netfilter: conntrack: udp: set stream timeout to 2 minutes
We have no explicit signal when a UDP stream has terminated, peers just
stop sending.

For suspected stream connections a timeout of two minutes is sane to keep
NAT mapping alive a while longer.

It matches tcp conntrack's 'timewait' default timeout value.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal authored and Pablo Neira Ayuso committed Dec 20, 2018
1 parent d535c8a commit 294304e
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion Documentation/networking/nf_conntrack-sysctl.txt
@@ -157,7 +157,7 @@ nf_conntrack_udp_timeout - INTEGER (seconds)
default 30

nf_conntrack_udp_timeout_stream - INTEGER (seconds)
default 180
default 120

This extended timeout will be used in case there is an UDP stream
detected.
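Review bot: the description for nf_conntrack_udp_timeout_stream still only says the value applies "in case there is an UDP stream detected" without saying what a detected stream is, and the new default carries no rationale. Since the C hunk applies this value to the UDP_CT_REPLIED state, suggest spelling that out (the timeout is used once a reply has been seen in the opposite direction) and recording the reason the commit message gives for 120, for example 'default 120 (matches the tcp time_wait default)', so the two defaults stay paired when either is changed. Also, 'an UDP stream' should read 'a UDP stream'.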
2 changes: 1 addition & 1 deletion net/netfilter/nf_conntrack_proto_udp.c
@@ -29,7 +29,7 @@

static const unsigned int udp_timeouts[UDP_CT_MAX] = {
[UDP_CT_UNREPLIED] = 30*HZ,
[UDP_CT_REPLIED] = 180*HZ,
[UDP_CT_REPLIED] = 120*HZ,
};

static unsigned int *udp_get_timeouts(struct net *net)
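Review bot: the reason for choosing 120*HZ in [UDP_CT_REPLIED] lives only in the commit message; a reader of udp_timeouts[] sees a bare magic number change from 180 to 120 with nothing tying it to the TCP timewait default or to the 'default 120' line in Documentation/networking/nf_conntrack-sysctl.txt. Suggest a one-line comment on that entry, such as '[UDP_CT_REPLIED] = 120*HZ, /* matches tcp time_wait default */', so the next person tuning these values knows the two were meant to stay aligned.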