Re: [patch net-next] doc: add nf_conntrack sysctl api documentation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Wed, Jan 16, 2013 at 02:26:24PM CET, fw@xxxxxxxxx wrote:
>Jiri Pirko <jiri@xxxxxxxxxxx> wrote:
>> I grepped through the code and picked bits about nf_conntrack sysctl api
>> and put that into one documentation file.
>
>Thanks a lot for doing this.  A few comments/suggestions below.

Thanks for looking at this. I will process in your comments and send v2.

>
>> +nf_conntrack_checksum - BOOLEAN
>> +	0 - disabled
>> +	not 0 - enabled (default)
>> +
>> +	Enable connection tracking checksuming.
>
>Verify checksum of incoming packets.  Packets with bad checksum
>will not be considered for connection tracking, i.e. such packets
>will be in INVALID state.
>
>> +nf_conntrack_events - BOOLEAN
>> +	0 - disabled
>> +	not 0 - enabled (default)
>> +
>> +	If this option is enabled, the connection tracking code will provide
>> +	a notifier chain that can be used by other kernel code to get notified
>> +	about changes in the connection tracking state.
>
>If this option is enabled, the connection tracking code will
>provide userspace with connection tracking events via ctnetlink.
>
>[ The notifier call chain doesn't exist any more (ctnetlink was
>the only user). ]
>
>> +nf_conntrack_events_retry_timeout - INTEGER (seconds)
>> +	default 15
>> +
>> +	Timeout after which destroy event will be delivered.
>
>This option is only relevant when "reliable connection tracking
>events" are used.  Normally, ctnetlink is "lossy", i.e. when
>userspace listeners can't keep up, events are dropped.
>
>Userspace can request "reliable event mode".  When this mode is
>active, the conntrack will only be destroyed after the event was
>delivered.  If event delivery fails, the kernel periodically
>re-tries to send the event to userspace.
>
>This is the maximum interval the kernel should use when re-trying
>to deliver the destroy event.
>
>Higher number means less delivery re-tries (but it will then take
>longer for a backlog to be processed).
>
>> +nf_conntrack_log_invalid - INTEGER
>> +	0 - disabled (default)
>> +	IPPROTO_RAW (log packets of any proto)
>> +	IPPROTO_TCP
>> +	IPPROTO_ICMP
>> +	IPPROTO_ICMPV6
>> +	IPPROTO_DCCP
>> +	IPPROTO_UDP
>> +	IPPROTO_UDPLITE
>> +
>> +	For values, see <linux/in.h>
>> +
>> +	Log invalid packets of a type specified by value.
>
>I would write the numbers here, e.g:
>
>Log invalid packets of a type specified by protocol number.
>255 - log packets of any protocol
>6 - log tcp
>...
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux