.. SPDX-License-Identifier: GPL-2.0

===================================
Netfilter Conntrack Sysfs variables
===================================

/proc/sys/net/netfilter/nf_conntrack_* Variables:
=================================================

nf_conntrack_acct - BOOLEAN
        - 0 - disabled (default)
        - not 0 - enabled

        Enable connection tracking flow accounting. 64-bit byte and packet
        counters per flow are added.

nf_conntrack_buckets - INTEGER
        Size of hash table. If not specified as parameter during module
        loading, the default size is calculated by dividing total memory
        by 16384 to determine the number of buckets. The hash table will
        never have fewer than 1024 and never more than 262144 buckets.
        This sysctl is only writeable in the initial net namespace.

nf_conntrack_checksum - BOOLEAN
        - 0 - disabled
        - not 0 - enabled (default)

        Verify checksum of incoming packets. Packets with bad checksums are
        in INVALID state. If this is enabled, such packets will not be
        considered for connection tracking.

nf_conntrack_count - INTEGER (read-only)
        Number of currently allocated flow entries.

nf_conntrack_events - BOOLEAN

        If this option is enabled, the connection tracking code will
        provide userspace with connection tracking events via ctnetlink.
        The default allocates the extension if a userspace program is
        listening to ctnetlink events.

nf_conntrack_expect_max - INTEGER
        Maximum size of expectation table. Default value is
        nf_conntrack_buckets / 256. Minimum is 1.

nf_conntrack_frag6_high_thresh - INTEGER

        Maximum memory used to reassemble IPv6 fragments. When
        nf_conntrack_frag6_high_thresh bytes of memory is allocated for this
        purpose, the fragment handler will drop packets until
        nf_conntrack_frag6_low_thresh is reached.

nf_conntrack_frag6_low_thresh - INTEGER

        See nf_conntrack_frag6_high_thresh.

nf_conntrack_frag6_timeout - INTEGER (seconds)

        Time to keep an IPv6 fragment in memory.

nf_conntrack_generic_timeout - INTEGER (seconds)

        Default for generic timeout. This refers to layer 4 unknown/unsupported

nf_conntrack_helper - BOOLEAN
        - 0 - disabled (default)
        - not 0 - enabled

        Enable automatic conntrack helper assignment.
        If disabled, iptables rules are required to assign helpers to
        connections. See the CT target description in the
        iptables-extensions(8) man page for further information.

nf_conntrack_icmp_timeout - INTEGER (seconds)

        Default for ICMP timeout.

nf_conntrack_icmpv6_timeout - INTEGER (seconds)

        Default for ICMP6 timeout.

nf_conntrack_log_invalid - INTEGER
        - 0 - disable (default)
        - 1 - log ICMP packets
        - 17 - log UDP packets
        - 33 - log DCCP packets
        - 41 - log ICMPv6 packets
        - 136 - log UDPLITE packets
        - 255 - log packets of any protocol

        Log invalid packets of the protocol whose number is given by the
        value.

nf_conntrack_max - INTEGER
        Maximum number of allowed connection tracking entries. This value is set
        to nf_conntrack_buckets by default.
        Note that connection tracking entries are added to the table twice -- once
        for the original direction and once for the reply direction (i.e., with
        the reversed address). This means that with default settings a maxed-out
        table will have an average hash chain length of 2, not 1.

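As an added example, not part of the kernel documentation: a POSIX shell script that applies the bucket-sizing rule and the two-entries-per-flow note above to constructed values, and to the live sysctls when they are readable. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the kernel documentation: sanity-check the
# conntrack table sizing rules described above. All functions take their
# inputs as arguments so they can be exercised with constructed values.

# Default nf_conntrack_buckets for a machine with $1 bytes of RAM:
# total memory / 16384, clamped to the documented [1024, 262144] range.
default_buckets() {
    buckets=$(( $1 / 16384 ))
    if [ "$buckets" -lt 1024 ]; then
        buckets=1024
    elif [ "$buckets" -gt 262144 ]; then
        buckets=262144
    fi
    echo "$buckets"
}

# Average hash chain length when $1 flows are tracked with $2 buckets.
# Each flow is inserted twice (original and reply direction), so a table
# at nf_conntrack_max == nf_conntrack_buckets averages 2.00, not 1.00.
avg_chain_len() {
    awk -v n="$1" -v b="$2" 'BEGIN { printf "%.2f\n", 2 * n / b }'
}

# Percentage of nf_conntrack_max in use, given nf_conntrack_count ($1)
# and nf_conntrack_max ($2). A full table means new flows are dropped,
# so this is the number worth alerting on.
table_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Run against the live kernel values when the sysctls are readable;
# silently skipped on hosts without nf_conntrack loaded.
sysfs=/proc/sys/net/netfilter
if [ -r "$sysfs/nf_conntrack_max" ] && [ -r /proc/meminfo ]; then
    mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    ct_max=$(cat "$sysfs/nf_conntrack_max")
    ct_buckets=$(cat "$sysfs/nf_conntrack_buckets")
    ct_count=$(cat "$sysfs/nf_conntrack_count")
    echo "expected default buckets: $(default_buckets $(( mem_kb * 1024 )))"
    echo "configured buckets:       $ct_buckets"
    echo "chain length at max:      $(avg_chain_len "$ct_max" "$ct_buckets")"
    echo "table usage:              $(table_usage_pct "$ct_count" "$ct_max")%"
fi
```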
nf_conntrack_tcp_be_liberal - BOOLEAN
        - 0 - disabled (default)
        - not 0 - enabled

        Be conservative in what you do, be liberal in what you accept from others.
        If it is non-zero, only out-of-window RST segments are marked as INVALID.

nf_conntrack_tcp_ignore_invalid_rst - BOOLEAN
        - 0 - disabled (default)
        - 1 - enabled

        If it is 1, out-of-window RST segments are not marked as INVALID.

nf_conntrack_tcp_loose - BOOLEAN
        - 0 - disabled
        - not 0 - enabled (default)

        If it is set to zero, we disable picking up already established

nf_conntrack_tcp_max_retrans - INTEGER

        Maximum number of packets that can be retransmitted without
        receiving an (acceptable) ACK from the destination. If this number
        is reached, a shorter timer will be started.

nf_conntrack_tcp_timeout_close - INTEGER (seconds)

nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)

nf_conntrack_tcp_timeout_established - INTEGER (seconds)
        default 432000 (5 days)

nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)

nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)

nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)

nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)

nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)

nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)

nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)

nf_conntrack_timestamp - BOOLEAN
        - 0 - disabled (default)
        - not 0 - enabled

        Enable connection tracking flow timestamping.

nf_conntrack_udp_timeout - INTEGER (seconds)

nf_conntrack_udp_timeout_stream - INTEGER (seconds)

        This extended timeout will be used in case there is a UDP stream

nf_conntrack_gre_timeout - INTEGER (seconds)

nf_conntrack_gre_timeout_stream - INTEGER (seconds)

        This extended timeout will be used in case there is a GRE stream

nf_hooks_lwtunnel - BOOLEAN
        - 0 - disabled (default)
        - not 0 - enabled

        If this option is enabled, the lightweight tunnel netfilter hooks are
        enabled. This option cannot be disabled once it is enabled.

nf_flowtable_tcp_timeout - INTEGER (seconds)

        Control offload timeout for TCP connections.
        TCP connections may be offloaded from nf conntrack to nf flow table.
        Once aged, the connection is returned to nf conntrack with the TCP pickup timeout.

nf_flowtable_udp_timeout - INTEGER (seconds)

        Control offload timeout for UDP connections.
        UDP connections may be offloaded from nf conntrack to nf flow table.
        Once aged, the connection is returned to nf conntrack with the UDP pickup timeout.