TCP and UDP connections may be offloaded from nf conntrack to nf flow table.
Offloaded connections are aged after 30 seconds of inactivity.
Once aged, ownership is returned to conntrack with a hard coded tcp/udp
pickup time of 120/30 seconds, after which the connection may be deleted.

The current hard-coded pickup intervals may introduce a very aggressive
aging policy. For example, offloaded tcp connections in established state
will timeout from nf conntrack after just 150 seconds of inactivity,
instead of 5 days. In addition, the hard-coded 30 second offload timeout
period can significantly increase the hardware insertion rate requirements
in some use cases.

This patchset provides the user with the ability to configure protocol
specific offload timeout and pickup intervals via sysctl.
The first and second patches introduce the sysctl configuration for
tcp and udp protocols. The last patch modifies nf flow table aging
mechanisms to use the configured time intervals.

Oz Shlomo (3):
  netfilter: conntrack: Introduce tcp offload timeout configuration
  netfilter: conntrack: Introduce udp offload timeout configuration
  netfilter: flowtable: Set offload timeouts according to proto values

 include/net/netfilter/nf_flow_table.h   |  2 ++
 include/net/netns/conntrack.h           |  8 ++++++
 net/netfilter/nf_conntrack_proto_tcp.c  |  5 ++++
 net/netfilter/nf_conntrack_proto_udp.c  |  5 ++++
 net/netfilter/nf_conntrack_standalone.c | 46 ++++++++++++++++++++++++++++++++
 net/netfilter/nf_flow_table_core.c      | 47 ++++++++++++++++++++++++++-------
 net/netfilter/nf_flow_table_offload.c   |  4 +--
 7 files changed, 105 insertions(+), 12 deletions(-)

--
1.8.3.1