nf_conntrack_sctp_timeout_heartbeat_sent - INTEGER (seconds)
  134. default 30
  135. This timeout is used to set up a conntrack entry on secondary paths.
  136. Default is set to hb_interval.
  137. nf_conntrack_udp_timeout - INTEGER (seconds)
  138. default 30
  139. nf_conntrack_udp_timeout_stream - INTEGER (seconds)
  140. default 120
  141. This extended timeout will be used in case a UDP stream is
  142. detected.
  143. nf_conntrack_gre_timeout - INTEGER (seconds)
  144. default 30
  145. nf_conntrack_gre_timeout_stream - INTEGER (seconds)
  146. default 180
  147. This extended timeout will be used in case a GRE stream is
  148. detected.
  149. nf_hooks_lwtunnel - BOOLEAN
  150. - 0 - disabled (default)
  151. - not 0 - enabled
  152. If this option is enabled, the lightweight tunnel netfilter hooks are
  153. enabled. This option cannot be disabled once it is enabled.
  154. nf_flowtable_tcp_timeout - INTEGER (seconds)
  155. default 30
  156. Controls the offload timeout for TCP connections.
  157. TCP connections may be offloaded from nf conntrack to nf flow table.
  158. Once aged, the connection is returned to nf conntrack.
  159. nf_flowtable_udp_timeout - INTEGER (seconds)
  160. default 30
  161. Controls the offload timeout for UDP connections.
  162. UDP connections may be offloaded from nf conntrack to nf flow table.
  163. Once aged, the connection is returned to nf conntrack.