On Thu, Oct 28, 2021 at 05:37:24PM +0200, Florian Westphal wrote: > docs are too terse and did not have the list of valid timeout states. > While at it, adjust default stream timeout of udp to 120, this is the > current kernel default. ack. > Signed-off-by: Florian Westphal <fw@xxxxxxxxx> > --- > doc/stateful-objects.txt | 11 +++++++++++ > src/rule.c | 2 +- > 2 files changed, 12 insertions(+), 1 deletion(-) > > diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt > index 4972969eb250..e3c79220811f 100644 > --- a/doc/stateful-objects.txt > +++ b/doc/stateful-objects.txt > @@ -77,6 +77,17 @@ per ct timeout comment field | > string > |================= > > +tcp connection state names that can have a specific timeout value are: > + > +'close', 'close_wait', 'established', 'fin_wait', 'last_ack', 'retrans', 'syn_recv', 'syn_sent', 'time_wait' and 'unack'. > + > +You can use 'sysctl -a |grep net.netfilter.nf_conntrack_tcp_timeout_' to view and change the system-wide defaults. > +'ct timeout' allows for flow-specific settings, without changing the global timeouts. > + > +For example, tcp port 53 could have much lower settings than other traffic. > + > +udp state names that can have a specific timeout value are 'replied' and 'unreplied'. > + > .defining and assigning ct timeout policy > ---------------------------------- > table ip filter { > diff --git a/src/rule.c b/src/rule.c > index c7bc6bcf3496..b1700c40079d 100644 > --- a/src/rule.c > +++ b/src/rule.c > @@ -72,7 +72,7 @@ static uint32_t tcp_dflt_timeout[] = { > > static uint32_t udp_dflt_timeout[] = { > [NFTNL_CTTIMEOUT_UDP_UNREPLIED] = 30, > - [NFTNL_CTTIMEOUT_UDP_REPLIED] = 180, > + [NFTNL_CTTIMEOUT_UDP_REPLIED] = 120, > }; > > struct timeout_protocol timeout_protocol[IPPROTO_MAX] = { > -- > 2.32.0 >
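Review bot: in the doc/stateful-objects.txt hunk, the sentence "You can use 'sysctl -a |grep net.netfilter.nf_conntrack_tcp_timeout_' to view and change the system-wide defaults" overstates what that pipeline does: `sysctl -a | grep` only lists the current values, it cannot change them. Suggest rewording to "to view the system-wide defaults" and, if changing them is worth mentioning, pointing at a write form of sysctl separately. Two smaller points in the same hunk: the udp paragraph lists 'replied' and 'unreplied' but, unlike the tcp paragraph, gives no pointer to where the udp system-wide defaults live, so the two protocols read unevenly; and since the hunk explains that 'ct timeout' overrides per flow without touching the global timeouts, it would help to state that states left out of a ct timeout object fall back to nft's built-in defaults rather than to the running kernel's sysctl values.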
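Review bot: the src/rule.c hunk lowers the compiled-in `[NFTNL_CTTIMEOUT_UDP_REPLIED]` default from 180 to 120 to match the kernel, which is a user-visible change for any ruleset that defines a udp ct timeout object without an explicit 'replied' value; that deserves a line in the commit message beyond "this is the current kernel default", and ideally a mention in the doc hunk of what the built-in defaults are. More generally, because `udp_dflt_timeout[]` (and the `tcp_dflt_timeout[]` shown in context) are static constants inside nft, they can drift from the kernel's defaults again in the future; documenting that these are nft's own fallback values, not values read from the kernel at runtime, would keep the doc accurate even when the numbers diverge.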