authorPablo Neira Ayuso <pablo@netfilter.org>2009-01-25 17:53:14 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2009-01-25 17:53:14 +0100
commitcced587d766b9194b698a156d241766d5bad8a9d (patch)
treec9084ff763d29dd238a45e10db886f966ec5d7e4
parent50c09dec9ad0261d8fcc18d69b2c9ec74052955c (diff)
src: increase default PurgeTimeout value
This patch increases the default PurgeTimeout value to 60 seconds. The former 15 seconds gives a good real-time reaction from the user's point of view, but it is too short if you trigger random failures in a firewall cluster. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--doc/sync/alarm/conntrackd.conf11
-rw-r--r--doc/sync/ftfw/conntrackd.conf11
-rw-r--r--doc/sync/notrack/conntrackd.conf11
-rw-r--r--src/read_config_yy.y4
4 files changed, 17 insertions, 20 deletions
diff --git a/doc/sync/alarm/conntrackd.conf b/doc/sync/alarm/conntrackd.conf
index 3479a83..db7d99e 100644
--- a/doc/sync/alarm/conntrackd.conf
+++ b/doc/sync/alarm/conntrackd.conf
@@ -27,13 +27,12 @@ Sync {
#
# If the firewall replica goes from primary to backup,
# the conntrackd -t command is invoked in the script.
- # This command resets the timers of the conntracks that
- # live in the kernel to this new value. This is useful
- # to purge the connection tracking table of zombie entries
- # and avoid clashes with old entries if you trigger
- # several consecutive hand-overs.
+ # This command schedules a flush of the table in N seconds.
+ # This is useful to purge the connection tracking table of
+ # zombie entries and avoid clashes with old entries if you
+ # trigger several consecutive hand-overs. Default is 60 seconds
#
- PurgeTimeout 15
+ # PurgeTimeout 60
}
#
diff --git a/doc/sync/ftfw/conntrackd.conf b/doc/sync/ftfw/conntrackd.conf
index 4fd86d7..69572cf 100644
--- a/doc/sync/ftfw/conntrackd.conf
+++ b/doc/sync/ftfw/conntrackd.conf
@@ -24,13 +24,12 @@ Sync {
#
# If the firewall replica goes from primary to backup,
# the conntrackd -t command is invoked in the script.
- # This command resets the timers of the conntracks that
- # live in the kernel to this new value. This is useful
- # to purge the connection tracking table of zombie entries
- # and avoid clashes with old entries if you trigger
- # several consecutive hand-overs.
+ # This command schedules a flush of the table in N seconds.
+ # This is useful to purge the connection tracking table of
+ # zombie entries and avoid clashes with old entries if you
+ # trigger several consecutive hand-overs. Default is 60 seconds.
#
- PurgeTimeout 15
+ # PurgeTimeout 60
# Set the acknowledgement window size. If you decrease this
# value, the number of acknowlegdments increases. More
diff --git a/doc/sync/notrack/conntrackd.conf b/doc/sync/notrack/conntrackd.conf
index 5abf589..1df79a1 100644
--- a/doc/sync/notrack/conntrackd.conf
+++ b/doc/sync/notrack/conntrackd.conf
@@ -13,13 +13,12 @@ Sync {
#
# If the firewall replica goes from primary to backup,
# the conntrackd -t command is invoked in the script.
- # This command resets the timers of the conntracks that
- # live in the kernel to this new value. This is useful
- # to purge the connection tracking table of zombie entries
- # and avoid clashes with old entries if you trigger
- # several consecutive hand-overs.
+ # This command schedules a flush of the table in N seconds.
+ # This is useful to purge the connection tracking table of
+ # zombie entries and avoid clashes with old entries if you
+ # trigger several consecutive hand-overs. Default is 60 seconds.
#
- PurgeTimeout 15
+ # PurgeTimeout 60
}
#
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index 766d543..049896e 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -1141,9 +1141,9 @@ init_config(char *filename)
if (CONFIG(cache_timeout) == 0)
CONFIG(cache_timeout) = 180;
- /* default to 15 seconds: purge kernel entries */
+ /* default to 60 seconds: purge kernel entries */
if (CONFIG(purge_timeout) == 0)
- CONFIG(purge_timeout) = 15;
+ CONFIG(purge_timeout) = 60;
/* default to 60 seconds of refresh time */
if (CONFIG(refresh) == 0)
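Review bot: The comment on the new default, `/* default to 60 seconds: purge kernel entries */`, records the value but not why it changed, and with the shipped example configs now carrying `# PurgeTimeout 60` commented out, this assignment is the only place the default is actually set; suggest `/* default to 60 seconds: purge kernel entries (15 s was too short to ride out a node failure in a firewall cluster) */`. Note also that the `CONFIG(purge_timeout) == 0` test above uses 0 as the "unset" sentinel, so a deliberately configured `PurgeTimeout 0` would presumably be silently replaced by 60 rather than meaning an immediate flush — worth a comment, or a separate "was set" flag, if the grammar accepts 0 (not visible here). init_config() starts before the hunk and continues past it.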