On Mon, Jun 07, 2021 at 02:16:09PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 03, 2021 at 03:12:32PM +0300, Oz Shlomo wrote:
> > TCP and UDP connections may be offloaded from nf conntrack to nf flow table.
> > Offloaded connections are aged after 30 seconds of inactivity.
> > Once aged, ownership is returned to conntrack with a hard coded tcp/udp
> > pickup time of 120/30 seconds, after which the connection may be deleted.
> >
> > The current hard-coded pickup intervals may introduce a very aggressive
> > aging policy. For example, offloaded tcp connections in established state
> > will timeout from nf conntrack after just 150 seconds of inactivity,
> > instead of 5 days. In addition, the hard-coded 30 second offload timeout
> > period can significantly increase the hardware insertion rate requirements
> > in some use cases.
> >
> > This patchset provides the user with the ability to configure protocol
> > specific offload timeout and pickup intervals via sysctl.
> > The first and second patches introduce the sysctl configuration for
> > tcp and udp protocols. The last patch modifies nf flow table aging
> > mechanisms to use the configured time intervals.
>
> Series applied, thanks.

Patchset missed a description of the new sysctl entries in
nf_conntrack-sysctl.rst, btw.

Marcelo