cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack

nf_conntrack-sysctl.rst (6214B)


      1.. SPDX-License-Identifier: GPL-2.0
      2
      3===================================
      4Netfilter Conntrack Sysfs variables
      5===================================
      6
      7/proc/sys/net/netfilter/nf_conntrack_* Variables:
      8=================================================
      9
     10nf_conntrack_acct - BOOLEAN
     11	- 0 - disabled (default)
     12	- not 0 - enabled
     13
     14	Enable connection tracking flow accounting. 64-bit byte and packet
     15	counters per flow are added.
     16
     17nf_conntrack_buckets - INTEGER
     18	Size of hash table. If not specified as parameter during module
     19	loading, the default size is calculated by dividing total memory
     20	by 16384 to determine the number of buckets. The hash table will
     21	never have fewer than 1024 and never more than 262144 buckets.
     22	This sysctl is only writeable in the initial net namespace.
     23
     24nf_conntrack_checksum - BOOLEAN
     25	- 0 - disabled
     26	- not 0 - enabled (default)
     27
     28	Verify checksum of incoming packets. Packets with bad checksums are
     29	in INVALID state. If this is enabled, such packets will not be
     30	considered for connection tracking.
     31
     32nf_conntrack_count - INTEGER (read-only)
     33	Number of currently allocated flow entries.
     34
     35nf_conntrack_events - BOOLEAN
     36	- 0 - disabled
     37	- 1 - enabled
     38	- 2 - auto (default)
     39
     40	If this option is enabled, the connection tracking code will
     41	provide userspace with connection tracking events via ctnetlink.
     42	The default allocates the extension if a userspace program is
     43	listening to ctnetlink events.
     44
     45nf_conntrack_expect_max - INTEGER
     46	Maximum size of expectation table.  Default value is
     47	nf_conntrack_buckets / 256. Minimum is 1.
     48
     49nf_conntrack_frag6_high_thresh - INTEGER
     50	default 262144
     51
     52	Maximum memory used to reassemble IPv6 fragments.  When
     53	nf_conntrack_frag6_high_thresh bytes of memory are allocated for this
     54	purpose, the fragment handler will drop packets until
     55	nf_conntrack_frag6_low_thresh is reached.
     56
     57nf_conntrack_frag6_low_thresh - INTEGER
     58	default 196608
     59
     60	See nf_conntrack_frag6_high_thresh
     61
     62nf_conntrack_frag6_timeout - INTEGER (seconds)
     63	default 60
     64
     65	Time to keep an IPv6 fragment in memory.
     66
     67nf_conntrack_generic_timeout - INTEGER (seconds)
     68	default 600
     69
     70	Default for generic timeout.  This refers to layer 4 unknown/unsupported
     71	protocols.
     72
     73nf_conntrack_helper - BOOLEAN
     74	- 0 - disabled (default)
     75	- not 0 - enabled
     76
     77	Enable automatic conntrack helper assignment.
     78	If disabled, iptables rules must be set up to assign helpers to
     79	connections.  See the CT target description in the
     80	iptables-extensions(8) man page for further information.
     81
     82nf_conntrack_icmp_timeout - INTEGER (seconds)
     83	default 30
     84
     85	Default for ICMP timeout.
     86
     87nf_conntrack_icmpv6_timeout - INTEGER (seconds)
     88	default 30
     89
     90	Default for ICMP6 timeout.
     91
     92nf_conntrack_log_invalid - INTEGER
     93	- 0   - disabled (default)
     94	- 1   - log ICMP packets
     95	- 6   - log TCP packets
     96	- 17  - log UDP packets
     97	- 33  - log DCCP packets
     98	- 41  - log ICMPv6 packets
     99	- 136 - log UDPLITE packets
    100	- 255 - log packets of any protocol
    101
    102	Log invalid packets of a type specified by value.
    103
    104nf_conntrack_max - INTEGER
    105        Maximum number of allowed connection tracking entries. This value is set
    106        to nf_conntrack_buckets by default.
    107        Note that connection tracking entries are added to the table twice -- once
    108        for the original direction and once for the reply direction (i.e., with
    109        the reversed address). This means that with default settings a maxed-out
    110        table will have an average hash chain length of 2, not 1.
    111
    112nf_conntrack_tcp_be_liberal - BOOLEAN
    113	- 0 - disabled (default)
    114	- not 0 - enabled
    115
    116	Be conservative in what you do, be liberal in what you accept from others.
    117	If it's non-zero, we mark only out of window RST segments as INVALID.
    118
    119nf_conntrack_tcp_ignore_invalid_rst - BOOLEAN
    120	- 0 - disabled (default)
    121	- 1 - enabled
    122
    123	If it's 1, we don't mark out of window RST segments as INVALID.
    124
    125nf_conntrack_tcp_loose - BOOLEAN
    126	- 0 - disabled
    127	- not 0 - enabled (default)
    128
    129	If it is set to zero, we disable picking up already established
    130	connections.
    131
    132nf_conntrack_tcp_max_retrans - INTEGER
    133	default 3
    134
    135	Maximum number of packets that can be retransmitted without
    136	receiving an (acceptable) ACK from the destination. If this number
    137	is reached, a shorter timer will be started.
    138
    139nf_conntrack_tcp_timeout_close - INTEGER (seconds)
    140	default 10
    141
    142nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
    143	default 60
    144
    145nf_conntrack_tcp_timeout_established - INTEGER (seconds)
    146	default 432000 (5 days)
    147
    148nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
    149	default 120
    150
    151nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
    152	default 30
    153
    154nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
    155	default 300
    156
    157nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
    158	default 60
    159
    160nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
    161	default 120
    162
    163nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
    164	default 120
    165
    166nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
    167	default 300
    168
    169nf_conntrack_timestamp - BOOLEAN
    170	- 0 - disabled (default)
    171	- not 0 - enabled
    172
    173	Enable connection tracking flow timestamping.
    174
    175nf_conntrack_udp_timeout - INTEGER (seconds)
    176	default 30
    177
    178nf_conntrack_udp_timeout_stream - INTEGER (seconds)
    179	default 120
    180
    181	This extended timeout will be used in case a UDP stream is
    182	detected.
    183
    184nf_conntrack_gre_timeout - INTEGER (seconds)
    185	default 30
    186
    187nf_conntrack_gre_timeout_stream - INTEGER (seconds)
    188	default 180
    189
    190	This extended timeout will be used in case a GRE stream is
    191	detected.
    192
    193nf_hooks_lwtunnel - BOOLEAN
    194	- 0 - disabled (default)
    195	- not 0 - enabled
    196
    197	If this option is enabled, the lightweight tunnel netfilter hooks are
    198	enabled. This option cannot be disabled once it is enabled.
    199
    200nf_flowtable_tcp_timeout - INTEGER (seconds)
    201        default 30
    202
    203        Control offload timeout for tcp connections.
    204        TCP connections may be offloaded from nf conntrack to nf flow table.
    205        Once aged, the connection is returned to nf conntrack with tcp pickup timeout.
    206
    207nf_flowtable_udp_timeout - INTEGER (seconds)
    208        default 30
    209
    210        Control offload timeout for udp connections.
    211        UDP connections may be offloaded from nf conntrack to nf flow table.
    212        Once aged, the connection is returned to nf conntrack with udp pickup timeout.