On Sat, May 10, 2008 at 10:56 AM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
> On a global scale you can set
> /proc/sys/net/netfilter/nf_conntrack_generic_timeout .
> There has been a module (or a group of them) called TIMEOUT or
> actually CONNTRACK by Phil Oester and Pablo Neira Ayuso with which
> you can set the ct timeout per connection. That's one way.
> Another is to use the RAWNAT target.
> But tc is an obscure thing.

Again, thanks for the suggestion. Setting "nf_conntrack_generic_timeout" seems to work fine.

For what concerns the RAW table and NOTRACK target, I think that their main purpose is to completely skip the CONNTRACK and NAT hooks, so no luck with them.

For the sake of completeness, in newer kernels (2.6.23+ I think), a brand new stateless NAT has been added. The config option is NET_ACT_NAT, and it can be configured via "ip route add nat". However, I think it's pointless to play with it now. Netfilter's NAT + nf_conntrack_generic_timeout are doing a good job.

Cheers
Andrea
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
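A way to check what the sysctl change discussed above actually affects, as an added example that is not part of this thread: it parses /proc/net/nf_conntrack, picks out the entries handled by the generic L4 tracker (printed as "unknown", the only entries nf_conntrack_generic_timeout governs), and flags those whose remaining time still exceeds the configured value, which happens when the sysctl is lowered after an entry was created and no packet has refreshed it yet. The sample table lines are constructed, not captured from a real host.

```python
import re

# Constructed sample of /proc/net/nf_conntrack output (not captured from a real host).
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=40000 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.0.2.10 dst=192.0.2.1 sport=5353 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=5353 mark=0 use=1
ipv4     2 unknown  47 599 src=192.0.2.10 dst=203.0.113.7 src=203.0.113.7 dst=192.0.2.10 mark=0 use=1
ipv4     2 unknown  50 120 src=192.0.2.11 dst=203.0.113.8 src=203.0.113.8 dst=192.0.2.11 mark=0 use=1
"""

# Leading columns: L3 name, L3 number, L4 name, L4 number, seconds until the entry expires.
LINE_RE = re.compile(r"^(?P<l3>\S+)\s+\d+\s+(?P<l4>\S+)\s+(?P<proto>\d+)\s+(?P<ttl>\d+)\s+(?P<rest>.*)$")

def parse_conntrack(text):
    """Parse conntrack table lines; the first src/dst pair is the original direction."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addrs = re.findall(r"\b(?:src|dst)=(\S+)", m.group("rest"))
        entries.append({"l4": m.group("l4"), "proto": int(m.group("proto")),
                        "ttl": int(m.group("ttl")), "src": addrs[0], "dst": addrs[1]})
    return entries

def generic_tracked(entries):
    """Entries with no protocol-specific tracker: the kernel prints them as 'unknown'
    and nf_conntrack_generic_timeout is the only timeout that applies to them."""
    return [e for e in entries if e["l4"] == "unknown"]

def stale_after_change(entries, generic_timeout):
    """Generic entries whose remaining time exceeds the configured generic timeout.
    The new value is applied only when a packet refreshes the entry, so these were
    created before the sysctl was lowered and keep the old timeout until refreshed."""
    return [e for e in generic_tracked(entries) if e["ttl"] > generic_timeout]

def read_generic_timeout(path="/proc/sys/net/netfilter/nf_conntrack_generic_timeout"):
    """Current nf_conntrack_generic_timeout in seconds, or None when not readable
    (non-Linux host, nf_conntrack not loaded, or insufficient permissions)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    timeout = read_generic_timeout() or 600  # 600 s is the kernel default
    for e in stale_after_change(parse_conntrack(SAMPLE_CONNTRACK), timeout):
        print(f"proto {e['proto']} {e['src']}->{e['dst']}: {e['ttl']}s left > {timeout}s configured")
```

On a real host, feed it the contents of /proc/net/nf_conntrack instead of the sample to see which long-lived entries were created before the sysctl was changed.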