diff options
| -rw-r--r-- | doc/stateful-objects.txt | 11 | ||||
| -rw-r--r-- | src/rule.c | 2 |
2 files changed, 12 insertions, 1 deletions
diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt index 4972969e..e3c79220 100644 --- a/doc/stateful-objects.txt +++ b/doc/stateful-objects.txt @@ -77,6 +77,17 @@ per ct timeout comment field | string |================= +tcp connection state names that can have a specific timeout value are: + +'close', 'close_wait', 'established', 'fin_wait', 'last_ack', 'retrans', 'syn_recv', 'syn_sent', 'time_wait' and 'unack'. + +You can use 'sysctl -a |grep net.netfilter.nf_conntrack_tcp_timeout_' to view and change the system-wide defaults. +'ct timeout' allows for flow-specific settings, without changing the global timeouts. + +For example, tcp port 53 could have much lower settings than other traffic. + +udp state names that can have a specific timeout value are 'replied' and 'unreplied'. + .defining and assigning ct timeout policy ---------------------------------- table ip filter { @@ -72,7 +72,7 @@ static uint32_t tcp_dflt_timeout[] = { static uint32_t udp_dflt_timeout[] = { [NFTNL_CTTIMEOUT_UDP_UNREPLIED] = 30, - [NFTNL_CTTIMEOUT_UDP_REPLIED] = 180, + [NFTNL_CTTIMEOUT_UDP_REPLIED] = 120, }; struct timeout_protocol timeout_protocol[IPPROTO_MAX] = { |