/proc/sys/net/netfilter/nf_conntrack_* Variables:

nf_conntrack_acct - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	Enable connection tracking flow accounting. 64-bit byte and packet
	counters per flow are added.

nf_conntrack_buckets - INTEGER
	Size of hash table. If not specified as parameter during module
	loading, the default size is calculated by dividing total memory
	by 16384 to determine the number of buckets, but the hash table will
	never have fewer than 32 or more than 16384 buckets. For systems
	with more than 4GB of memory it will be 65536 buckets.
	This sysctl is only writeable in the initial net namespace.

nf_conntrack_checksum - BOOLEAN
	0 - disabled
	not 0 - enabled (default)

	Verify checksum of incoming packets. Packets with bad checksums are
	in INVALID state. If this is enabled, such packets will not be
	considered for connection tracking.

nf_conntrack_count - INTEGER (read-only)
	Number of currently allocated flow entries.

nf_conntrack_events - BOOLEAN
	0 - disabled
	not 0 - enabled (default)

	If this option is enabled, the connection tracking code will
	provide userspace with connection tracking events via ctnetlink.

nf_conntrack_expect_max - INTEGER
	Maximum size of expectation table. Default value is
	nf_conntrack_buckets / 256. Minimum is 1.

nf_conntrack_frag6_high_thresh - INTEGER
	default 262144

	Maximum memory used to reassemble IPv6 fragments. When
	nf_conntrack_frag6_high_thresh bytes of memory is allocated for this
	purpose, the fragment handler will toss packets until
	nf_conntrack_frag6_low_thresh is reached.

nf_conntrack_frag6_low_thresh - INTEGER
	default 196608

	See nf_conntrack_frag6_high_thresh

nf_conntrack_frag6_timeout - INTEGER (seconds)
	default 60

	Time to keep an IPv6 fragment in memory.

nf_conntrack_generic_timeout - INTEGER (seconds)
	default 600

	Default for generic timeout. This refers to layer 4 unknown/unsupported
	protocols.

nf_conntrack_helper - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	Enable automatic conntrack helper assignment.
	If disabled it is required to set up iptables rules to assign
	helpers to connections. See the CT target description in the
	iptables-extensions(8) man page for further information.

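A concrete rule set for the disabled case, as an added example that is not part of this documentation or of the netfilter project: it binds the FTP helper to control connections for one server with the CT target and accepts only the data connections that helper announced, using the helper match, both described in iptables-extensions(8). Helper name, port and server address are parameters; 192.0.2.10 is a documentation-range address used as a placeholder.

```shell
#!/bin/sh
# Added example, not from the kernel documentation or the netfilter project:
# with nf_conntrack_helper=0 (the default) no helper is attached to a flow
# unless a rule says so. The functions below build the iptables rules for
# one helper using the CT target and the helper match from
# iptables-extensions(8). Helper name, port and server address are
# parameters; 192.0.2.10 in the usage line is a documentation address.

# Print the rules for attaching helper $1 to TCP control connections to
# port $2 on server $3, and for accepting only the RELATED flows that
# helper set up. Printing rather than executing lets a change be
# reviewed before it is loaded.
conntrack_helper_rules() {
	helper=$1
	port=$2
	server=$3
	# raw PREROUTING runs before conntrack creates the entry, so the
	# helper is bound as the flow is created; the -d match keeps the
	# helper's payload parser away from traffic for any other host.
	echo "iptables -t raw -A PREROUTING -d $server -p tcp --dport $port -j CT --helper $helper"
	# The helper match looks at the master connection's helper, so a
	# packet that is merely RELATED to some other tracked connection
	# is not accepted by this rule.
	echo "iptables -A FORWARD -m conntrack --ctstate RELATED -m helper --helper $helper -j ACCEPT"
}

# Load the rules after making sure automatic assignment stays off.
apply_helper_rules() {
	sysctl -w net.netfilter.nf_conntrack_helper=0
	conntrack_helper_rules "$@" | sh -e
}

# Usage: print what would be applied for an FTP server.
conntrack_helper_rules ftp 21 192.0.2.10
```

The helper's module (nf_conntrack_ftp here) has to be loaded before the CT rule is added, and the -d match matters: a helper parses untrusted payload, so it should see only the traffic that actually needs it. Review the printed rules before piping them to a shell.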
nf_conntrack_icmp_timeout - INTEGER (seconds)
	default 30

	Default for ICMP timeout.

nf_conntrack_icmpv6_timeout - INTEGER (seconds)
	default 30

	Default for ICMP6 timeout.

nf_conntrack_log_invalid - INTEGER
	0   - disable (default)
	1   - log ICMP packets
	6   - log TCP packets
	17  - log UDP packets
	33  - log DCCP packets
	58  - log ICMPv6 packets
	136 - log UDPLITE packets
	255 - log packets of any protocol

	Log invalid packets of a type specified by value. The value is the
	IP protocol number of the layer 4 protocol (as listed in
	/etc/protocols), or 255 to log invalid packets of every protocol.

nf_conntrack_max - INTEGER
	Size of connection tracking table. Default value is
	nf_conntrack_buckets value * 4.

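The sizing rules for nf_conntrack_buckets, nf_conntrack_expect_max and nf_conntrack_max above fit in a few lines of shell. The script below is an added example, not part of this documentation or of the kernel: it computes the defaults those rules give for a stated amount of memory (in kB, as MemTotal in /proc/meminfo reports it) and reports how much of the live table is in use. The 80% warning threshold and the function names are this example's choices.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation: work out the default
# table sizes the rules for nf_conntrack_buckets, nf_conntrack_max and
# nf_conntrack_expect_max imply for a given amount of RAM, and check how
# much headroom the live table has. Memory is given in kB, as MemTotal in
# /proc/meminfo reports it. The 80% warning threshold is this example's
# choice, not a kernel value.

# Default hash size: total memory / 16384 bytes per bucket, clamped to
# [32, 16384]; more than 4 GiB of RAM gives 65536. Working in kB keeps the
# arithmetic small: mem_kB * 1024 / 16384 == mem_kB / 16.
conntrack_default_buckets() {
	mem_kb=$1
	if [ "$mem_kb" -gt 4194304 ]; then	# 4 GiB expressed in kB
		echo 65536
		return 0
	fi
	buckets=$((mem_kb / 16))
	[ "$buckets" -lt 32 ] && buckets=32
	[ "$buckets" -gt 16384 ] && buckets=16384
	echo "$buckets"
}

# nf_conntrack_max defaults to four entries per bucket.
conntrack_default_max() {
	echo $(( $(conntrack_default_buckets "$1") * 4 ))
}

# nf_conntrack_expect_max defaults to buckets / 256, never below 1.
conntrack_default_expect_max() {
	expect=$(( $(conntrack_default_buckets "$1") / 256 ))
	[ "$expect" -lt 1 ] && expect=1
	echo "$expect"
}

# Compare nf_conntrack_count with nf_conntrack_max. Takes the sysctl
# directory as an argument so it can be pointed at a copy; returns 1 when
# the table is at or above 80% full. Once count reaches max, the kernel
# drops packets that would need a new entry.
conntrack_headroom() {
	dir=${1:-/proc/sys/net/netfilter}
	read -r count < "$dir/nf_conntrack_count" 2>/dev/null || return 2
	read -r max < "$dir/nf_conntrack_max" 2>/dev/null || return 2
	[ "$max" -gt 0 ] 2>/dev/null || return 2
	pct=$((count * 100 / max))
	echo "$count/$max (${pct}%)"
	[ "$pct" -lt 80 ]
}

# Usage: defaults implied by this host's memory, then live table usage.
if [ -r /proc/meminfo ] && command -v awk >/dev/null 2>&1; then
	total_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
	echo "MemTotal ${total_kb} kB: default buckets $(conntrack_default_buckets "$total_kb")," \
	     "max $(conntrack_default_max "$total_kb")," \
	     "expect_max $(conntrack_default_expect_max "$total_kb")"
fi
if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
	conntrack_headroom || echo "conntrack table is running low on headroom"
fi
```

Run with no arguments it prints the defaults the host's memory implies next to the real table usage; giving conntrack_headroom a directory of copied files lets the check run outside the host. A box that NATs many short-lived flows usually needs nf_conntrack_max raised together with nf_conntrack_buckets, not nf_conntrack_max alone, or every hash chain gets long and lookups slow down.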
nf_conntrack_tcp_be_liberal - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	Be conservative in what you do, be liberal in what you accept from others.
	If it's non-zero, we mark only out of window RST segments as INVALID.
	If it's zero, every out of window segment is marked INVALID.

nf_conntrack_tcp_loose - BOOLEAN
	0 - disabled
	not 0 - enabled (default)

	If it is set to zero, we disable picking up already established
	connections: a non-SYN packet that matches no existing entry is
	INVALID instead of creating a new one.

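nf_conntrack_checksum, nf_conntrack_log_invalid, nf_conntrack_tcp_be_liberal and nf_conntrack_tcp_loose above, together with nf_conntrack_helper, decide how much a stateful firewall trusts a packet that does not fit a known flow. The audit below is an added example, not part of this documentation: it compares a sysctl tree against a strict profile chosen for this example (checksums verified, all out-of-window TCP INVALID, no mid-stream pick-up, INVALID logging for every protocol, helper auto-assignment off) and prints the sysctl commands for anything that deviates. The profile and the function names are this example's assumptions, not kernel defaults.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation: audit the sysctls
# that decide how strict conntrack's state machine is. The expected values
# are this example's hardened profile, not the kernel defaults: verify
# checksums, treat every out-of-window TCP segment as INVALID, do not adopt
# TCP connections mid-stream, log INVALID packets of every protocol, and
# keep helper auto-assignment off. Pass a directory to audit a copy of the
# sysctl tree; the default is the live one.

conntrack_audit_strict() {
	dir=${1:-/proc/sys/net/netfilter}
	rc=0
	for kv in nf_conntrack_checksum=1 nf_conntrack_tcp_be_liberal=0 \
	          nf_conntrack_tcp_loose=0 nf_conntrack_log_invalid=255 \
	          nf_conntrack_helper=0; do
		key=${kv%=*}
		want=${kv#*=}
		if [ ! -r "$dir/$key" ]; then
			echo "MISSING $key (module not loaded, or no such sysctl)"
			rc=1
			continue
		fi
		read -r have < "$dir/$key"
		# BOOLEAN sysctls are documented as "0" / "not 0", so any
		# non-zero value counts as enabled; log_invalid is a number.
		case $key in
		nf_conntrack_log_invalid) norm=$have ;;
		*) if [ "$have" -ne 0 ] 2>/dev/null; then norm=1; else norm=0; fi ;;
		esac
		if [ "$norm" = "$want" ]; then
			echo "ok      $key=$have"
		else
			echo "WEAK    $key=$have want=$want"
			rc=1
		fi
	done
	return $rc
}

# Turn the WEAK lines into the sysctl commands that would fix them.
conntrack_strict_fixups() {
	conntrack_audit_strict "$@" | awk '$1 == "WEAK" {
		split($2, k, "=");
		sub(/^want=/, "", $3);
		print "sysctl -w net.netfilter." k[1] "=" $3
	}'
}

# Usage: audit the live tree and show what would have to change.
if [ -d /proc/sys/net/netfilter ]; then
	conntrack_audit_strict || conntrack_strict_fixups
fi
```

tcp_loose=0 and be_liberal=0 are what make a DROP rule on --ctstate INVALID bite on injected or out-of-window segments, and they are also what breaks asymmetric routing and firewall failover without state synchronisation, so roll them out only where the firewall sees both directions of every flow. log_invalid=255 is noisy on a busy box; the per-protocol numbers above narrow it.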
nf_conntrack_tcp_max_retrans - INTEGER
	default 3

	Maximum number of packets that can be retransmitted without
	receiving an (acceptable) ACK from the destination. If this number
	is reached, a shorter timer (nf_conntrack_tcp_timeout_max_retrans)
	will be started.

nf_conntrack_tcp_timeout_close - INTEGER (seconds)
	default 10

nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
	default 60

nf_conntrack_tcp_timeout_established - INTEGER (seconds)
	default 432000 (5 days)

nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
	default 30

nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
	default 300

nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
	default 60

nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
	default 300

nf_conntrack_timestamp - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	Enable connection tracking flow timestamping.

nf_conntrack_udp_timeout - INTEGER (seconds)
	default 30

nf_conntrack_udp_timeout_stream - INTEGER (seconds)
	default 180

	This extended timeout will be used in case there is a UDP stream
	detected, that is, once packets have been seen in both directions
	of the flow.