sphinx.addnodesdocument)}( rawsourcechildren]( translations LanguagesNode)}(hhh](h pending_xref)}(hhh]docutils.nodesTextChinese (Simplified)}parenthsba attributes}(ids]classes]names]dupnames]backrefs] refdomainstdreftypedoc reftarget2/translations/zh_CN/networking/nf_conntrack-sysctlmodnameN classnameN refexplicitutagnamehhh ubh)}(hhh]hChinese (Traditional)}hh2sbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget2/translations/zh_TW/networking/nf_conntrack-sysctlmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hItalian}hhFsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget2/translations/it_IT/networking/nf_conntrack-sysctlmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hJapanese}hhZsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget2/translations/ja_JP/networking/nf_conntrack-sysctlmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hKorean}hhnsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget2/translations/ko_KR/networking/nf_conntrack-sysctlmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hSpanish}hhsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget2/translations/sp_SP/networking/nf_conntrack-sysctlmodnameN classnameN refexplicituh1hhh ubeh}(h]h ]h"]h$]h&]current_languageEnglishuh1h hh _documenthsourceNlineNubhcomment)}(h SPDX-License-Identifier: GPL-2.0h]h SPDX-License-Identifier: GPL-2.0}hhsbah}(h]h ]h"]h$]h&] xml:spacepreserveuh1hhhhhhL/var/lib/git/docbuild/linux/Documentation/networking/nf_conntrack-sysctl.rsthKubhsection)}(hhh](htitle)}(h#Netfilter Conntrack Sysfs variablesh]h#Netfilter Conntrack Sysfs variables}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhhhhhKubh)}(hhh](h)}(h1/proc/sys/net/netfilter/nf_conntrack_* Variables:h]h1/proc/sys/net/netfilter/nf_conntrack_* Variables:}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhhhhhKubhdefinition_list)}(hhh](hdefinition_list_item)}(hnf_conntrack_acct - BOOLEAN - 0 - disabled (default) - not 0 - enabled Enable connection tracking flow accounting. 64-bit byte and packet counters per flow are added. h](hterm)}(hnf_conntrack_acct - BOOLEANh]hnf_conntrack_acct - BOOLEAN}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhhubh definition)}(hhh](h bullet_list)}(hhh](h list_item)}(h0 - disabled (default)h]h paragraph)}(hjh]h0 - disabled (default)}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK hjubah}(h]h ]h"]h$]h&]uh1hhhubj)}(hnot 0 - enabled h]j)}(hnot 0 - enabledh]hnot 0 - enabled}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK hjubah}(h]h ]h"]h$]h&]uh1hhhubeh}(h]h ]h"]h$]h&]bullet-uh1hhhhK hhubj)}(h_Enable connection tracking flow accounting. 64-bit byte and packet counters per flow are added.h]h_Enable connection tracking flow accounting. 64-bit byte and packet counters per flow are added.}(hj:hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhhubeh}(h]h ]h"]h$]h&]uh1hhhubeh}(h]h ]h"]h$]h&]uh1hhhhKhhubh)}(hX\nf_conntrack_buckets - INTEGER Size of hash table. If not specified as parameter during module loading, the default size is calculated by dividing total memory by 16384 to determine the number of buckets. The hash table will never have fewer than 1024 and never more than 262144 buckets. This sysctl is only writeable in the initial net namespace. h](h)}(hnf_conntrack_buckets - INTEGERh]hnf_conntrack_buckets - INTEGER}(hjXhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjTubh)}(hhh]j)}(hX<Size of hash table. If not specified as parameter during module loading, the default size is calculated by dividing total memory by 16384 to determine the number of buckets. The hash table will never have fewer than 1024 and never more than 262144 buckets. This sysctl is only writeable in the initial net namespace.h]hX<Size of hash table. If not specified as parameter during module loading, the default size is calculated by dividing total memory by 16384 to determine the number of buckets. The hash table will never have fewer than 1024 and never more than 262144 buckets. This sysctl is only writeable in the initial net namespace.}(hjihhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjfubah}(h]h ]h"]h$]h&]uh1hhjTubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hnf_conntrack_checksum - BOOLEAN - 0 - disabled - not 0 - enabled (default) Verify checksum of incoming packets. Packets with bad checksums are in INVALID state. If this is enabled, such packets will not be considered for connection tracking. h](h)}(hnf_conntrack_checksum - BOOLEANh]hnf_conntrack_checksum - BOOLEAN}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hhh](h)}(hhh](j)}(h 0 - disabledh]j)}(hjh]h 0 - disabled}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjubah}(h]h ]h"]h$]h&]uh1hhjubj)}(hnot 0 - enabled (default) h]j)}(hnot 0 - enabled (default)h]hnot 0 - enabled (default)}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjubah}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]j8j9uh1hhhhKhjubj)}(hVerify checksum of incoming packets. Packets with bad checksums are in INVALID state. If this is enabled, such packets will not be considered for connection tracking.h]hVerify checksum of incoming packets. Packets with bad checksums are in INVALID state. If this is enabled, such packets will not be considered for connection tracking.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjubeh}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hUnf_conntrack_count - INTEGER (read-only) Number of currently allocated flow entries. h](h)}(h(nf_conntrack_count - INTEGER (read-only)h]h(nf_conntrack_count - INTEGER (read-only)}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK!hjubh)}(hhh]j)}(h+Number of currently allocated flow entries.h]h+Number of currently allocated flow entries.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK!hjubah}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]uh1hhhhK!hhhhubh)}(hX,nf_conntrack_events - BOOLEAN - 0 - disabled - 1 - enabled - 2 - auto (default) If this option is enabled, the connection tracking code will provide userspace with connection tracking events via ctnetlink. The default allocates the extension if a userspace program is listening to ctnetlink events. h](h)}(hnf_conntrack_events - BOOLEANh]hnf_conntrack_events - BOOLEAN}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK+hjubh)}(hhh](h)}(hhh](j)}(h 0 - disabledh]j)}(hj3h]h 0 - disabled}(hj5hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK$hj1ubah}(h]h ]h"]h$]h&]uh1hhj.ubj)}(h 1 - enabledh]j)}(hjJh]h 1 - enabled}(hjLhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK%hjHubah}(h]h ]h"]h$]h&]uh1hhj.ubj)}(h2 - auto (default) h]j)}(h2 - auto (default)h]h2 - auto (default)}(hjchhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK&hj_ubah}(h]h ]h"]h$]h&]uh1hhj.ubeh}(h]h ]h"]h$]h&]j8j9uh1hhhhK$hj+ubj)}(hIf this option is enabled, the connection tracking code will provide userspace with connection tracking events via ctnetlink. The default allocates the extension if a userspace program is listening to ctnetlink events.h]hIf this option is enabled, the connection tracking code will provide userspace with connection tracking events via ctnetlink. The default allocates the extension if a userspace program is listening to ctnetlink events.}(hj}hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK(hj+ubeh}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]uh1hhhhK+hhhhubh)}(hnf_conntrack_expect_max - INTEGER Maximum size of expectation table. Default value is nf_conntrack_buckets / 256. Minimum is 1. h](h)}(h!nf_conntrack_expect_max - INTEGERh]h!nf_conntrack_expect_max - INTEGER}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK/hjubh)}(hhh]j)}(h^Maximum size of expectation table. Default value is nf_conntrack_buckets / 256. Minimum is 1.h]h^Maximum size of expectation table. Default value is nf_conntrack_buckets / 256. Minimum is 1.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK.hjubah}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]uh1hhhhK/hhhhubh)}(hXnf_conntrack_frag6_high_thresh - INTEGER default 262144 Maximum memory used to reassemble IPv6 fragments. When nf_conntrack_frag6_high_thresh bytes of memory is allocated for this purpose, the fragment handler will toss packets until nf_conntrack_frag6_low_thresh is reached. h](h)}(h(nf_conntrack_frag6_high_thresh - INTEGERh]h(nf_conntrack_frag6_high_thresh - INTEGER}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhK7hjubh)}(hhh](j)}(hdefault 262144h]hdefault 262144}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK2hjubj)}(hMaximum memory used to reassemble IPv6 fragments. When nf_conntrack_frag6_high_thresh bytes of memory is allocated for this purpose, the fragment handler will toss packets until nf_conntrack_frag6_low_thresh is reached.h]hMaximum memory used to reassemble IPv6 fragments. When nf_conntrack_frag6_high_thresh bytes of memory is allocated for this purpose, the fragment handler will toss packets until nf_conntrack_frag6_low_thresh is reached.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK4hjubeh}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]uh1hhhhK7hhhhubh)}(hZnf_conntrack_frag6_low_thresh - INTEGER default 196608 See nf_conntrack_frag6_low_thresh h](h)}(h'nf_conntrack_frag6_low_thresh - INTEGERh]h'nf_conntrack_frag6_low_thresh - INTEGER}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKuhj:ubah}(h]h ]h"]h$]h&]uh1hhj7ubj)}(hnot 0 - enabled (default) h]j)}(hnot 0 - enabled (default)h]hnot 0 - enabled (default)}(hjUhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKvhjQubah}(h]h ]h"]h$]h&]uh1hhj7ubeh}(h]h ]h"]h$]h&]j8j9uh1hhhhKuhj4ubj)}(hLIf it is set to zero, we disable picking up already established connections.h]hLIf it is set to zero, we disable picking up already established connections.}(hjohhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKxhj4ubeh}(h]h ]h"]h$]h&]uh1hhj"ubeh}(h]h ]h"]h$]h&]uh1hhhhKyhhhhubh)}(hnf_conntrack_tcp_max_retrans - INTEGER default 3 Maximum number of packets that can be retransmitted without received an (acceptable) ACK from the destination. If this number is reached, a shorter timer will be started. h](h)}(h&nf_conntrack_tcp_max_retrans - INTEGERh]h&nf_conntrack_tcp_max_retrans - INTEGER}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hhh](j)}(h default 3h]h default 3}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK|hjubj)}(hMaximum number of packets that can be retransmitted without received an (acceptable) ACK from the destination. If this number is reached, a shorter timer will be started.h]hMaximum number of packets that can be retransmitted without received an (acceptable) ACK from the destination. If this number is reached, a shorter timer will be started.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK~hjubeh}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(h>nf_conntrack_tcp_timeout_close - INTEGER (seconds) default 10 h](h)}(h2nf_conntrack_tcp_timeout_close - INTEGER (seconds)h]h2nf_conntrack_tcp_timeout_close - INTEGER (seconds)}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hhh]j)}(h default 10h]h default 10}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjubah}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hCnf_conntrack_tcp_timeout_close_wait - INTEGER (seconds) default 60 h](h)}(h7nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)h]h7nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hhh]j)}(h default 60h]h default 60}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjubah}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hQnf_conntrack_tcp_timeout_established - INTEGER (seconds) default 432000 (5 days) h](h)}(h8nf_conntrack_tcp_timeout_established - INTEGER (seconds)h]h8nf_conntrack_tcp_timeout_established - INTEGER (seconds)}(hj(hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhj$ubh)}(hhh]j)}(hdefault 432000 (5 days)h]hdefault 432000 (5 days)}(hj9hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhj6ubah}(h]h ]h"]h$]h&]uh1hhj$ubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hBnf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds) default 120 h](h)}(h5nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)h]h5nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)}(hjWhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjSubh)}(hhh]j)}(h default 120h]h default 120}(hjhhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjeubah}(h]h ]h"]h$]h&]uh1hhjSubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hAnf_conntrack_tcp_timeout_last_ack - INTEGER (seconds) default 30 h](h)}(h5nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)h]h5nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hhh]j)}(h default 30h]h default 30}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjubah}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hEnf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds) default 300 h](h)}(h8nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)h]h8nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hhh]j)}(h default 300h]h default 300}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjubah}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hAnf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds) default 60 h](h)}(h5nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)h]h5nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hhh]j)}(h default 60h]h default 60}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjubah}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hBnf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds) default 120 h](h)}(h5nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)h]h5nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hhh]j)}(h default 120h]h default 120}(hj$hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhj!ubah}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hCnf_conntrack_tcp_timeout_time_wait - INTEGER (seconds) default 120 h](h)}(h6nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)h]h6nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)}(hjBhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhj>ubh)}(hhh]j)}(h default 120h]h default 120}(hjShhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjPubah}(h]h ]h"]h$]h&]uh1hhj>ubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hHnf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds) default 300 h](h)}(h;nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)h]h;nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)}(hjqhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjmubh)}(hhh]j)}(h default 300h]h default 300}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjubah}(h]h ]h"]h$]h&]uh1hhjmubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(h{nf_conntrack_timestamp - BOOLEAN - 0 - disabled (default) - not 0 - enabled Enable connection tracking flow timestamping. h](h)}(h nf_conntrack_timestamp - BOOLEANh]h nf_conntrack_timestamp - BOOLEAN}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhjubh)}(hhh](h)}(hhh](j)}(h0 - disabled (default)h]j)}(hjh]h0 - disabled (default)}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjubah}(h]h ]h"]h$]h&]uh1hhjubj)}(hnot 0 - enabled h]j)}(hnot 0 - enabledh]hnot 0 - enabled}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjubah}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]j8j9uh1hhhhKhjubj)}(h-Enable connection tracking flow timestamping.h]h-Enable connection tracking flow timestamping.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjubeh}(h]h ]h"]h$]h&]uh1hhjubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(h@nf_conntrack_sctp_timeout_closed - INTEGER (seconds) default 10 h](h)}(h4nf_conntrack_sctp_timeout_closed - INTEGER (seconds)h]h4nf_conntrack_sctp_timeout_closed - INTEGER (seconds)}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhj ubh)}(hhh]j)}(h default 10h]h default 10}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhj ubah}(h]h ]h"]h$]h&]uh1hhj ubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hDnf_conntrack_sctp_timeout_cookie_wait - INTEGER (seconds) default 3 h](h)}(h9nf_conntrack_sctp_timeout_cookie_wait - INTEGER (seconds)h]h9nf_conntrack_sctp_timeout_cookie_wait - INTEGER (seconds)}(hj6 hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhj2 ubh)}(hhh]j)}(h default 3h]h default 3}(hjG hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjD ubah}(h]h ]h"]h$]h&]uh1hhj2 ubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hFnf_conntrack_sctp_timeout_cookie_echoed - INTEGER (seconds) default 3 h](h)}(h;nf_conntrack_sctp_timeout_cookie_echoed - INTEGER (seconds)h]h;nf_conntrack_sctp_timeout_cookie_echoed - INTEGER (seconds)}(hje hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhja ubh)}(hhh]j)}(h default 3h]h default 3}(hjv hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjs ubah}(h]h ]h"]h$]h&]uh1hhja ubeh}(h]h ]h"]h$]h&]uh1hhhhKhhhhubh)}(hnf_conntrack_sctp_timeout_established - INTEGER (seconds) default 210 Default is set to (hb_interval * path_max_retrans + rto_max) h](h)}(h9nf_conntrack_sctp_timeout_established - INTEGER (seconds)h]h9nf_conntrack_sctp_timeout_established - INTEGER (seconds)}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhKhj ubh)}(hhh](j)}(h default 210h]h default 210}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhj ubj)}(h