Documentation/networking/nf_conntrack-sysctl.txt (git.proxmox.com mirror of mirror_ubuntu-artful-kernel.git)
/proc/sys/net/netfilter/nf_conntrack_* Variables:

nf_conntrack_acct - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	Enable connection tracking flow accounting. 64-bit byte and packet
	counters per flow are added.

nf_conntrack_buckets - INTEGER
	Size of hash table. If not specified as parameter during module
	loading, the default size is calculated by dividing total memory
	by 16384 to determine the number of buckets, but the hash table will
	never have fewer than 32 buckets and is limited to 16384 buckets. For
	systems with more than 4GB of memory it will be 65536 buckets.
	This sysctl is only writeable in the initial net namespace.

nf_conntrack_checksum - BOOLEAN
	0 - disabled
	not 0 - enabled (default)

	Verify checksum of incoming packets. Packets with bad checksums are
	in INVALID state. If this is enabled, such packets will not be
	considered for connection tracking.

nf_conntrack_count - INTEGER (read-only)
	Number of currently allocated flow entries.

nf_conntrack_events - BOOLEAN
	0 - disabled
	not 0 - enabled (default)

	If this option is enabled, the connection tracking code will
	provide userspace with connection tracking events via ctnetlink.

nf_conntrack_expect_max - INTEGER
	Maximum size of expectation table. Default value is
	nf_conntrack_buckets / 256. Minimum is 1.

nf_conntrack_frag6_high_thresh - INTEGER
	default 262144

	Maximum memory used to reassemble IPv6 fragments. When
	nf_conntrack_frag6_high_thresh bytes of memory are allocated for this
	purpose, the fragment handler will toss packets until
	nf_conntrack_frag6_low_thresh is reached.

nf_conntrack_frag6_low_thresh - INTEGER
	default 196608

	See nf_conntrack_frag6_high_thresh

nf_conntrack_frag6_timeout - INTEGER (seconds)
	default 60

	Time to keep an IPv6 fragment in memory.
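
The high/low threshold hysteresis of the three frag6 sysctls above, worked through as an added Python model (not kernel code): fragments are queued with their arrival time, memory is freed when they reach nf_conntrack_frag6_timeout, and new fragments are tossed from the moment high_thresh is hit until memory is back at low_thresh. The class and method names, and counting memory as the sum of fragment sizes, are constructed for the illustration.

```python
from collections import deque


class Frag6Queue:
    """Added model (not kernel code) of the frag6 high/low threshold hysteresis.

    Memory is counted as the sum of queued fragment sizes, a simplification;
    the defaults match the documented sysctl values.
    """

    def __init__(self, high_thresh=262144, low_thresh=196608, timeout=60):
        if not 0 < low_thresh < high_thresh:
            raise ValueError("frag6_low_thresh must be below frag6_high_thresh")
        self.high, self.low, self.timeout = high_thresh, low_thresh, timeout
        self.mem = 0            # bytes currently held for reassembly
        self.tossing = False    # True from hitting high until back at low
        self.tossed = 0         # fragments rejected under memory pressure
        self.frags = deque()    # (arrival_time, size), oldest first

    def expire(self, now):
        """Free fragments older than frag6_timeout; this is what brings
        memory back down to low_thresh and ends a tossing phase."""
        while self.frags and now - self.frags[0][0] >= self.timeout:
            _, size = self.frags.popleft()
            self.mem -= size
        if self.tossing and self.mem <= self.low:
            self.tossing = False

    def offer(self, now, size):
        """Queue one fragment; return False if it is tossed.

        Note the hysteresis: once high_thresh has been hit, fragments are
        still tossed while memory sits anywhere between low and high.
        """
        self.expire(now)
        if self.mem >= self.high:
            self.tossing = True
        if self.tossing:
            self.tossed += 1
            return False
        self.frags.append((now, size))
        self.mem += size
        return True
```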

nf_conntrack_generic_timeout - INTEGER (seconds)
	default 600

	Default for generic timeout. This applies to unknown/unsupported
	layer 4 protocols.

nf_conntrack_helper - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	Enable automatic conntrack helper assignment.
	If disabled it is required to set up iptables rules to assign
	helpers to connections. See the CT target description in the
	iptables-extensions(8) man page for further information.

nf_conntrack_icmp_timeout - INTEGER (seconds)
	default 30

	Default for ICMP timeout.

nf_conntrack_icmpv6_timeout - INTEGER (seconds)
	default 30

	Default for ICMP6 timeout.

nf_conntrack_log_invalid - INTEGER
	0 - disable (default)
	1 - log ICMP packets
	6 - log TCP packets
	17 - log UDP packets
	33 - log DCCP packets
	41 - log ICMPv6 packets
	136 - log UDPLITE packets
	255 - log packets of any protocol

	Log invalid packets of the protocol selected by the value.

nf_conntrack_max - INTEGER
	Size of connection tracking table. Default value is
	nf_conntrack_buckets value * 4.
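
The sizing rules documented for nf_conntrack_buckets, nf_conntrack_expect_max and nf_conntrack_max, worked through in an added Python example (not kernel code). It applies the documented formulas to a given amount of total memory and classifies how full a live table is from nf_conntrack_count against nf_conntrack_max; taking memory in bytes, reading "4GB" as 4 GiB, the 80% warning level and the function names are assumptions of the example.

```python
from pathlib import Path

# Real sysctl location; the functions below also take explicit values so
# the rules can be checked without a netfilter-enabled kernel.
SYSCTL_DIR = Path("/proc/sys/net/netfilter")
GIB = 1 << 30  # "4GB" in the text is read as 4 GiB (assumption)


def default_buckets(total_mem_bytes):
    """nf_conntrack_buckets as documented: memory / 16384, clamped to
    [32, 16384]; a flat 65536 above 4 GiB. Memory in bytes (assumption)."""
    if total_mem_bytes > 4 * GIB:
        return 65536
    return min(max(total_mem_bytes // 16384, 32), 16384)


def default_limits(total_mem_bytes):
    """The two table sizes the documentation derives from the bucket count."""
    buckets = default_buckets(total_mem_bytes)
    return {
        "nf_conntrack_buckets": buckets,
        "nf_conntrack_max": buckets * 4,                    # flow table size
        "nf_conntrack_expect_max": max(buckets // 256, 1),  # expectation table
    }


def table_pressure(count, max_entries, warn_pct=80):
    """Classify nf_conntrack_count against nf_conntrack_max.

    Returns (percent_used, state); a 'full' table means new flows can no
    longer get an entry. The 80% warning level is this example's choice.
    """
    pct = count * 100 // max_entries
    if count >= max_entries:
        return pct, "full"
    if pct >= warn_pct:
        return pct, "warn"
    return pct, "ok"


def read_live(sysctl_dir=SYSCTL_DIR):
    """Read the live count and limit from the sysctl tree and classify them."""
    count = int((sysctl_dir / "nf_conntrack_count").read_text())
    max_entries = int((sysctl_dir / "nf_conntrack_max").read_text())
    return table_pressure(count, max_entries)


if __name__ == "__main__":
    print(default_limits(8 * GIB))
    if (SYSCTL_DIR / "nf_conntrack_count").exists():
        print(read_live())
```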

nf_conntrack_default_on - BOOLEAN
	0 - don't register conntrack in new net namespaces
	1 - register conntrack in new net namespaces (default)

	This controls whether newly created network namespaces have connection
	tracking enabled by default. It will be enabled automatically
	regardless of this setting if the new net namespace requires
	connection tracking, e.g. when NAT rules are created.
	This setting is only visible in the initial user namespace; it has no
	effect on existing namespaces.

nf_conntrack_tcp_be_liberal - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	Be conservative in what you do, be liberal in what you accept from others.
	If it's non-zero, we mark only out-of-window RST segments as INVALID.

nf_conntrack_tcp_loose - BOOLEAN
	0 - disabled
	not 0 - enabled (default)

	If it is set to zero, we disable picking up already established
	connections.

nf_conntrack_tcp_max_retrans - INTEGER
	default 3

	Maximum number of packets that can be retransmitted without
	receiving an (acceptable) ACK from the destination. If this number
	is reached, a shorter timer will be started.

nf_conntrack_tcp_timeout_close - INTEGER (seconds)
	default 10

nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
	default 60

nf_conntrack_tcp_timeout_established - INTEGER (seconds)
	default 432000 (5 days)

nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
	default 30

nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
	default 300

nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
	default 60

nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
	default 300

nf_conntrack_timestamp - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	Enable connection tracking flow timestamping.

nf_conntrack_udp_timeout - INTEGER (seconds)
	default 30

nf_conntrack_udp_timeout_stream2 - INTEGER (seconds)
	default 180

	This extended timeout will be used in case a UDP stream is
	detected.