Linux Netfilter discussions
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter@vger.kernel.org
Subject: Re: nf_conntrack_max
Date: Thu, 1 Sep 2016 12:59:11 +0200	[thread overview]
Message-ID: <20160901105911.GA2779@salvia> (raw)
In-Reply-To: <20160831224731.GP28999@harrier.slackbuilds.org>

Hi,

On Wed, Aug 31, 2016 at 05:47:32PM -0500, /dev/rob0 wrote:
[...]
> One more thing I can add: I believe it is possible to set different 
> conntrack timeouts based on protocol/port. 

Right, this is possible.

> I don't know exactly how to do that, but it would make sense for
> udp/53 to shorten that to something like 15 seconds; just a bit
> beyond the nameservers' and resolver clients' timeout values.

Setting custom timeout policies per address/protocol/port (any
selector basically) is possible through -j CT --timeout name from the
raw table.

You have to create the timeout policy in the first place through 'nfct'
that comes in the conntrack-tools package. I think there are examples
for this already, otherwise let me know and we can place it on the
manpage.

Now that nft has come, the plan is to unify all these command line
tools such as conntrack and nfct into nft, so we end up using one
single tool to interface with the netfilter subsystem in the future.

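The two steps Pablo describes (create a named timeout policy with nfct, then attach it to udp/53 flows with -j CT --timeout from the raw table), written out as an added example that is not part of this thread. It assumes the policy name dns-udp, the 15 s value from /dev/rob0's suggestion, the `nfct timeout add` syntax of nfct(8) from conntrack-tools, and iptables rather than nft.

```shell
#!/bin/sh
# Short conntrack timeout for udp/53 via a named timeout policy (nfct) attached
# with -j CT --timeout from the raw table. Names and values below are assumptions
# of this example (policy "dns-udp", 15 s), not settings from the thread.
set -eu

POLICY="${POLICY:-dns-udp}"
TIMEOUT="${TIMEOUT:-15}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of executing it

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The raw table is traversed before conntrack creates an entry, so the CT
# target must live there. PREROUTING covers queries arriving from the network,
# OUTPUT covers queries sent by this host's own resolver.
dns_timeout_rules() {
    # nfnetlink_cttimeout implements the named policy objects that nfct and xt_CT use
    run modprobe nfnetlink_cttimeout
    # UDP has only two conntrack states, unreplied and replied; both get the short value
    run nfct timeout add "$POLICY" inet udp unreplied "$TIMEOUT" replied "$TIMEOUT"
    for chain in PREROUTING OUTPUT; do
        # -C probes for an identical rule so reruns stay idempotent (skipped in dry-run)
        if [ "$DRY_RUN" = "1" ] || \
           ! iptables -t raw -C "$chain" -p udp --dport 53 -j CT --timeout "$POLICY" 2>/dev/null; then
            run iptables -t raw -A "$chain" -p udp --dport 53 -j CT --timeout "$POLICY"
        fi
    done
}

# Verification: the first numeric column of each udp/53 entry is the remaining
# timeout; with the policy in place it counts down from 15 instead of the
# 30 s default of net.netfilter.nf_conntrack_udp_timeout.
show_dns_entries() {
    run conntrack -L -p udp --dport 53
}

case "${1:-}" in
    apply)   dns_timeout_rules ;;
    dry-run) DRY_RUN=1; dns_timeout_rules ;;
    show)    show_dns_entries ;;
esac
```

Run it as `sh script.sh dry-run` to review the commands, `apply` as root to install them, and `show` to confirm that udp/53 entries now expire early.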