Linux Netfilter discussions
* tcp & udp timeout hardcoding
@ 2003-11-17 14:42 xavier
  2003-11-17 16:30 ` Antony Stone
  2003-11-17 16:30 ` Eric Leblond
  0 siblings, 2 replies; 5+ messages in thread
From: xavier @ 2003-11-17 14:42 UTC (permalink / raw)
  To: netfilter



Hello,

I saw in the 2.4.22 kernel source : 

/usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
static unsigned long tcp_timeouts[]
= { 30 MINS,    /*      TCP_CONNTRACK_NONE,     */
    5 DAYS,     /*      TCP_CONNTRACK_ESTABLISHED,      */
    2 MINS,     /*      TCP_CONNTRACK_SYN_SENT, */
    60 SECS,    /*      TCP_CONNTRACK_SYN_RECV, */
    2 MINS,     /*      TCP_CONNTRACK_FIN_WAIT, */
    2 MINS,     /*      TCP_CONNTRACK_TIME_WAIT,        */
    10 SECS,    /*      TCP_CONNTRACK_CLOSE,    */
    60 SECS,    /*      TCP_CONNTRACK_CLOSE_WAIT,       */
    30 SECS,    /*      TCP_CONNTRACK_LAST_ACK, */
    2 MINS,     /*      TCP_CONNTRACK_LISTEN,   */
};


ip_conntrack_proto_udp.c
#define UDP_TIMEOUT (30*HZ)
#define UDP_STREAM_TIMEOUT (180*HZ)


Is there any plan to be able to set those values through /proc?

In some cases a 5-day timeout on TCP connections may be too long...

Thanks



-- 
xavier



* Re: tcp & udp timeout hardcoding
  2003-11-17 14:42 tcp & udp timeout hardcoding xavier
@ 2003-11-17 16:30 ` Antony Stone
  2003-11-17 18:09   ` Ramin Dousti
  2003-11-17 16:30 ` Eric Leblond
  1 sibling, 1 reply; 5+ messages in thread
From: Antony Stone @ 2003-11-17 16:30 UTC (permalink / raw)
  To: netfilter

On Monday 17 November 2003 2:42 pm, xavier wrote:

> Hello,
>
> I saw in the 2.4.22 kernel source :
>
> /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
> static unsigned long tcp_timeouts[]
> = { 30 MINS,    /*      TCP_CONNTRACK_NONE,     */
>     5 DAYS,     /*      TCP_CONNTRACK_ESTABLISHED,      */
>     2 MINS,     /*      TCP_CONNTRACK_SYN_SENT, */
>     60 SECS,    /*      TCP_CONNTRACK_SYN_RECV, */
>     2 MINS,     /*      TCP_CONNTRACK_FIN_WAIT, */
>     2 MINS,     /*      TCP_CONNTRACK_TIME_WAIT,        */
>     10 SECS,    /*      TCP_CONNTRACK_CLOSE,    */
>     60 SECS,    /*      TCP_CONNTRACK_CLOSE_WAIT,       */
>     30 SECS,    /*      TCP_CONNTRACK_LAST_ACK, */
>     2 MINS,     /*      TCP_CONNTRACK_LISTEN,   */
> };
>
> Is there any plan to be able to set those values through /proc?
>
> In some cases a 5-day timeout on TCP connections may be too long...

These are the standard values according to the TCP RFCs.   You can change 
them on your machine if you like, but it involves a kernel recompile (or a 
netfilter module recompile, if you use modules).

Note that you can adjust these sorts of timings for the normal Linux TCP/IP 
stack by writing to various things in /proc/sys/net/ipv4, but this doesn't 
affect the netfilter connection tracking table timeouts.

See /usr/src/linux/Documentation/networking/ip-sysctl.txt for more details.

Bear in mind that fiddling with this sort of stuff can break your network 
connectivity and/or compatibility.

Regards,

Antony.

-- 

The first ninety percent of an engineering project takes ninety percent
of the time, and the last ten percent takes the remaining ninety percent.

                                                     Please reply to the list;
                                                           please don't CC me.



* Re: tcp & udp timeout hardcoding
  2003-11-17 14:42 tcp & udp timeout hardcoding xavier
  2003-11-17 16:30 ` Antony Stone
@ 2003-11-17 16:30 ` Eric Leblond
  1 sibling, 0 replies; 5+ messages in thread
From: Eric Leblond @ 2003-11-17 16:30 UTC (permalink / raw)
  To: xavier; +Cc: netfilter


On Mon 17/11/2003 at 15:42, xavier wrote:
> Hello,
> 
> I saw in the 2.4.22 kernel source : 
> 
> /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c

> Is there any plan to be able to set those values through /proc?

It is already available in P-O-M :
http://www.netfilter.org/documentation/pomlist/pom-combined.html#tcp-window-tracking

BR,
-- 
Eric Leblond
NuFW, Now User Filtering Works (http://www.nufw.org)
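
As an added example (not part of any post in this thread, and not netfilter project code): once the conntrack timeouts are exposed as tunables, a short shell function can audit them against a site limit. It assumes the values are plain seconds in files named like nf_conntrack_tcp_timeout_established under /proc/sys/net/netfilter (ip_conntrack_* under /proc/sys/net/ipv4/netfilter on older kernels); the function names, the one-day limit and the scratch directory are constructed for illustration.

```sh
# audit_conntrack_timeouts DIR MAX_SECONDS
# Prints "<name> <seconds> <OK|LONG>" for each timeout file in DIR.
# Exit status: 0 all within limit, 1 some timeout too long, 2 none found.
audit_conntrack_timeouts() {
    dir=$1 max=$2 found=0 long=0
    for f in "$dir"/*conntrack_*timeout*; do
        [ -r "$f" ] || continue                      # also skips an unmatched glob
        val=$(cat "$f")
        case $val in ''|*[!0-9]*) continue ;; esac   # ignore non-numeric content
        found=1
        if [ "$val" -gt "$max" ]; then
            verdict=LONG long=1
        else
            verdict=OK
        fi
        printf '%s %s %s\n' "${f##*/}" "$val" "$verdict"
    done
    [ "$found" -eq 1 ] || return 2
    return "$long"
}

# Constructed sample: a scratch directory holding timeouts quoted in the
# thread, converted to seconds (5 DAYS = 432000), under assumed file names.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    while read -r name secs; do
        echo "$secs" > "$d/nf_conntrack_$name"
    done <<'EOF'
tcp_timeout_established 432000
tcp_timeout_syn_sent 120
tcp_timeout_syn_recv 60
tcp_timeout_close 10
udp_timeout 30
udp_timeout_stream 180
EOF
    echo "$d"
}

sample=$(make_sample_dir)
audit_conntrack_timeouts "$sample" 86400 || echo "status $? (1 = over the limit)"
rm -rf "$sample"
# On a live system: audit_conntrack_timeouts /proc/sys/net/netfilter 86400
```
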


* Re: tcp & udp timeout hardcoding
  2003-11-17 18:09   ` Ramin Dousti
@ 2003-11-17 17:27     ` Antony Stone
  0 siblings, 0 replies; 5+ messages in thread
From: Antony Stone @ 2003-11-17 17:27 UTC (permalink / raw)
  To: netfilter

On Monday 17 November 2003 6:09 pm, Ramin Dousti wrote:

> On Mon, Nov 17, 2003 at 04:30:05PM +0000, Antony Stone wrote:
> > On Monday 17 November 2003 2:42 pm, xavier wrote:
> > > Hello,
> > >
> > > I saw in the 2.4.22 kernel source :
> > >
> > > /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
> > > static unsigned long tcp_timeouts[]
> > > = { 30 MINS,    /*      TCP_CONNTRACK_NONE,     */
> > >     5 DAYS,     /*      TCP_CONNTRACK_ESTABLISHED,      */
> > >     2 MINS,     /*      TCP_CONNTRACK_SYN_SENT, */
> > >     60 SECS,    /*      TCP_CONNTRACK_SYN_RECV, */
> > >     2 MINS,     /*      TCP_CONNTRACK_FIN_WAIT, */
> > >     2 MINS,     /*      TCP_CONNTRACK_TIME_WAIT,        */
> > >     10 SECS,    /*      TCP_CONNTRACK_CLOSE,    */
> > >     60 SECS,    /*      TCP_CONNTRACK_CLOSE_WAIT,       */
> > >     30 SECS,    /*      TCP_CONNTRACK_LAST_ACK, */
> > >     2 MINS,     /*      TCP_CONNTRACK_LISTEN,   */
> > > };
> > >
> > > Is there any plan to be able to set those values through /proc?
> > >
> > > In some cases a 5-day timeout on TCP connections may be too long...
> >
> > These are the standard values according to the TCP RFCs.
>
> Which RFC talks about TCP_CONNTRACK_ESTABLISHED, again? I don't think
> it's written yet ;-)

Agreed :)   The above table is obviously an extended version of the timeouts 
used in a normal TCP/IP stack, with the addition of things only needed for a 
connection tracking system.

The timeouts are based, I believe, on RFC 793 (esp. the wonderful diagram on 
page 23).

Antony.

-- 

Wanted: telepath.   You know where to apply.

                                                     Please reply to the list;
                                                           please don't CC me.



* Re: tcp & udp timeout hardcoding
  2003-11-17 16:30 ` Antony Stone
@ 2003-11-17 18:09   ` Ramin Dousti
  2003-11-17 17:27     ` Antony Stone
  0 siblings, 1 reply; 5+ messages in thread
From: Ramin Dousti @ 2003-11-17 18:09 UTC (permalink / raw)
  To: Antony Stone; +Cc: netfilter

On Mon, Nov 17, 2003 at 04:30:05PM +0000, Antony Stone wrote:

> On Monday 17 November 2003 2:42 pm, xavier wrote:
> 
> > Hello,
> >
> > I saw in the 2.4.22 kernel source :
> >
> > /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
> > static unsigned long tcp_timeouts[]
> > = { 30 MINS,    /*      TCP_CONNTRACK_NONE,     */
> >     5 DAYS,     /*      TCP_CONNTRACK_ESTABLISHED,      */
> >     2 MINS,     /*      TCP_CONNTRACK_SYN_SENT, */
> >     60 SECS,    /*      TCP_CONNTRACK_SYN_RECV, */
> >     2 MINS,     /*      TCP_CONNTRACK_FIN_WAIT, */
> >     2 MINS,     /*      TCP_CONNTRACK_TIME_WAIT,        */
> >     10 SECS,    /*      TCP_CONNTRACK_CLOSE,    */
> >     60 SECS,    /*      TCP_CONNTRACK_CLOSE_WAIT,       */
> >     30 SECS,    /*      TCP_CONNTRACK_LAST_ACK, */
> >     2 MINS,     /*      TCP_CONNTRACK_LISTEN,   */
> > };
> >
> > Is there any plan to be able to set those values through /proc?
> >
> > In some cases a 5-day timeout on TCP connections may be too long...
> 
> These are the standard values according to the TCP RFCs.

Which RFC talks about TCP_CONNTRACK_ESTABLISHED, again? I don't think
it's written yet ;-)

Ramin

