On Fri, 2009-10-16 at 14:26 +0200, Roderick Groesbeek wrote:
> Thomas,
> How 'scary' do you think it would be to set this on say: 75 seconds?
>
> [root@pollux net ]# cat
> /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
> 432000
> [root@pollux net ]#

Depends on the other applications really. Probably you would not even notice it for ordinary Web & E-Mail stuff; for other applications (like SSH without keepalive) it could be quite annoying ;)

Anyway, many home NAT routers have far lower timeout settings for "established connection but no data" scenarios to keep their tables from overflowing.

> And is this setting operational 'both ways' (to the masqued connection
> and the internal connection)?

AFAIK there is only one entry in the conntrack (=NAT) table for each TCP connection, right? I interpret nf_conntrack_tcp_timeout_established as meaning "no data was received from either end for this many seconds".

> Know all about RTP/RTCP/RTSP/etc.
>
> We build H.323 applications too! :)
> We even sell H.324m gateways, and build them for Tandberg (now Cisco):
> http://www.triple-it.nl/wp-content/uploads/2009/03/factsheet_gateway.pdf
>
> It does look like the NF_CONNTRACK modules for H.323 and RTSP are still
> pretty much unmaintained for Linux.
>
> For instance:
> I had to patch & build the RTSP conntrack module for our pollux, it
> didn't work out of the box.

If you do, why not contribute a full kernel module? That's why it's lacking, since nobody with expertise in the area was willing to contribute some quality code ;)
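As an added illustration (not from the thread; the conntrack table below is constructed), a short Python script that reads /proc/net/nf_conntrack-style lines and reports which currently ESTABLISHED flows have already been idle longer than a proposed timeout such as 75 s, which is one way to gauge how 'scary' the change would be before applying it. It assumes the line layout described in the comment and infers idle time as the configured timeout minus the seconds remaining on the entry.

```python
import re

# Constructed sample in the /proc/net/nf_conntrack layout (assumed format:
# l3proto l3num l4proto l4num <seconds-left> [tcp state] key=value ...);
# the addresses and ports are made up for this example.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.20 sport=51234 dport=443 src=203.0.113.20 dst=198.51.100.5 sport=443 dport=51234 [ASSURED] use=2
ipv4     2 tcp      6 430000 ESTABLISHED src=192.168.1.11 dst=203.0.113.21 sport=40022 dport=22 src=203.0.113.21 dst=198.51.100.5 sport=22 dport=40022 [ASSURED] use=1
ipv4     2 tcp      6 431900 ESTABLISHED src=192.168.1.12 dst=203.0.113.22 sport=40025 dport=25 src=203.0.113.22 dst=198.51.100.5 sport=25 dport=40025 [ASSURED] use=1
ipv4     2 tcp      6 119 TIME_WAIT src=192.168.1.10 dst=203.0.113.20 sport=51200 dport=80 src=203.0.113.20 dst=198.51.100.5 sport=80 dport=51200 [ASSURED] use=1
ipv4     2 udp     17 29 src=192.168.1.13 dst=203.0.113.53 sport=53000 dport=53 src=203.0.113.53 dst=198.51.100.5 sport=53 dport=53000 use=1
"""

CURRENT_TIMEOUT = 432000   # nf_conntrack_tcp_timeout_established shown in the thread (5 days)

def parse_tcp_entries(text):
    """Return one dict per TCP entry: state, seconds left, original-direction src/dst/dport."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[2] != "tcp":
            continue                      # only TCP entries carry the established timeout
        orig = {}
        for key, value in re.findall(r"(\w+)=(\S+)", line):
            orig.setdefault(key, value)   # first src/dst/sport/dport = original direction
        entries.append({
            "state": fields[5],
            "seconds_left": int(fields[4]),
            "src": orig["src"], "dst": orig["dst"], "dport": int(orig["dport"]),
        })
    return entries

def would_expire(entries, current_timeout, proposed_timeout):
    """ESTABLISHED entries whose inferred idle time (current_timeout - seconds_left,
    i.e. time since the last packet in either direction) exceeds proposed_timeout."""
    at_risk = []
    for e in entries:
        if e["state"] != "ESTABLISHED":
            continue
        idle = current_timeout - e["seconds_left"]
        if idle > proposed_timeout:
            at_risk.append((e["src"], e["dst"], e["dport"], idle))
    return at_risk

if __name__ == "__main__":
    at_risk = would_expire(parse_tcp_entries(SAMPLE_CONNTRACK), CURRENT_TIMEOUT, 75)
    for src, dst, dport, idle in at_risk:
        print(f"{src} -> {dst}:{dport} idle {idle}s would be dropped at a 75s timeout")
```

On a live box, feed it the real table (cat /proc/net/nf_conntrack) and the value currently in nf_conntrack_tcp_timeout_established; flows on port 22 with a long idle time are exactly the SSH-without-keepalive case mentioned above.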