On Sat, Sep 03, 2016 at 02:47:08PM -0400, John Ratliff wrote:
> I have been able to raise the conntrack limits and the hashsize, but I don't
> know how to get a udp timeout policy yet. I'm using Debian 8 Jessie with
> nfct 1.42.
>
> $ nfct timeout add dns-udp inet udp established 15 close 1 close_wait 1
> nfct v1.4.2: Wrong state name: `ESTABLISHED' for protocol `udp'

UDP has two states, replied and unreplied, so this is:

# nfct add timeout dns-udp inet udp replied 15 unreplied 1

For TCP, states are:

syn_sent
syn_recv
established
fin_wait
close_wait
last_ack
time_wait
close
syn_sent2
retrans
unacknowledged

When the generic tracker is in place, you use "timeout", e.g.

# nfct add timeout generic-timeout-policy inet generic timeout 15

For SCTP, states are:

closed
cookie_wait
cookie_echoed
established
shutdown_sent
shutdown_recd
shutdown_ack_sent

For DCCP, states are:

request
respond
partopen
open
closereq
closing
timewait

For ICMP/v6, there is only one, so you use "timeout".

That's it. If anyone gets some spare cycles, I'd appreciate it if you could
contribute a patch to update the manpage so this information is available
there.

You can use this to create your custom timeout policies. You can also set
global default timeouts via nfct:

# nfct default-set timeout inet tcp established 15

instead of using sysctl, just an alternative.

Thanks!
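As an added example that is not part of the mail above (my own helper, not nfct's or the netfilter project's code): a small POSIX sh function that checks each state name against the per-protocol lists given in the reply before the command ever reaches nfct, so a mistake like the one in the quoted command (TCP state names on a UDP policy) is caught with a clear message instead of nfct's "Wrong state name" error. The protocol table below is transcribed from the mail; the function names and the `--apply` flag are my own, and applying the output assumes nfct is installed and you are root.

```shell
#!/bin/sh
# Added example, not from the original mail: build (and optionally run) an
# "nfct add timeout" command after validating the state names per protocol.

# states_for PROTO  ->  prints the valid state names for that L4 protocol
# (lists as given in the reply above; "timeout" for trackers with one state).
states_for() {
    case "$1" in
        udp)  echo "replied unreplied" ;;
        tcp)  echo "syn_sent syn_recv established fin_wait close_wait last_ack time_wait close syn_sent2 retrans unacknowledged" ;;
        sctp) echo "closed cookie_wait cookie_echoed established shutdown_sent shutdown_recd shutdown_ack_sent" ;;
        dccp) echo "request respond partopen open closereq closing timewait" ;;
        icmp|icmpv6|generic) echo "timeout" ;;
        *) return 1 ;;
    esac
}

# build_timeout_cmd NAME FAMILY PROTO STATE SECONDS [STATE SECONDS ...]
# Prints the full nfct command line on success. On an unknown protocol,
# an unknown state name, or a non-numeric timeout it prints a diagnostic
# to stderr and returns 1 without printing a command.
build_timeout_cmd() {
    name=$1 family=$2 proto=$3
    shift 3
    valid=$(states_for "$proto") || {
        echo "unknown protocol '$proto' (known: udp tcp sctp dccp icmp icmpv6 generic)" >&2
        return 1
    }
    cmd="nfct add timeout $name $family $proto"
    while [ $# -ge 2 ]; do
        st=$1 secs=$2
        shift 2
        ok=0
        for v in $valid; do
            [ "$v" = "$st" ] && ok=1
        done
        [ "$ok" -eq 1 ] || {
            echo "Wrong state name '$st' for protocol '$proto' (valid: $valid)" >&2
            return 1
        }
        case "$secs" in
            ''|*[!0-9]*) echo "timeout for state '$st' must be a number of seconds, got '$secs'" >&2; return 1 ;;
        esac
        cmd="$cmd $st $secs"
    done
    echo "$cmd"
}

# Usage when run as a script:
#   ./nfct-timeout.sh dns-udp inet udp replied 15 unreplied 1          # print only
#   ./nfct-timeout.sh --apply dns-udp inet udp replied 15 unreplied 1  # run nfct (root)
if [ $# -gt 0 ]; then
    apply=0
    if [ "$1" = "--apply" ]; then apply=1; shift; fi
    out=$(build_timeout_cmd "$@") || exit 1
    echo "$out"
    if [ "$apply" -eq 1 ]; then
        # $out is built only from validated tokens, so word-splitting it is safe
        $out
    fi
fi
```

Once the policy exists, it still has to be attached to the flows it should govern; in iptables that is done from the raw table with the CT target, for example `iptables -t raw -A PREROUTING -p udp --dport 53 -j CT --timeout dns-udp` (this step is not in the mail above, but it is what gives the policy effect). Note that the reply's own examples use `nfct add timeout`, whereas the quoted failing command used `nfct timeout add`; the validator above emits the former.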