On Mon, Sep 05, 2016 at 11:33:04AM +0200, Pablo Neira Ayuso wrote: > On Sat, Sep 03, 2016 at 02:47:08PM -0400, John Ratliff wrote: > > I have been able to raise the conntrack limits and the hashsize, > > but I don't know how to get a udp timeout policy yet. I'm using > > Debian 8 Jessie with nfct 1.42. > > > > $ nfct timeout add dns-udp inet udp established 15 close 1 close_wait 1 > > nfct v1.4.2: Wrong state name: `ESTABLISHED' for protocol `udp' > > UDP has two states, replied and unreplied, so this is: > > # nfct add timeout dns-udp inet udp replied 15 unreplied 1 Perhaps I am not understanding, but I think those numbers should possibly be reversed? "... replied 1 unreplied 15"? The goal being to hold the conntrack entry up to 15 seconds if we don't hear back from the query, but to clear it out quickly after we did. Would a "replied 0" be feasible, to get it out of conntrack right away? [snip] > That's it. If anyone gets some spare cycles, I'd appreciate if you > can contribute a patch to update the manpage so this information > is available there. I'm at work on it now, if uninterrupted (hah!) I should have it to you very soon. Thank you. -- http://rob0.nodns4.us/ Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
