0001 .. SPDX-License-Identifier: GPL-2.0
0002
0003 ===================================
0004 Netfilter Conntrack Sysfs variables
0005 ===================================
0006
0007 /proc/sys/net/netfilter/nf_conntrack_* Variables:
0008 =================================================
0009
0010 nf_conntrack_acct - BOOLEAN
0011 - 0 - disabled (default)
0012 - not 0 - enabled
0013
0014 Enable connection tracking flow accounting. 64-bit byte and packet
0015 counters per flow are added.
0016
0017 nf_conntrack_buckets - INTEGER
0018 Size of hash table. If not specified as parameter during module
0019 loading, the default size is calculated by dividing total memory
0020 by 16384 to determine the number of buckets. The hash table will
0021 never have fewer than 1024 and never more than 262144 buckets.
0022 This sysctl is only writeable in the initial net namespace.
0023
0024 nf_conntrack_checksum - BOOLEAN
0025 - 0 - disabled
0026 - not 0 - enabled (default)
0027
0028 Verify checksum of incoming packets. Packets with bad checksums are
0029 in INVALID state. If this is enabled, such packets will not be
0030 considered for connection tracking.
0031
0032 nf_conntrack_count - INTEGER (read-only)
0033 Number of currently allocated flow entries.
0034
0035 nf_conntrack_events - BOOLEAN
0036 - 0 - disabled
0037 - 1 - enabled
0038 - 2 - auto (default)
0039
0040 If this option is enabled, the connection tracking code will
0041 provide userspace with connection tracking events via ctnetlink.
0042 The default (2, auto) allocates the event extension only if a userspace
0043 program is listening to ctnetlink events.
0044
0045 nf_conntrack_expect_max - INTEGER
0046 Maximum size of expectation table. Default value is
0047 nf_conntrack_buckets / 256. Minimum is 1.
0048
0049 nf_conntrack_frag6_high_thresh - INTEGER
0050 default 262144
0051
0052 Maximum memory used to reassemble IPv6 fragments. Once
0053 nf_conntrack_frag6_high_thresh bytes of memory are allocated for this
0054 purpose, the fragment handler will drop packets until memory usage
0055 falls back to nf_conntrack_frag6_low_thresh.
0056
0057 nf_conntrack_frag6_low_thresh - INTEGER
0058 default 196608
0059
0060 See nf_conntrack_frag6_high_thresh
0061
0062 nf_conntrack_frag6_timeout - INTEGER (seconds)
0063 default 60
0064
0065 Time to keep an IPv6 fragment in memory.
0066
0067 nf_conntrack_generic_timeout - INTEGER (seconds)
0068 default 600
0069
0070 Default for generic timeout. This applies to flows of layer 4 protocols
0071 that are unknown or unsupported.
0072
0073 nf_conntrack_icmp_timeout - INTEGER (seconds)
0074 default 30
0075
0076 Default for ICMP timeout.
0077
0078 nf_conntrack_icmpv6_timeout - INTEGER (seconds)
0079 default 30
0080
0081 Default for ICMP6 timeout.
0082
0083 nf_conntrack_log_invalid - INTEGER
0084 - 0 - disable (default)
0085 - 1 - log ICMP packets
0086 - 6 - log TCP packets
0087 - 17 - log UDP packets
0088 - 33 - log DCCP packets
0089 - 41 - log ICMPv6 packets
0090 - 136 - log UDPLITE packets
0091 - 255 - log packets of any protocol
0092
0093 Log invalid packets of a type specified by value.
0094
0095 nf_conntrack_max - INTEGER
0096 Maximum number of allowed connection tracking entries. This value is set
0097 to nf_conntrack_buckets by default.
0098 Note that connection tracking entries are added to the table twice -- once
0099 for the original direction and once for the reply direction (i.e., with
0100 the reversed address). This means that with default settings a maxed-out
0101 table will have an average hash chain length of 2, not 1.
0102
0103 nf_conntrack_tcp_be_liberal - BOOLEAN
0104 - 0 - disabled (default)
0105 - not 0 - enabled
0106
0107 Be conservative in what you do, be liberal in what you accept from others.
0108 If it's non-zero, we mark only out-of-window RST segments as INVALID.
0109
0110 nf_conntrack_tcp_ignore_invalid_rst - BOOLEAN
0111 - 0 - disabled (default)
0112 - 1 - enabled
0113
0114 If it's 1, we don't mark out-of-window RST segments as INVALID.
0115
0116 nf_conntrack_tcp_loose - BOOLEAN
0117 - 0 - disabled
0118 - not 0 - enabled (default)
0119
0120 If it is set to zero, we disable picking up already established
0121 connections.
0122
0123 nf_conntrack_tcp_max_retrans - INTEGER
0124 default 3
0125
0126 Maximum number of packets that can be retransmitted without
0127 receiving an (acceptable) ACK from the destination. If this number
0128 is reached, a shorter timer will be started.
0129
0130 nf_conntrack_tcp_timeout_close - INTEGER (seconds)
0131 default 10
0132
0133 nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
0134 default 60
0135
0136 nf_conntrack_tcp_timeout_established - INTEGER (seconds)
0137 default 432000 (5 days)
0138
0139 nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
0140 default 120
0141
0142 nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
0143 default 30
0144
0145 nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
0146 default 300
0147
0148 nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
0149 default 60
0150
0151 nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
0152 default 120
0153
0154 nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
0155 default 120
0156
0157 nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
0158 default 300
0159
0160 nf_conntrack_timestamp - BOOLEAN
0161 - 0 - disabled (default)
0162 - not 0 - enabled
0163
0164 Enable connection tracking flow timestamping.
0165
0166 nf_conntrack_udp_timeout - INTEGER (seconds)
0167 default 30
0168
0169 nf_conntrack_udp_timeout_stream - INTEGER (seconds)
0170 default 120
0171
0172 This extended timeout will be used in case a UDP stream is
0173 detected.
0174
0175 nf_conntrack_gre_timeout - INTEGER (seconds)
0176 default 30
0177
0178 nf_conntrack_gre_timeout_stream - INTEGER (seconds)
0179 default 180
0180
0181 This extended timeout will be used in case a GRE stream is
0182 detected.
0183
0184 nf_hooks_lwtunnel - BOOLEAN
0185 - 0 - disabled (default)
0186 - not 0 - enabled
0187
0188 If this option is enabled, the lightweight tunnel netfilter hooks are
0189 enabled. Once enabled, this option cannot be disabled again.
0190
0191 nf_flowtable_tcp_timeout - INTEGER (seconds)
0192 default 30
0193
0194 Control the offload timeout for tcp connections.
0195 TCP connections may be offloaded from nf conntrack to nf flow table.
0196 Once aged, the connection is returned to nf conntrack with the tcp pickup timeout.
0197
0198 nf_flowtable_udp_timeout - INTEGER (seconds)
0199 default 30
0200
0201 Control the offload timeout for udp connections.
0202 UDP connections may be offloaded from nf conntrack to nf flow table.
0203 Once aged, the connection is returned to nf conntrack with the udp pickup timeout.