[linux-2.6-block.git] / Documentation / networking / nf_conntrack-sysctl.rst

.. SPDX-License-Identifier: GPL-2.0

===================================
Netfilter Conntrack Sysfs variables
===================================

/proc/sys/net/netfilter/nf_conntrack_* Variables:
=================================================

nf_conntrack_acct - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Enable connection tracking flow accounting. 64-bit byte and packet
	counters per flow are added.

nf_conntrack_buckets - INTEGER
	Size of hash table. If not specified as parameter during module
	loading, the default size is calculated by dividing total memory
	by 16384 to determine the number of buckets. The hash table will
	never have fewer than 1024 and never more than 262144 buckets.
	This sysctl is only writeable in the initial net namespace.

nf_conntrack_checksum - BOOLEAN
	- 0 - disabled
	- not 0 - enabled (default)

	Verify checksum of incoming packets. Packets with bad checksums are
	in INVALID state. If this is enabled, such packets will not be
	considered for connection tracking.

nf_conntrack_count - INTEGER (read-only)
	Number of currently allocated flow entries.

nf_conntrack_events - BOOLEAN
	- 0 - disabled
	- 1 - enabled
	- 2 - auto (default)

	If this option is enabled, the connection tracking code will
	provide userspace with connection tracking events via ctnetlink.
	The default allocates the extension if a userspace program is
	listening to ctnetlink events.

nf_conntrack_expect_max - INTEGER
	Maximum size of expectation table.  Default value is
	nf_conntrack_buckets / 256. Minimum is 1.

nf_conntrack_frag6_high_thresh - INTEGER
	default 262144

	Maximum memory used to reassemble IPv6 fragments.  When
	nf_conntrack_frag6_high_thresh bytes of memory is allocated for this
	purpose, the fragment handler will toss packets until
	nf_conntrack_frag6_low_thresh is reached.

nf_conntrack_frag6_low_thresh - INTEGER
	default 196608

	See nf_conntrack_frag6_low_thresh

nf_conntrack_frag6_timeout - INTEGER (seconds)
	default 60

	Time to keep an IPv6 fragment in memory.

nf_conntrack_generic_timeout - INTEGER (seconds)
	default 600

	Default for generic timeout.  This refers to layer 4 unknown/unsupported
	protocols.

nf_conntrack_helper - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Enable automatic conntrack helper assignment.
	If disabled it is required to set up iptables rules to assign
	helpers to connections.  See the CT target description in the
	iptables-extensions(8) man page for further information.

nf_conntrack_icmp_timeout - INTEGER (seconds)
	default 30

	Default for ICMP timeout.

nf_conntrack_icmpv6_timeout - INTEGER (seconds)
	default 30

	Default for ICMP6 timeout.

nf_conntrack_log_invalid - INTEGER
	- 0   - disable (default)
	- 1   - log ICMP packets
	- 6   - log TCP packets
	- 17  - log UDP packets
	- 33  - log DCCP packets
	- 41  - log ICMPv6 packets
	- 136 - log UDPLITE packets
	- 255 - log packets of any protocol

	Log invalid packets of a type specified by value.

nf_conntrack_max - INTEGER
        Maximum number of allowed connection tracking entries. This value is set
        to nf_conntrack_buckets by default.
        Note that connection tracking entries are added to the table twice -- once
        for the original direction and once for the reply direction (i.e., with
        the reversed address). This means that with default settings a maxed-out
        table will have a average hash chain length of 2, not 1.

nf_conntrack_tcp_be_liberal - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Be conservative in what you do, be liberal in what you accept from others.
	If it's non-zero, we mark only out of window RST segments as INVALID.

nf_conntrack_tcp_ignore_invalid_rst - BOOLEAN
	- 0 - disabled (default)
	- 1 - enabled

	If it's 1, we don't mark out of window RST segments as INVALID.

nf_conntrack_tcp_loose - BOOLEAN
	- 0 - disabled
	- not 0 - enabled (default)

	If it is set to zero, we disable picking up already established
	connections.

nf_conntrack_tcp_max_retrans - INTEGER
	default 3

	Maximum number of packets that can be retransmitted without
	received an (acceptable) ACK from the destination. If this number
	is reached, a shorter timer will be started.

nf_conntrack_tcp_timeout_close - INTEGER (seconds)
	default 10

nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
	default 60

nf_conntrack_tcp_timeout_established - INTEGER (seconds)
	default 432000 (5 days)

nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
	default 30

nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
	default 300

nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
	default 60

nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
	default 120

nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
	default 300

nf_conntrack_timestamp - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	Enable connection tracking flow timestamping.

nf_conntrack_udp_timeout - INTEGER (seconds)
	default 30

nf_conntrack_udp_timeout_stream - INTEGER (seconds)
	default 120

	This extended timeout will be used in case there is an UDP stream
	detected.

nf_conntrack_gre_timeout - INTEGER (seconds)
	default 30

nf_conntrack_gre_timeout_stream - INTEGER (seconds)
	default 180

	This extended timeout will be used in case there is an GRE stream
	detected.

nf_hooks_lwtunnel - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	If this option is enabled, the lightweight tunnel netfilter hooks are
	enabled. This option cannot be disabled once it is enabled.

nf_flowtable_tcp_timeout - INTEGER (seconds)
        default 30

        Control offload timeout for tcp connections.
        TCP connections may be offloaded from nf conntrack to nf flow table.
        Once aged, the connection is returned to nf conntrack with tcp pickup timeout.

nf_flowtable_udp_timeout - INTEGER (seconds)
        default 30

        Control offload timeout for udp connections.
        UDP connections may be offloaded from nf conntrack to nf flow table.
        Once aged, the connection is returned to nf conntrack with udp pickup timeout.
Commit	Line	Data
13df433f MCC	1	.. SPDX-License-Identifier: GPL-2.0
	2
	3	===================================
	4	Netfilter Conntrack Sysfs variables
	5	===================================
	6
c9f9e0e1	7	/proc/sys/net/netfilter/nf_conntrack_* Variables:
13df433f	8	=================================================
c9f9e0e1 JP	9
c9f9e0e1 JP	10	nf_conntrack_acct - BOOLEAN
13df433f MCC	11	- 0 - disabled (default)
13df433f MCC	12	- not 0 - enabled
c9f9e0e1 JP	13
	14	Enable connection tracking flow accounting. 64-bit byte and packet
	15	counters per flow are added.
	16
3183ab89	17	nf_conntrack_buckets - INTEGER
c9f9e0e1 JP	18	Size of hash table. If not specified as parameter during module
c9f9e0e1 JP	19	loading, the default size is calculated by dividing total memory
d532bcd0 FW	20	by 16384 to determine the number of buckets. The hash table will
d532bcd0 FW	21	never have fewer than 1024 and never more than 262144 buckets.
3183ab89	22	This sysctl is only writeable in the initial net namespace.
c9f9e0e1 JP	23
c9f9e0e1 JP	24	nf_conntrack_checksum - BOOLEAN
13df433f MCC	25	- 0 - disabled
13df433f MCC	26	- not 0 - enabled (default)
c9f9e0e1 JP	27
	28	Verify checksum of incoming packets. Packets with bad checksums are
	29	in INVALID state. If this is enabled, such packets will not be
	30	considered for connection tracking.
	31
	32	nf_conntrack_count - INTEGER (read-only)
	33	Number of currently allocated flow entries.
	34
	35	nf_conntrack_events - BOOLEAN
13df433f	36	- 0 - disabled
90d1daa4 FW	37	- 1 - enabled
90d1daa4 FW	38	- 2 - auto (default)
c9f9e0e1 JP	39
	40	If this option is enabled, the connection tracking code will
	41	provide userspace with connection tracking events via ctnetlink.
90d1daa4 FW	42	The default allocates the extension if a userspace program is
90d1daa4 FW	43	listening to ctnetlink events.
c9f9e0e1	44
c9f9e0e1 JP	45	nf_conntrack_expect_max - INTEGER
	46	Maximum size of expectation table. Default value is
	47	nf_conntrack_buckets / 256. Minimum is 1.
	48
	49	nf_conntrack_frag6_high_thresh - INTEGER
	50	default 262144
	51
	52	Maximum memory used to reassemble IPv6 fragments. When
	53	nf_conntrack_frag6_high_thresh bytes of memory is allocated for this
	54	purpose, the fragment handler will toss packets until
	55	nf_conntrack_frag6_low_thresh is reached.
	56
	57	nf_conntrack_frag6_low_thresh - INTEGER
	58	default 196608
	59
	60	See nf_conntrack_frag6_low_thresh
	61
	62	nf_conntrack_frag6_timeout - INTEGER (seconds)
	63	default 60
	64
	65	Time to keep an IPv6 fragment in memory.
	66
	67	nf_conntrack_generic_timeout - INTEGER (seconds)
	68	default 600
	69
	70	Default for generic timeout. This refers to layer 4 unknown/unsupported
	71	protocols.
	72
	73	nf_conntrack_helper - BOOLEAN
13df433f MCC	74	- 0 - disabled (default)
13df433f MCC	75	- not 0 - enabled
c9f9e0e1 JP	76
c9f9e0e1 JP	77	Enable automatic conntrack helper assignment.
486dcf43 FW	78	If disabled it is required to set up iptables rules to assign
	79	helpers to connections. See the CT target description in the
	80	iptables-extensions(8) man page for further information.
c9f9e0e1 JP	81
	82	nf_conntrack_icmp_timeout - INTEGER (seconds)
	83	default 30
	84
	85	Default for ICMP timeout.
	86
	87	nf_conntrack_icmpv6_timeout - INTEGER (seconds)
	88	default 30
	89
	90	Default for ICMP6 timeout.
	91
	92	nf_conntrack_log_invalid - INTEGER
13df433f MCC	93	- 0 - disable (default)
	94	- 1 - log ICMP packets
	95	- 6 - log TCP packets
	96	- 17 - log UDP packets
	97	- 33 - log DCCP packets
	98	- 41 - log ICMPv6 packets
	99	- 136 - log UDPLITE packets
	100	- 255 - log packets of any protocol
c9f9e0e1 JP	101
	102	Log invalid packets of a type specified by value.
	103
	104	nf_conntrack_max - INTEGER
d532bcd0 FW	105	Maximum number of allowed connection tracking entries. This value is set
	106	to nf_conntrack_buckets by default.
	107	Note that connection tracking entries are added to the table twice -- once
	108	for the original direction and once for the reply direction (i.e., with
	109	the reversed address). This means that with default settings a maxed-out
	110	table will have a average hash chain length of 2, not 1.
c9f9e0e1 JP	111
c9f9e0e1 JP	112	nf_conntrack_tcp_be_liberal - BOOLEAN
13df433f MCC	113	- 0 - disabled (default)
13df433f MCC	114	- not 0 - enabled
c9f9e0e1 JP	115
	116	Be conservative in what you do, be liberal in what you accept from others.
	117	If it's non-zero, we mark only out of window RST segments as INVALID.
	118
1da4cd82 AA	119	nf_conntrack_tcp_ignore_invalid_rst - BOOLEAN
	120	- 0 - disabled (default)
	121	- 1 - enabled
	122
	123	If it's 1, we don't mark out of window RST segments as INVALID.
	124
c9f9e0e1	125	nf_conntrack_tcp_loose - BOOLEAN
13df433f MCC	126	- 0 - disabled
13df433f MCC	127	- not 0 - enabled (default)
c9f9e0e1 JP	128
	129	If it is set to zero, we disable picking up already established
	130	connections.
	131
	132	nf_conntrack_tcp_max_retrans - INTEGER
	133	default 3
	134
	135	Maximum number of packets that can be retransmitted without
	136	received an (acceptable) ACK from the destination. If this number
	137	is reached, a shorter timer will be started.
	138
	139	nf_conntrack_tcp_timeout_close - INTEGER (seconds)
	140	default 10
	141
	142	nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
	143	default 60
	144
	145	nf_conntrack_tcp_timeout_established - INTEGER (seconds)
	146	default 432000 (5 days)
	147
	148	nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
	149	default 120
	150
	151	nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
	152	default 30
	153
	154	nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
	155	default 300
	156
	157	nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
	158	default 60
	159
	160	nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
	161	default 120
	162
	163	nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
	164	default 120
	165
	166	nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
	167	default 300
	168
	169	nf_conntrack_timestamp - BOOLEAN
13df433f MCC	170	- 0 - disabled (default)
13df433f MCC	171	- not 0 - enabled
c9f9e0e1 JP	172
	173	Enable connection tracking flow timestamping.
	174
	175	nf_conntrack_udp_timeout - INTEGER (seconds)
	176	default 30
	177
bb38ccce	178	nf_conntrack_udp_timeout_stream - INTEGER (seconds)
294304e4	179	default 120
c9f9e0e1 JP	180
	181	This extended timeout will be used in case there is an UDP stream
	182	detected.
a0badcc6 YS	183
	184	nf_conntrack_gre_timeout - INTEGER (seconds)
	185	default 30
	186
	187	nf_conntrack_gre_timeout_stream - INTEGER (seconds)
	188	default 180
	189
	190	This extended timeout will be used in case there is an GRE stream
	191	detected.
3078d964	192
7a3f5b0d RS	193	nf_hooks_lwtunnel - BOOLEAN
	194	- 0 - disabled (default)
	195	- not 0 - enabled
	196
	197	If this option is enabled, the lightweight tunnel netfilter hooks are
	198	enabled. This option cannot be disabled once it is enabled.
	199
3078d964 OS	200	nf_flowtable_tcp_timeout - INTEGER (seconds)
	201	default 30
	202
	203	Control offload timeout for tcp connections.
	204	TCP connections may be offloaded from nf conntrack to nf flow table.
	205	Once aged, the connection is returned to nf conntrack with tcp pickup timeout.
	206
3078d964 OS	207	nf_flowtable_udp_timeout - INTEGER (seconds)
	208	default 30
	209
	210	Control offload timeout for udp connections.
	211	UDP connections may be offloaded from nf conntrack to nf flow table.
	212	Once aged, the connection is returned to nf conntrack with udp pickup timeout.