1.. SPDX-License-Identifier: GPL-2.0
2
3===================================
4Netfilter Conntrack Sysfs variables
5===================================
6
7/proc/sys/net/netfilter/nf_conntrack_* Variables:
8=================================================
9
10nf_conntrack_acct - BOOLEAN
11	- 0 - disabled (default)
12	- not 0 - enabled
13
14	Enable connection tracking flow accounting. 64-bit byte and packet
15	counters per flow are added.
16
17nf_conntrack_buckets - INTEGER
18	Size of the hash table. If not specified as a parameter during module
19	loading, the default size is calculated by dividing total memory
20	by 16384 to determine the number of buckets. The hash table will
21	never have fewer than 1024 and never more than 262144 buckets.
22	This sysctl is only writeable in the initial net namespace.
23
24nf_conntrack_checksum - BOOLEAN
25	- 0 - disabled
26	- not 0 - enabled (default)
27
28	Verify the checksum of incoming packets. Packets with bad checksums are
29	marked INVALID. If this is enabled, such packets will not be
30	considered for connection tracking.
31
32nf_conntrack_count - INTEGER (read-only)
33	Number of currently allocated flow entries.
34
35nf_conntrack_events - BOOLEAN
36	- 0 - disabled
37	- not 0 - enabled (default)
38
39	If this option is enabled, the connection tracking code will
40	provide userspace with connection tracking events via ctnetlink.
41
42nf_conntrack_expect_max - INTEGER
43	Maximum size of expectation table.  Default value is
44	nf_conntrack_buckets / 256. Minimum is 1.
45
46nf_conntrack_frag6_high_thresh - INTEGER
47	default 262144
48
49	Maximum memory used to reassemble IPv6 fragments.  When
50	nf_conntrack_frag6_high_thresh bytes of memory is allocated for this
51	purpose, the fragment handler will toss packets until
52	nf_conntrack_frag6_low_thresh is reached.
53
54nf_conntrack_frag6_low_thresh - INTEGER
55	default 196608
56
57	See nf_conntrack_frag6_high_thresh.
58
59nf_conntrack_frag6_timeout - INTEGER (seconds)
60	default 60
61
62	Time to keep an IPv6 fragment in memory.
63
64nf_conntrack_generic_timeout - INTEGER (seconds)
65	default 600
66
67	Default for generic timeout.  This refers to layer 4 unknown/unsupported
68	protocols.
69
70nf_conntrack_helper - BOOLEAN
71	- 0 - disabled (default)
72	- not 0 - enabled
73
74	Enable automatic conntrack helper assignment.
75	If disabled (the default) it is required to set up iptables rules to assign
76	helpers to connections, which limits helper parsing to the flows that
77	actually need it.  See the CT target description in the
78	iptables-extensions(8) man page for further information.
78
79nf_conntrack_icmp_timeout - INTEGER (seconds)
80	default 30
81
82	Default for ICMP timeout.
83
84nf_conntrack_icmpv6_timeout - INTEGER (seconds)
85	default 30
86
87	Default for ICMP6 timeout.
88
89nf_conntrack_log_invalid - INTEGER
90	- 0   - disable (default)
91	- 1   - log ICMP packets
92	- 6   - log TCP packets
93	- 17  - log UDP packets
94	- 33  - log DCCP packets
95	- 41  - log ICMPv6 packets
96	- 136 - log UDPLITE packets
97	- 255 - log packets of any protocol
98
99	Log invalid packets of a type specified by value.
100
101nf_conntrack_max - INTEGER
102        Maximum number of allowed connection tracking entries. This value is set
103        to nf_conntrack_buckets by default.
104        Note that connection tracking entries are added to the table twice -- once
105        for the original direction and once for the reply direction (i.e., with
106        the reversed address). This means that with default settings a maxed-out
107        table will have an average hash chain length of 2, not 1.
108
109nf_conntrack_tcp_be_liberal - BOOLEAN
110	- 0 - disabled (default)
111	- not 0 - enabled
112
113	Be conservative in what you do, be liberal in what you accept from others.
114	If it's non-zero, only out of window RST segments are marked INVALID; other out of window segments are no longer rejected.
115
116nf_conntrack_tcp_ignore_invalid_rst - BOOLEAN
117	- 0 - disabled (default)
118	- 1 - enabled
119
120	If it's 1, we don't mark out of window RST segments as INVALID.
121
122nf_conntrack_tcp_loose - BOOLEAN
123	- 0 - disabled
124	- not 0 - enabled (default)
125
126	If it is set to zero, conntrack will not pick up already established
127	connections, i.e. TCP flows whose initial handshake it did not see.
128
129nf_conntrack_tcp_max_retrans - INTEGER
130	default 3
131
132	Maximum number of packets that can be retransmitted without
133	receiving an (acceptable) ACK from the destination. If this number
134	is reached, a shorter timer will be started.
135
136nf_conntrack_tcp_timeout_close - INTEGER (seconds)
137	default 10
138
139nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
140	default 60
141
142nf_conntrack_tcp_timeout_established - INTEGER (seconds)
143	default 432000 (5 days)
144
145nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
146	default 120
147
148nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
149	default 30
150
151nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
152	default 300
153
154nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
155	default 60
156
157nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
158	default 120
159
160nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
161	default 120
162
163nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
164	default 300
165
166nf_conntrack_timestamp - BOOLEAN
167	- 0 - disabled (default)
168	- not 0 - enabled
169
170	Enable connection tracking flow timestamping.
171
172nf_conntrack_udp_timeout - INTEGER (seconds)
173	default 30
174
175nf_conntrack_udp_timeout_stream - INTEGER (seconds)
176	default 120
177
178	This extended timeout will be used in case a UDP stream is
179	detected.
180
181nf_conntrack_gre_timeout - INTEGER (seconds)
182	default 30
183
184nf_conntrack_gre_timeout_stream - INTEGER (seconds)
185	default 180
186
187	This extended timeout will be used in case a GRE stream is
188	detected.
189
190nf_hooks_lwtunnel - BOOLEAN
191	- 0 - disabled (default)
192	- not 0 - enabled
193
194	If this option is enabled, the lightweight tunnel netfilter hooks are
195	enabled. This option cannot be disabled once it is enabled.
196
197nf_flowtable_tcp_timeout - INTEGER (seconds)
198        default 30
199
200        Controls the offload timeout for TCP connections.
201        TCP connections may be offloaded from nf conntrack to nf flow table.
202        Once aged, the connection is returned to nf conntrack with the TCP pickup timeout.
203
204nf_flowtable_udp_timeout - INTEGER (seconds)
205        default 30
206
207        Controls the offload timeout for UDP connections.
208        UDP connections may be offloaded from nf conntrack to nf flow table.
209        Once aged, the connection is returned to nf conntrack with the UDP pickup timeout.
210