.. SPDX-License-Identifier: GPL-2.0

===================================
Netfilter Conntrack Sysfs variables
===================================

/proc/sys/net/netfilter/nf_conntrack_* Variables:
=================================================

nf_conntrack_acct - BOOLEAN
    - 0 - disabled (default)
    - not 0 - enabled

    Enable connection tracking flow accounting. 64-bit byte and packet
    counters per flow are added.

nf_conntrack_buckets - INTEGER
    Size of the hash table. If not specified as a parameter during module
    loading, the default size is calculated by dividing total memory
    by 16384 to determine the number of buckets. The hash table will
    never have fewer than 1024 and never more than 262144 buckets.
    This sysctl is only writable in the initial net namespace.

nf_conntrack_checksum - BOOLEAN
    - 0 - disabled
    - not 0 - enabled (default)

    Verify the checksum of incoming packets. Packets with bad checksums are
    in INVALID state. If this is enabled, such packets will not be
    considered for connection tracking.

nf_conntrack_count - INTEGER (read-only)
    Number of currently allocated flow entries.

nf_conntrack_events - BOOLEAN
    - 0 - disabled
    - 1 - enabled
    - 2 - auto (default)

    If this option is enabled, the connection tracking code will
    provide userspace with connection tracking events via ctnetlink.
    The default allocates the extension if a userspace program is
    listening to ctnetlink events.

nf_conntrack_expect_max - INTEGER
    Maximum size of the expectation table. Default value is
    nf_conntrack_buckets / 256. Minimum is 1.

nf_conntrack_frag6_high_thresh - INTEGER
    default 262144

    Maximum memory used to reassemble IPv6 fragments. When
    nf_conntrack_frag6_high_thresh bytes of memory are allocated for this
    purpose, the fragment handler will toss packets until
    nf_conntrack_frag6_low_thresh is reached.

nf_conntrack_frag6_low_thresh - INTEGER
    default 196608

    See nf_conntrack_frag6_high_thresh

nf_conntrack_frag6_timeout - INTEGER (seconds)
    default 60

    Time to keep an IPv6 fragment in memory.

nf_conntrack_generic_timeout - INTEGER (seconds)
    default 600

    Default for generic timeout.
    This refers to layer 4 unknown/unsupported protocols.

nf_conntrack_icmp_timeout - INTEGER (seconds)
    default 30

    Default for ICMP timeout.

nf_conntrack_icmpv6_timeout - INTEGER (seconds)
    default 30

    Default for ICMPv6 timeout.

nf_conntrack_log_invalid - INTEGER
    - 0 - disable (default)
    - 1 - log ICMP packets
    - 6 - log TCP packets
    - 17 - log UDP packets
    - 33 - log DCCP packets
    - 41 - log ICMPv6 packets
    - 136 - log UDPLITE packets
    - 255 - log packets of any protocol

    Log invalid packets of the protocol selected by the value.

nf_conntrack_max - INTEGER
    Maximum number of allowed connection tracking entries. This value is set
    to nf_conntrack_buckets by default.
    Note that connection tracking entries are added to the table twice -- once
    for the original direction and once for the reply direction (i.e., with
    the reversed address). This means that with default settings a maxed-out
    table will have an average hash chain length of 2, not 1.
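The sizing rules given for nf_conntrack_buckets, nf_conntrack_expect_max and nf_conntrack_max above, worked through in code. This is an added example, not kernel code: the arithmetic follows the documented rules (buckets = total memory / 16384 clamped to 1024..262144, max = buckets, expect_max = buckets / 256 with a minimum of 1, two hash slots per flow), while the audit thresholds, the `read_snapshot` helper and the sample snapshot values are this example's own constructions.

```python
"""Conntrack table sizing and health checks.

Added example, not kernel code.  The arithmetic follows the documented
sysctl semantics; the audit thresholds (80 % fill, chain length 4) are
this example's own choices, not kernel defaults.
"""
import os

BUCKETS_MIN = 1024
BUCKETS_MAX = 262144
BYTES_PER_BUCKET = 16384      # documented divisor for the default table size
SYSCTL_DIR = "/proc/sys/net/netfilter"


def default_buckets(total_mem_bytes: int) -> int:
    """Default nf_conntrack_buckets for a host with this much memory."""
    return max(BUCKETS_MIN, min(BUCKETS_MAX, total_mem_bytes // BYTES_PER_BUCKET))


def derived_defaults(total_mem_bytes: int) -> dict:
    """Table-sizing sysctls the kernel derives when none are given explicitly."""
    buckets = default_buckets(total_mem_bytes)
    return {
        "nf_conntrack_buckets": buckets,
        "nf_conntrack_max": buckets,                   # equals buckets by default
        "nf_conntrack_expect_max": max(1, buckets // 256),
    }


def avg_chain_length(count: int, buckets: int) -> float:
    """Average hash chain length.  Each flow is inserted twice (original and
    reply tuple), so a table with count == buckets averages 2, not 1."""
    return 2 * count / buckets


def read_snapshot(names, sysctl_dir=SYSCTL_DIR) -> dict:
    """Read the named sysctls from a live host.  Not used by the offline
    demonstration below, which works on a constructed snapshot instead."""
    snapshot = {}
    for name in names:
        with open(os.path.join(sysctl_dir, name)) as fh:
            snapshot[name] = fh.read().strip()
    return snapshot


def audit_snapshot(snapshot: dict, max_fill: float = 0.8, max_chain: float = 4.0) -> list:
    """Return the findings an operator would want to see.

    `snapshot` maps sysctl names to their string contents, as found under
    /proc/sys/net/netfilter/.  Fill and chain-length thresholds are this
    example's choices.
    """
    findings = []
    count = int(snapshot["nf_conntrack_count"])
    limit = int(snapshot["nf_conntrack_max"])
    buckets = int(snapshot["nf_conntrack_buckets"])

    fill = count / limit
    if fill >= max_fill:
        # At nf_conntrack_max no new flow entries can be allocated, so new
        # connections start failing; warn well before that point.
        findings.append(f"table {fill:.0%} full ({count}/{limit})")

    chain = avg_chain_length(count, buckets)
    if chain > max_chain:
        findings.append(f"average hash chain length {chain:.1f} exceeds {max_chain}")

    if int(snapshot.get("nf_conntrack_checksum", "1")) == 0:
        findings.append("checksum verification disabled: bad-checksum packets are tracked")
    if int(snapshot.get("nf_conntrack_tcp_be_liberal", "0")) != 0:
        findings.append("tcp_be_liberal enabled: only out-of-window RST segments are INVALID")
    if int(snapshot.get("nf_conntrack_log_invalid", "0")) == 0:
        findings.append("log_invalid is 0: INVALID packets are not logged")
    return findings


# Constructed snapshot for offline use; not read from a live host.
SAMPLE_SNAPSHOT = {
    "nf_conntrack_count": "54000",
    "nf_conntrack_max": "65536",
    "nf_conntrack_buckets": "16384",
    "nf_conntrack_checksum": "0",
    "nf_conntrack_tcp_be_liberal": "1",
    "nf_conntrack_log_invalid": "0",
}

if __name__ == "__main__":
    for mem in (1 << 30, 16 << 30):
        print(mem >> 30, "GiB ->", derived_defaults(mem))
    for finding in audit_snapshot(SAMPLE_SNAPSHOT):
        print("finding:", finding)
```

On a live host, `read_snapshot(SAMPLE_SNAPSHOT.keys())` produces the same shape of dictionary as the constructed sample, so the audit can be run periodically against the real counters; `nf_conntrack_count` approaching `nf_conntrack_max` is the condition to alert on, since the default `max == buckets` already implies a chain length of 2 at a full table.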

nf_conntrack_tcp_be_liberal - BOOLEAN
    - 0 - disabled (default)
    - not 0 - enabled

    Be conservative in what you do, be liberal in what you accept from others.
    If it's non-zero, we mark only out of window RST segments as INVALID.

nf_conntrack_tcp_ignore_invalid_rst - BOOLEAN
    - 0 - disabled (default)
    - 1 - enabled

    If it's 1, we don't mark out of window RST segments as INVALID.

nf_conntrack_tcp_loose - BOOLEAN
    - 0 - disabled
    - not 0 - enabled (default)

    If it is set to zero, we disable picking up already established
    connections.

nf_conntrack_tcp_max_retrans - INTEGER
    default 3

    Maximum number of packets that can be retransmitted without
    receiving an (acceptable) ACK from the destination. If this number
    is reached, a shorter timer will be started.

nf_conntrack_tcp_timeout_close - INTEGER (seconds)
    default 10

nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
    default 60

nf_conntrack_tcp_timeout_established - INTEGER (seconds)
    default 432000 (5 days)

nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
    default 120

nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
    default 30

nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
    default 300

nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
    default 60

nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
    default 120

nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
    default 120

nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
    default 300

nf_conntrack_timestamp - BOOLEAN
    - 0 - disabled (default)
    - not 0 - enabled

    Enable connection tracking flow timestamping.

nf_conntrack_sctp_timeout_closed - INTEGER (seconds)
    default 10

nf_conntrack_sctp_timeout_cookie_wait - INTEGER (seconds)
    default 3

nf_conntrack_sctp_timeout_cookie_echoed - INTEGER (seconds)
    default 3

nf_conntrack_sctp_timeout_established - INTEGER (seconds)
    default 210

    Default is set to (hb_interval * path_max_retrans + rto_max)

nf_conntrack_sctp_timeout_shutdown_sent - INTEGER (seconds)
    default 3

nf_conntrack_sctp_timeout_shutdown_recd - INTEGER (seconds)
    default 3

nf_conntrack_sctp_timeout_shutdown_ack_sent - INTEGER (seconds)
    default 3

nf_conntrack_sctp_timeout_heartbeat_sent - INTEGER (seconds)
    default 30

    This timeout is used to set up the conntrack entry on secondary paths.
    Default is set to hb_interval.

nf_conntrack_udp_timeout - INTEGER (seconds)
    default 30

nf_conntrack_udp_timeout_stream - INTEGER (seconds)
    default 120

    This extended timeout will be used in case a UDP stream is
    detected.

nf_conntrack_gre_timeout - INTEGER (seconds)
    default 30

nf_conntrack_gre_timeout_stream - INTEGER (seconds)
    default 180

    This extended timeout will be used in case a GRE stream is
    detected.

nf_hooks_lwtunnel - BOOLEAN
    - 0 - disabled (default)
    - not 0 - enabled

    If this option is enabled, the lightweight tunnel netfilter hooks are
    enabled. This option cannot be disabled once it is enabled.

nf_flowtable_tcp_timeout - INTEGER (seconds)
    default 30

    Control the offload timeout for TCP connections.
    TCP connections may be offloaded from nf conntrack to the nf flow table.
    Once aged, the connection is returned to nf conntrack with the TCP pickup timeout.

nf_flowtable_udp_timeout - INTEGER (seconds)
    default 30

    Control the offload timeout for UDP connections.
    UDP connections may be offloaded from nf conntrack to the nf flow table.
    Once aged, the connection is returned to nf conntrack with the UDP pickup timeout.