* Conntrack timeout
@ 2006-11-09 14:09 mael.boutin
From: mael.boutin @ 2006-11-09 14:09 UTC (permalink / raw)
  To: netfilter-devel

Hi,

I wanted to know if it is possible to change the default
timeouts for conntrack entries, and if a modification of these
timeouts will not have border effects on other system features.

I noticed for example that the UDP timeout is set to 30
seconds if the connection is not assured and 180 in the other
case.

The problem I am facing is that I want to detect the end of a
connection as soon as possible, and a delay of 1 or 2 minutes
is clearly not acceptable.

I found some conf files in /proc/sys/net/netfilter; however,
not all the timeouts are represented.

Thanks for your help,

Maël.


* Re: Conntrack timeout
@ 2006-11-09 14:51 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2006-11-09 14:51 UTC (permalink / raw)
  To: mael.boutin; +Cc: netfilter-devel, netfilter

Hi,

I've cc'ed this email to the netfilter users mailing list since I think
that this question is not so related to the development.

mael.boutin wrote:
> I wanted to know if it is possible to change the default
> timeouts for conntrack entries, and if a modification of these
> timeouts will not have border effects on other system features.

You can change them via:
- /proc/sys/net/ipv4/netfilter/ip_conntrack_[tcp|udp]_*
- conntrack tool/libnetfilter_conntrack library

What do you mean by border effects? Of course the behaviour will
change: think about TCP connections halted for whatever reason; if the
timeout is higher, then they will get stuck longer in the conntrack table.

> I noticed for example that the UDP timeout is set to 30
> seconds if the connection is not assured and 180 in the other
> case.
> 
> The problem I am facing is that I want to detect the end of a
> connection as soon as possible, and a delay of 1 or 2 minutes
> is clearly not acceptable.
>
> I found some conf files in /proc/sys/net/netfilter; however,
> not all the timeouts are represented.

Which timers are you referring to?

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of 
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

* Re: Conntrack timeout
@ 2006-11-10  0:37 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2006-11-10  0:37 UTC (permalink / raw)
  To: mael.boutin@laposte.net; +Cc: Netfilter Development Mailinglist, netfilter

mael.boutin@laposte.net wrote:
>> You can change them via:
>> - /proc/sys/net/ipv4/netfilter/ip_conntrack_[tcp|udp]_*
>> - conntrack tool/libnetfilter_conntrack library
> 
> In fact I'm tracking IPv6 connections. Therefore the first one
> is not available (I'm using nf_conntrack).

Check /proc/sys/net/netfilter/nf_conntrack_*

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
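As an added illustration of the advice in this thread (example script, not something posted by either participant): the nf_conntrack knobs under /proc/sys/net/netfilter are also exposed as `net.netfilter.nf_conntrack_*` sysctl keys, so a timeout change can be audited before it is applied. The script below lists the per-protocol timeout knobs, compares them with a desired policy, and emits the `sysctl -w` commands that would bring the box into line, refusing zero or non-numeric values. The sysctl output and the desired values are constructed samples so the script runs offline; on a real host, replace SAMPLE_SYSCTL with the output of `sysctl net.netfilter`. The knob names in the sample are the ones the reply points at; values and the desired policy are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit nf_conntrack timeout sysctls.
# Assumes the /proc/sys/net/netfilter/nf_conntrack_* knobs named in the reply,
# read through their sysctl key names. Sample data below is constructed.

# Constructed stand-in for `sysctl net.netfilter` output (not a real capture).
SAMPLE_SYSCTL='net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_max = 65536'

# Constructed policy: shorter UDP timers so an idle flow leaves the table sooner.
DESIRED='net.netfilter.nf_conntrack_udp_timeout=10
net.netfilter.nf_conntrack_udp_timeout_stream=30'

# list_timeouts INPUT: print only the timeout knobs as "key value", one per line.
list_timeouts() {
    printf '%s\n' "$1" | sed -n \
        's/^\(net\.netfilter\.nf_conntrack_[a-z0-9_]*timeout[a-z0-9_]*\) = \([0-9]*\)$/\1 \2/p'
}

# current_value KEY INPUT: print the current value of KEY from INPUT (empty if absent).
current_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $3 }'
}

# plan_changes DESIRED INPUT: print one "sysctl -w key=value" per knob that differs.
# Values must be positive integers (a zero timeout would expire every entry at once),
# and knobs the kernel does not expose are skipped with a note on stderr.
plan_changes() {
    printf '%s\n' "$1" | while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        case "$want" in
            ''|*[!0-9]*|0) echo "skip $key: invalid value '$want'" >&2; continue ;;
        esac
        have=$(current_value "$key" "$2")
        if [ -z "$have" ]; then
            echo "skip $key: not present on this kernel" >&2
        elif [ "$have" != "$want" ]; then
            echo "sysctl -w $key=$want"
        fi
    done
}

# Stand-alone run: show the timeout knobs, then the planned changes (dry run only).
list_timeouts "$SAMPLE_SYSCTL"
plan_changes "$DESIRED" "$SAMPLE_SYSCTL"
```

The script only prints the commands; applying them (or persisting them in sysctl.conf) is a separate, deliberate step, which keeps a typo in the policy file from silently rewriting live timers.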