Wed, Jan 16, 2013 at 02:26:24PM CET, fw@xxxxxxxxx wrote:
>Jiri Pirko <jiri@xxxxxxxxxxx> wrote:
>> I grepped through the code and picked bits about nf_conntrack sysctl api
>> and put that into one documentation file.
>
>Thanks a lot for doing this. A few comments/suggestions below.

Thanks for looking at this. I will process your comments and send v2.

>
>> +nf_conntrack_checksum - BOOLEAN
>> +	0 - disabled
>> +	not 0 - enabled (default)
>> +
>> +	Enable connection tracking checksuming.
>
>Verify checksum of incoming packets. Packets with bad checksum
>will not be considered for connection tracking, i.e. such packets
>will be in INVALID state.
>
>> +nf_conntrack_events - BOOLEAN
>> +	0 - disabled
>> +	not 0 - enabled (default)
>> +
>> +	If this option is enabled, the connection tracking code will provide
>> +	a notifier chain that can be used by other kernel code to get notified
>> +	about changes in the connection tracking state.
>
>If this option is enabled, the connection tracking code will
>provide userspace with connection tracking events via ctnetlink.
>
>[ The notifier call chain doesn't exist any more (ctnetlink was
>the only user). ]
>
>> +nf_conntrack_events_retry_timeout - INTEGER (seconds)
>> +	default 15
>> +
>> +	Timeout after which destroy event will be delivered.
>
>This option is only relevant when "reliable connection tracking
>events" are used. Normally, ctnetlink is "lossy", i.e. when
>userspace listeners can't keep up, events are dropped.
>
>Userspace can request "reliable event mode". When this mode is
>active, the conntrack will only be destroyed after the event was
>delivered. If event delivery fails, the kernel periodically
>re-tries to send the event to userspace.
>
>This is the maximum interval the kernel should use when re-trying
>to deliver the destroy event.
>
>Higher number means less delivery re-tries (but it will then take
>longer for a backlog to be processed).
>
>> +nf_conntrack_log_invalid - INTEGER
>> +	0 - disabled (default)
>> +	IPPROTO_RAW (log packets of any proto)
>> +	IPPROTO_TCP
>> +	IPPROTO_ICMP
>> +	IPPROTO_ICMPV6
>> +	IPPROTO_DCCP
>> +	IPPROTO_UDP
>> +	IPPROTO_UDPLITE
>> +
>> +	For values, see <linux/in.h>
>> +
>> +	Log invalid packets of a type specified by value.
>
>I would write the numbers here, e.g:
>
>Log invalid packets of a type specified by protocol number.
>255 - log packets of any protocol
>6 - log tcp
>...
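Review bot: the nf_conntrack_checksum hunk has a typo in its description line, "Enable connection tracking checksuming." should read "checksumming", and while touching that line it is worth adopting Florian's wording above so the entry states the consequence of the check: packets with a bad checksum are not considered for connection tracking and end up in INVALID state, rather than only saying the feature is "enabled".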