add tunable nf_conntrack_tcp_timeout_established value
author: Alexandre Derumier <aderumier@odiso.com>
Mon, 14 Apr 2014 07:59:47 +0000 (09:59 +0200)
committer: Dietmar Maurer <dietmar@proxmox.com>
Mon, 14 Apr 2014 09:32:52 +0000 (11:32 +0200)
commit: 28c082a187a76def02b212cbc1b6c8b48159d58b
tree: 9e1263ce2ad4ae1a932ec8aea2c14147c336c9de
parent: 0365eb68439db796282603ef5d27cab82a07f3cd
add tunable nf_conntrack_tcp_timeout_established value

default nf_conntrack_tcp_timeout_established value is 5 days.

This is really huge, in case of a DDoS attack for example.

from:
https://dev.openwrt.org/ticket/12976

minimum value should be

"7875 seconds (= tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl = 7200 + 9 * 75 by default) to give the endpoints sufficient time to send keep-alive probes"

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
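The floor quoted from the OpenWrt ticket (tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl) is only safe if it is computed from the keepalive values actually in effect on the host, not the defaults. The script below is an added example, not code from this commit or from pve-firewall: it reads the live keepalive tunables from /proc/sys (falling back to the kernel defaults when run where they are unreadable), derives the floor, and checks a candidate nf_conntrack_tcp_timeout_established against it before a lower value is committed to the firewall config. The function names and the fallback defaults are the example's own.

```shell
#!/bin/sh
# Added example (not part of the pve-firewall commit): derive the minimum safe
# nf_conntrack_tcp_timeout_established from the kernel keepalive tunables and
# check a candidate value against it.

# keepalive_floor KEEPALIVE_TIME PROBES INTVL
# Prints tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl in seconds.
keepalive_floor() {
    echo $(( $1 + $2 * $3 ))
}

# check_established_timeout CANDIDATE KEEPALIVE_TIME PROBES INTVL
# Returns 0 when CANDIDATE is at or above the keepalive floor, 1 otherwise
# (a lower value can expire idle-but-alive sessions before the first probe).
check_established_timeout() {
    floor=$(keepalive_floor "$2" "$3" "$4")
    [ "$1" -ge "$floor" ]
}

# read_sysctl PATH DEFAULT
# Reads a /proc/sys value; uses DEFAULT when the file is unreadable (e.g. offline).
read_sysctl() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo "$2"
    fi
}

# Report on a candidate value (first argument; defaults to the floor from the
# commit message). Always exits 0 so it can be sourced or piped safely.
report() {
    kt=$(read_sysctl /proc/sys/net/ipv4/tcp_keepalive_time 7200)
    kp=$(read_sysctl /proc/sys/net/ipv4/tcp_keepalive_probes 9)
    ki=$(read_sysctl /proc/sys/net/ipv4/tcp_keepalive_intvl 75)
    cur=$(read_sysctl /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established 432000)
    floor=$(keepalive_floor "$kt" "$kp" "$ki")
    cand=${1:-$floor}
    echo "keepalive floor: $floor s ($kt + $kp * $ki)"
    echo "current nf_conntrack_tcp_timeout_established: $cur s"
    if check_established_timeout "$cand" "$kt" "$kp" "$ki"; then
        echo "candidate $cand s: OK (>= floor)"
    else
        echo "candidate $cand s: TOO LOW (< floor $floor s)"
    fi
    return 0
}

report "$1"
```

Run it as `sh check_conntrack_timeout.sh 7875` on the host before lowering the value; with the stock kernel defaults it reports a floor of 7875 s, matching the figure quoted in the commit message, and flags any candidate below it.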
example/host.fw
src/PVE/Firewall.pm