path: root/doc/stateful-objects.txt
Diffstat (limited to 'doc/stateful-objects.txt')
-rw-r--r--doc/stateful-objects.txt13
1 files changed, 12 insertions, 1 deletions
diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt
index 4972969e..00d3c5f1 100644
--- a/doc/stateful-objects.txt
+++ b/doc/stateful-objects.txt
@@ -77,13 +77,24 @@ per ct timeout comment field |
string
|=================
+tcp connection state names that can have a specific timeout value are:
+
+'close', 'close_wait', 'established', 'fin_wait', 'last_ack', 'retrans', 'syn_recv', 'syn_sent', 'time_wait' and 'unack'.
+
+You can use 'sysctl -a |grep net.netfilter.nf_conntrack_tcp_timeout_' to view and change the system-wide defaults.
+'ct timeout' allows for flow-specific settings, without changing the global timeouts.
+
+For example, tcp port 53 could have much lower settings than other traffic.
+
+udp state names that can have a specific timeout value are 'replied' and 'unreplied'.
+
.defining and assigning ct timeout policy
----------------------------------
table ip filter {
ct timeout customtimeout {
protocol tcp;
l3proto ip
- policy = { established: 120, close: 20 }
+ policy = { established: 2m, close: 20s }
}
chain output {
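Review bot: the sentence "You can use 'sysctl -a |grep net.netfilter.nf_conntrack_tcp_timeout_' to view and change the system-wide defaults" is misleading, because that pipeline only lists the current values; it cannot change anything. Split it into a view command and a write command, e.g. "use 'sysctl -a | grep net.netfilter.nf_conntrack_tcp_timeout_' to view the system-wide defaults and 'sysctl -w net.netfilter.nf_conntrack_tcp_timeout_<state>=<seconds>' to change one", so readers are not left to guess how the global defaults are modified. The same paragraph should also say what unit the policy values are in and whether the time suffixes now used in the example ('established: 2m, close: 20s', replacing the bare '120' and '20') are optional or required, since the new state-name lists never state the unit and the example is the only hint. Finally, consider naming the matching sysctl key beside each tcp state name: the names 'retrans' and 'unack' do not literally appear in the nf_conntrack_tcp_timeout_ keys a reader is told to grep for, so a one-line mapping would avoid confusion.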