mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity

netfilter: conntrack: udp: set stream timeout to 2 minutes 

We have no explicit signal when a UDP stream has terminated, peers just
stop sending.

For suspected stream connections a timeout of two minutes is sane to keep
NAT mapping alive a while longer.

It matches tcp conntracks 'timewait' default timeout value.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Florian Westphal 2018-12-18 00:05:29 +01:00 committed by Pablo Neira Ayuso
parent d535c8a69c
commit 294304e4c5
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Documentation/networking/nf_conntrack-sysctl.txt
View File

@ -157,7 +157,7 @@ nf_conntrack_udp_timeout - INTEGER (seconds)
default 30 default 30
nf_conntrack_udp_timeout_stream - INTEGER (seconds) nf_conntrack_udp_timeout_stream - INTEGER (seconds)
default 180 default 120
This extended timeout will be used in case there is an UDP stream This extended timeout will be used in case there is an UDP stream
detected. detected.

2
net/netfilter/nf_conntrack_proto_udp.c
View File

@ -29,7 +29,7 @@
static const unsigned int udp_timeouts[UDP_CT_MAX] = { static const unsigned int udp_timeouts[UDP_CT_MAX] = {
[UDP_CT_UNREPLIED] = 30*HZ, [UDP_CT_UNREPLIED] = 30*HZ,
[UDP_CT_REPLIED] = 180*HZ, [UDP_CT_REPLIED] = 120*HZ,
}; };
static unsigned int *udp_get_timeouts(struct net *net) static unsigned int *udp_get_timeouts(struct net *net)