TOMOYO Linux Cross Reference
Linux/Documentation/networking/nf_conntrack-sysctl.rst

.. SPDX-License-Identifier: GPL-2.0

====================================
Netfilter Conntrack Sysctl variables
====================================

/proc/sys/net/netfilter/nf_conntrack_* Variables:
=================================================

nf_conntrack_acct - BOOLEAN
        - 0 - disabled (default)
        - not 0 - enabled

        Enable connection tracking flow accounting. 64-bit byte and packet
        counters per flow are added.

nf_conntrack_buckets - INTEGER
        Size of the hash table. If not specified as a parameter during module
        loading (the nf_conntrack hashsize parameter), the default size is
        calculated by dividing total memory by 16384 to determine the number
        of buckets. The hash table will never have fewer than 1024 and never
        more than 262144 buckets.
        This sysctl is only writeable in the initial net namespace.

nf_conntrack_checksum - BOOLEAN
        - 0 - disabled
        - not 0 - enabled (default)

        Verify the checksum of incoming packets. Packets with bad checksums
        are in INVALID state. If this is enabled, such packets will not be
        considered for connection tracking.

nf_conntrack_count - INTEGER (read-only)
        Number of currently allocated flow entries.

nf_conntrack_events - BOOLEAN
        - 0 - disabled
        - 1 - enabled
        - 2 - auto (default)

        If this option is enabled, the connection tracking code will
        provide userspace with connection tracking events via ctnetlink.
        The default allocates the extension only if a userspace program is
        listening to ctnetlink events.

nf_conntrack_expect_max - INTEGER
        Maximum size of the expectation table.  Default value is
        nf_conntrack_buckets / 256. Minimum is 1.

nf_conntrack_frag6_high_thresh - INTEGER
        default 262144

        Maximum memory used to reassemble IPv6 fragments.  When
        nf_conntrack_frag6_high_thresh bytes of memory are allocated for this
        purpose, the fragment handler will toss packets until
        nf_conntrack_frag6_low_thresh is reached.

nf_conntrack_frag6_low_thresh - INTEGER
        default 196608

        See nf_conntrack_frag6_high_thresh

nf_conntrack_frag6_timeout - INTEGER (seconds)
        default 60

        Time to keep an IPv6 fragment in memory.

nf_conntrack_generic_timeout - INTEGER (seconds)
        default 600

        Default for the generic timeout.  This refers to layer 4
        unknown/unsupported protocols.

nf_conntrack_icmp_timeout - INTEGER (seconds)
        default 30

        Default for the ICMP timeout.

nf_conntrack_icmpv6_timeout - INTEGER (seconds)
        default 30

        Default for the ICMPv6 timeout.

nf_conntrack_log_invalid - INTEGER
        - 0   - disable (default)
        - 1   - log ICMP packets
        - 6   - log TCP packets
        - 17  - log UDP packets
        - 33  - log DCCP packets
        - 58  - log ICMPv6 packets
        - 136 - log UDPLITE packets
        - 255 - log packets of any protocol

        Log invalid packets of the IP protocol number given by the value
        (ICMPv6 is protocol 58, not 41; 255 matches every protocol).

nf_conntrack_max - INTEGER
        Maximum number of allowed connection tracking entries. This value is set
        to nf_conntrack_buckets by default.
        Note that connection tracking entries are added to the table twice -- once
        for the original direction and once for the reply direction (i.e., with
        the reversed address). This means that with default settings a maxed-out
        table will have an average hash chain length of 2, not 1.

nf_conntrack_tcp_be_liberal - BOOLEAN
        - 0 - disabled (default)
        - not 0 - enabled

        Be conservative in what you do, be liberal in what you accept from others.
        If it's non-zero, we mark only out of window RST segments as INVALID.

nf_conntrack_tcp_ignore_invalid_rst - BOOLEAN
        - 0 - disabled (default)
        - 1 - enabled

        If it's 1, we don't mark out of window RST segments as INVALID.

nf_conntrack_tcp_loose - BOOLEAN
        - 0 - disabled
        - not 0 - enabled (default)

        If it is set to zero, we disable picking up already established
        connections; a non-SYN segment that matches no existing entry is
        then INVALID.
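
The knobs above (nf_conntrack_max and nf_conntrack_buckets sizing, tcp_be_liberal, tcp_loose) together with nf_conntrack_checksum and nf_conntrack_log_invalid are the ones a hardening review of a conntrack host looks at first. The following is an added example, not part of the kernel documentation: a Python audit that reads them from /proc/sys/net/netfilter (or from any directory of same-named files, for offline testing) and applies the chain-length reasoning stated under nf_conntrack_max. The 80% fill warning, the finding texts and the helper names are this example's own assumptions; the defaults substituted for missing knobs are those given on this page.

```python
"""Audit nf_conntrack sysctls for table exhaustion and lax TCP tracking.

Added example, not part of the kernel documentation.  Thresholds and
wording are this example's assumptions; defaults for absent knobs are
the ones documented in nf_conntrack-sysctl.rst.
"""
import math
import os

SYSCTL_DIR = "/proc/sys/net/netfilter"  # where the nf_conntrack_* files live

KNOBS = (
    "nf_conntrack_count", "nf_conntrack_max", "nf_conntrack_buckets",
    "nf_conntrack_tcp_loose", "nf_conntrack_tcp_be_liberal",
    "nf_conntrack_checksum", "nf_conntrack_log_invalid",
)


def read_knobs(sysctl_dir=SYSCTL_DIR):
    """Read each knob as an int; files that are missing (module not loaded)
    or non-numeric are skipped so audit() falls back to documented defaults."""
    values = {}
    for name in KNOBS:
        try:
            with open(os.path.join(sysctl_dir, name)) as f:
                values[name] = int(f.read().strip())
        except (FileNotFoundError, ValueError):
            continue
    return values


def avg_chain_length(max_entries, buckets):
    """Each flow occupies two hash slots (original + reply direction), so a
    full table spreads 2*max_entries over `buckets` chains."""
    return 2.0 * max_entries / buckets


def buckets_for(max_entries, target_chain=2.0):
    """Bucket count that keeps the average chain at target_chain when the
    table is full.  Only computes the number; nf_conntrack_buckets itself is
    writeable only from the initial net namespace."""
    return math.ceil(2.0 * max_entries / target_chain)


def audit(values, fill_warn=0.80):
    """Return a list of findings for the given knob values (example thresholds)."""
    findings = []
    count = values.get("nf_conntrack_count")
    limit = values.get("nf_conntrack_max")
    buckets = values.get("nf_conntrack_buckets")

    if count is not None and limit:
        fill = count / limit
        if fill >= fill_warn:
            findings.append(
                f"table {fill:.0%} full ({count}/{limit}): new flows are dropped "
                "once nf_conntrack_max is reached (kernel log: 'nf_conntrack: "
                "table full, dropping packet')")
    if limit and buckets:
        chain = avg_chain_length(limit, buckets)
        if chain > 2.0:
            findings.append(
                f"average hash chain {chain:.1f} at nf_conntrack_max; raise "
                f"nf_conntrack_buckets to {buckets_for(limit)} for ~2")
    # Defaults below are the documented ones: loose=1, be_liberal=0,
    # checksum=1, log_invalid=0.
    if values.get("nf_conntrack_tcp_loose", 1):
        findings.append(
            "nf_conntrack_tcp_loose=1: mid-stream pickup is on, so stray non-SYN "
            "segments for unknown flows create entries; set 0 where every TCP "
            "flow should start with a SYN the tracker sees")
    if values.get("nf_conntrack_tcp_be_liberal", 0):
        findings.append(
            "nf_conntrack_tcp_be_liberal=1: window checks relaxed, only "
            "out-of-window RST is marked INVALID")
    if values.get("nf_conntrack_checksum", 1) == 0:
        findings.append(
            "nf_conntrack_checksum=0: packets with bad checksums are tracked "
            "instead of being treated as INVALID")
    if values.get("nf_conntrack_log_invalid", 0) == 0:
        findings.append(
            "nf_conntrack_log_invalid=0: INVALID packets are not logged; 255 "
            "logs every protocol")
    return findings


if __name__ == "__main__":
    for line in audit(read_knobs()) or ["no findings"]:
        print(line)
```

Run it as root on the host being reviewed; to exercise it offline, point `read_knobs()` at a scratch directory containing files named like the knobs, or pass a dict straight to `audit()`.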

nf_conntrack_tcp_max_retrans - INTEGER
        default 3

        Maximum number of packets that can be retransmitted without
        receiving an (acceptable) ACK from the destination. If this number
        is reached, a shorter timer (nf_conntrack_tcp_timeout_max_retrans)
        will be started.

nf_conntrack_tcp_timeout_close - INTEGER (seconds)
        default 10

nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
        default 60

nf_conntrack_tcp_timeout_established - INTEGER (seconds)
        default 432000 (5 days)

nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
        default 120

nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
        default 30

nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
        default 300

nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
        default 60

nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
        default 120

nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
        default 120

nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
        default 300

nf_conntrack_timestamp - BOOLEAN
        - 0 - disabled (default)
        - not 0 - enabled

        Enable connection tracking flow timestamping.

nf_conntrack_sctp_timeout_closed - INTEGER (seconds)
        default 10

nf_conntrack_sctp_timeout_cookie_wait - INTEGER (seconds)
        default 3

nf_conntrack_sctp_timeout_cookie_echoed - INTEGER (seconds)
        default 3

nf_conntrack_sctp_timeout_established - INTEGER (seconds)
        default 210

        Default is set to (hb_interval * path_max_retrans + rto_max)

nf_conntrack_sctp_timeout_shutdown_sent - INTEGER (seconds)
        default 3

nf_conntrack_sctp_timeout_shutdown_recd - INTEGER (seconds)
        default 3

nf_conntrack_sctp_timeout_shutdown_ack_sent - INTEGER (seconds)
        default 3

nf_conntrack_sctp_timeout_heartbeat_sent - INTEGER (seconds)
        default 30

        This timeout is used to set up a conntrack entry on secondary paths.
        Default is set to hb_interval.

nf_conntrack_udp_timeout - INTEGER (seconds)
        default 30

nf_conntrack_udp_timeout_stream - INTEGER (seconds)
        default 120

        This extended timeout is used once a UDP stream (traffic seen in
        both directions) is detected.

nf_conntrack_gre_timeout - INTEGER (seconds)
        default 30

nf_conntrack_gre_timeout_stream - INTEGER (seconds)
        default 180

        This extended timeout is used once a GRE stream (traffic seen in
        both directions) is detected.

nf_hooks_lwtunnel - BOOLEAN
        - 0 - disabled (default)
        - not 0 - enabled

        If this option is enabled, the lightweight tunnel netfilter hooks are
        enabled. This option cannot be disabled once it is enabled.

nf_flowtable_tcp_timeout - INTEGER (seconds)
        default 30

        Controls the offload timeout for TCP connections.
        TCP connections may be offloaded from nf conntrack to the nf flow table.
        Once aged, the connection is returned to nf conntrack.

nf_flowtable_udp_timeout - INTEGER (seconds)
        default 30

        Controls the offload timeout for UDP connections.
        UDP connections may be offloaded from nf conntrack to the nf flow table.
        Once aged, the connection is returned to nf conntrack.
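
The per-protocol timeouts listed above (TCP states, UDP and GRE stream detection, ICMP, SCTP) and the nf_flowtable_* offload timeouts are easiest to reason about against the live table. The following is an added example, not from the kernel documentation: it parses /proc/net/nf_conntrack lines, names the sysctl whose value each entry's timer was loaded from (offloaded entries print no timeout field and are tagged [OFFLOAD] or [HW_OFFLOAD], so they fall under nf_flowtable_*), and flags a build-up of unreplied SYN_SENT entries, which is how a SYN flood or a scan through the gateway shows up on the conntrack side. The sample entries are constructed, not captured from a host, and the flood threshold is this example's assumption.

```python
"""Name the nf_conntrack_* timeout governing each /proc/net/nf_conntrack entry.

Added example, not from the kernel documentation.  The sample entries are
constructed, not captured from a host; the SYN-flood threshold is an
assumption of this example.
"""
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack format.  Offloaded entries
# print no timeout field and carry [OFFLOAD] where [ASSURED] would be.
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=44444 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=44444 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 119 SYN_SENT src=10.0.0.2 dst=203.0.113.9 sport=40001 dport=443 [UNREPLIED] src=203.0.113.9 dst=10.0.0.2 sport=443 dport=40001 mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=10.0.0.2 dst=203.0.113.9 sport=40002 dport=443 [UNREPLIED] src=203.0.113.9 dst=10.0.0.2 sport=443 dport=40002 mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=10.0.0.2 dst=203.0.113.9 sport=40003 dport=443 [UNREPLIED] src=203.0.113.9 dst=10.0.0.2 sport=443 dport=40003 mark=0 zone=0 use=2
ipv4     2 tcp      6 9 TIME_WAIT src=10.0.0.2 dst=10.0.0.1 sport=44445 dport=80 src=10.0.0.1 dst=10.0.0.2 sport=80 dport=44445 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=36000 dport=443 src=10.0.0.1 dst=10.0.0.5 sport=443 dport=36000 [OFFLOAD] mark=0 zone=0 use=3
ipv4     2 udp      17 29 src=10.0.0.2 dst=10.0.0.53 sport=51234 dport=53 [UNREPLIED] src=10.0.0.53 dst=10.0.0.2 sport=53 dport=51234 mark=0 zone=0 use=2
ipv4     2 udp      17 115 src=10.0.0.2 dst=10.0.0.7 sport=5060 dport=5060 src=10.0.0.7 dst=10.0.0.2 sport=5060 dport=5060 [ASSURED] mark=0 zone=0 use=2
ipv4     2 icmp     1 29 src=10.0.0.2 dst=10.0.0.1 type=8 code=0 id=1234 src=10.0.0.1 dst=10.0.0.2 type=0 code=0 id=1234 mark=0 zone=0 use=2
ipv6     10 tcp      6 431998 ESTABLISHED src=2001:db8::2 dst=2001:db8::1 sport=50000 dport=443 src=2001:db8::1 dst=2001:db8::2 sport=443 dport=50000 [ASSURED] mark=0 zone=0 use=2
"""

# Protocols whose entries print a state name right after the timeout.
STATEFUL = ("tcp", "sctp")


def parse_entry(line):
    """Return l3/l4 protocol, remaining timeout, state and status flags."""
    f = line.split()
    entry = {"l3": f[0], "l4": f[2], "timeout": None, "state": None,
             "unreplied": "[UNREPLIED]" in f, "assured": "[ASSURED]" in f,
             "offloaded": "[OFFLOAD]" in f or "[HW_OFFLOAD]" in f}
    i = 4
    if f[i].isdigit():          # timeout field is absent for offloaded entries
        entry["timeout"] = int(f[i])
        i += 1
    if entry["l4"] in STATEFUL:
        entry["state"] = f[i]
    return entry


def governing_sysctl(entry):
    """Sysctl whose value the entry's timer was last loaded from.

    For TCP the shorter nf_conntrack_tcp_timeout_max_retrans and
    _unacknowledged timers can replace the per-state value; /proc does not
    show which applied, so the per-state name is the upper bound."""
    l4, state = entry["l4"], entry["state"]
    if entry["offloaded"] and l4 in ("tcp", "udp"):
        return f"nf_flowtable_{l4}_timeout"
    if l4 == "tcp":
        # SYN_SENT2 (simultaneous open) shares the syn_sent timeout.
        return "nf_conntrack_tcp_timeout_" + state.replace("SYN_SENT2", "SYN_SENT").lower()
    if l4 == "sctp":
        return "nf_conntrack_sctp_timeout_" + state.lower()
    if l4 in ("udp", "gre"):
        # The longer *_stream timeout applies once the entry is ASSURED.
        return f"nf_conntrack_{l4}_timeout" + ("_stream" if entry["assured"] else "")
    if l4 in ("icmp", "icmpv6"):
        return f"nf_conntrack_{l4}_timeout"
    return "nf_conntrack_generic_timeout"


def summarize(text, syn_flood_threshold=3):
    """Count entries per governing sysctl and flag unreplied SYN_SENT build-up."""
    per_knob = Counter()
    unreplied_syn = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        per_knob[governing_sysctl(e)] += 1
        if e["state"] in ("SYN_SENT", "SYN_SENT2") and e["unreplied"]:
            unreplied_syn += 1
    alerts = []
    if unreplied_syn >= syn_flood_threshold:
        alerts.append(
            f"{unreplied_syn} unreplied SYN_SENT entries: each holds a table slot "
            "for nf_conntrack_tcp_timeout_syn_sent seconds (default 120); "
            "a SYN flood or a scan through the gateway looks like this")
    return per_knob, alerts


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    knobs, alerts = summarize(text)
    for knob, n in knobs.most_common():
        print(f"{n:6d}  {knob}")
    for a in alerts:
        print("ALERT:", a)
```

On a real host run it as `python3 ct_timeouts.py /proc/net/nf_conntrack` (root, with the nf_conntrack module loaded); the per-knob counts show which timeouts actually hold slots in the table, which is the input you want before lowering nf_conntrack_tcp_timeout_established or raising nf_conntrack_max.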
