We have no explicit signal when a UDP stream has terminated; peers just stop sending. For the unreplied UDP case, 10 seconds should be enough to cover delayed replies, and for suspected stream connections a timeout of two minutes is sane to keep the NAT mapping alive a while longer. It matches the TCP conntrack 'timewait' default timeout value. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- Documentation/networking/nf_conntrack-sysctl.txt | 4 ++-- net/netfilter/nf_conntrack_proto_udp.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Documentation/networking/nf_conntrack-sysctl.txt b/Documentation/networking/nf_conntrack-sysctl.txt index 1669dc2419fd..371b6260dcd5 100644 --- a/Documentation/networking/nf_conntrack-sysctl.txt +++ b/Documentation/networking/nf_conntrack-sysctl.txt @@ -154,10 +154,10 @@ nf_conntrack_timestamp - BOOLEAN Enable connection tracking flow timestamping. nf_conntrack_udp_timeout - INTEGER (seconds) - default 30 + default 10 nf_conntrack_udp_timeout_stream - INTEGER (seconds) - default 180 + default 120 This extended timeout will be used in case there is an UDP stream detected. diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c index 76cee2fe3b1b..807389da42f4 100644 --- a/net/netfilter/nf_conntrack_proto_udp.c +++ b/net/netfilter/nf_conntrack_proto_udp.c @@ -28,8 +28,8 @@ #include <net/netfilter/ipv6/nf_conntrack_ipv6.h> static const unsigned int udp_timeouts[UDP_CT_MAX] = { - [UDP_CT_UNREPLIED] = 30*HZ, - [UDP_CT_REPLIED] = 180*HZ, + [UDP_CT_UNREPLIED] = 10*HZ, + [UDP_CT_REPLIED] = 120*HZ, }; static unsigned int *udp_get_timeouts(struct net *net) -- 2.19.2
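Review bot: the nf_conntrack-sysctl.txt hunk only swaps the two numbers ("default 30" to "default 10", "default 180" to "default 120") and drops none of the reasoning from the commit message into the documentation, so a reader of the sysctl text cannot see that nf_conntrack_udp_timeout_stream was chosen to match the TCP conntrack 'timewait' default or that 10 s is meant to cover delayed replies. Suggest a short note under nf_conntrack_udp_timeout_stream, e.g. "default 120 (matches the TCP time_wait default)", and a sentence under nf_conntrack_udp_timeout pointing out that the unreplied timeout was lowered from 30 s and that deployments depending on the old window can restore it with the sysctl (nf_conntrack_udp_timeout=30), since a late reply arriving after the shorter timeout will now hit a conntrack entry that has already expired and, behind NAT, a mapping that is gone.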
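Review bot: in the udp_timeouts[] hunk, 10*HZ and 120*HZ are bare literals that must now be kept in step by hand with the "default 10" / "default 120" text in nf_conntrack-sysctl.txt and with the TCP 'timewait' default the commit message says 120 is meant to track; nothing in the code records either relationship, so the next edit to one side can silently desynchronize them. Suggest at least a comment on the entry, e.g. "[UDP_CT_REPLIED] = 120*HZ, /* same as TCP time_wait default */", and, since the array is indexed by UDP_CT_UNREPLIED / UDP_CT_REPLIED while the documentation names the knobs nf_conntrack_udp_timeout / nf_conntrack_udp_timeout_stream, a one-line comment mapping the two names so that the "stream" timeout is recognisably the REPLIED slot.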