From patchwork Wed Jan 16 14:56:33 2013
X-Patchwork-Submitter: Jiri Pirko
X-Patchwork-Id: 212546
From: Jiri Pirko
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, rob@landley.net, linux-doc@vger.kernel.org, kuznet@ms2.inr.ac.ru, jmorris@namei.org, yoshfuji@linux-ipv6.org, pablo@netfilter.org, netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org, coreteam@netfilter.org, fw@strlen.de
Subject: [patch net-next v2] doc: add nf_conntrack sysctl api documentation
Date: Wed, 16 Jan 2013 15:56:33 +0100
Message-Id: <1358348193-2201-1-git-send-email-jiri@resnulli.us>
X-Mailing-List: netfilter-devel@vger.kernel.org

I grepped through the code and picked bits about nf_conntrack sysctl api and put that into one documentation file.

Signed-off-by: Jiri Pirko
---
v1->v2: processed in changes suggested by Florian Westphal

 Documentation/networking/nf_conntrack-sysctl.txt | 172 +++++++++++++++++++++++
 1 file changed, 172 insertions(+)
 create mode 100644 Documentation/networking/nf_conntrack-sysctl.txt

diff --git a/Documentation/networking/nf_conntrack-sysctl.txt b/Documentation/networking/nf_conntrack-sysctl.txt
new file mode 100644
index 0000000..61b66e6
--- /dev/null
+++ b/Documentation/networking/nf_conntrack-sysctl.txt
@@ -0,0 +1,172 @@ +/proc/sys/net/netfilter/nf_conntrack_* Variables: + +nf_conntrack_acct - BOOLEAN + 0 - disabled (default) + not 0 - enabled + + Enable connection tracking flow accounting. + +nf_conntrack_buckets - INTEGER (read-only) + Size of hash table. Value is computed in nf_conntrack_init_init_net() + and it basically depends on total memory size. + +nf_conntrack_checksum - BOOLEAN + 0 - disabled + not 0 - enabled (default) + + Verify checksum of incoming packets. Packets with bad checksum + will not be considered for connection tracking, i.e. such packets + will be in INVALID state. + +nf_conntrack_count - INTEGER (read-only) + Number of currently allocated conntracks. + +nf_conntrack_events - BOOLEAN + 0 - disabled + not 0 - enabled (default) + + If this option is enabled, the connection tracking code will + provide userspace with connection tracking events via ctnetlink. + +nf_conntrack_events_retry_timeout - INTEGER (seconds) + default 15 + + This option is only relevant when "reliable connection tracking + events" are used. Normally, ctnetlink is "lossy", i.e. when + userspace listeners can't keep up, events are dropped. + + Userspace can request "reliable event mode". When this mode is + active, the conntrack will only be destroyed after the event was + delivered. If event delivery fails, the kernel periodically + re-tries to send the event to userspace. + + This is the maximum interval the kernel should use when re-trying + to deliver the destroy event. + + Higher number means less delivery re-tries (but it will then take + longer for a backlog to be processed). + +nf_conntrack_expect_max - INTEGER + Maximum size of expectation table. Default value is computed in + nf_conntrack_expect_init() and depends on nf_conntrack_buckets value. + +nf_conntrack_frag6_high_thresh - INTEGER + default 262144 + + Maximum memory used to reassemble IPv6 fragments. 
When + nf_conntrack_frag6_high_thresh bytes of memory is allocated for this + purpose, the fragment handler will toss packets until + nf_conntrack_frag6_low_thresh is reached. + +nf_conntrack_frag6_low_thresh - INTEGER + default 196608 + + See nf_conntrack_frag6_low_thresh + +nf_conntrack_frag6_timeout - INTEGER (seconds) + default 60 + + Time to keep an IPv6 fragment in memory. + +nf_conntrack_generic_timeout - INTEGER (seconds) + default 600 + + Default for generic timeout. + +nf_conntrack_helper - BOOLEAN + 0 - disabled + not 0 - enabled (default) + + Enable automatic conntrack helper assignment. + +nf_conntrack_icmp_timeout - INTEGER (seconds) + default 30 + + Default for ICMP timeout. + +nf_conntrack_icmpv6_timeout - INTEGER (seconds) + default 30 + + Default for ICMP6 timeout. + +nf_conntrack_log_invalid - INTEGER + 0 - disable (default) + 1 - log ICMP packets + 6 - log TCP packets + 17 - log UDP packets + 33 - log DCCP packets + 41 - log ICMPv6 packets + 136 - log UDPLITE packets + 255 - log packets of any protocol + + Log invalid packets of a type specified by value. + +nf_conntrack_max - INTEGER + Size of connection tracking table. Default value is computed in + nf_conntrack_init_init_net() and depends on nf_conntrack_buckets value. + +nf_conntrack_tcp_be_liberal - BOOLEAN + 0 - disabled (default) + not 0 - enabled + + Be conservative in what you do, be liberal in what you accept from others. + If it's non-zero, we mark only out of window RST segments as INVALID. + +nf_conntrack_tcp_loose - BOOLEAN + 0 - disabled + not 0 - enabled (default) + + If it is set to zero, we disable picking up already established + connections. + +nf_conntrack_tcp_max_retrans - INTEGER + default 3 + + Max number of the retransmitted packets without receiving an + (acceptable) ACK from the destination. If this number is reached, + a shorter timer will be started. 
+ +nf_conntrack_tcp_timeout_close - INTEGER (seconds) + default 10 + +nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds) + default 60 + +nf_conntrack_tcp_timeout_established - INTEGER (seconds) + default 432000 (5 days) + +nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds) + default 120 + +nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds) + default 30 + +nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds) + default 300 + +nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds) + default 60 + +nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds) + default 120 + +nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds) + default 120 + +nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds) + default 300 + +nf_conntrack_timestamp - BOOLEAN + 0 - disabled (default) + not 0 - enabled + + Enable connection tracking flow timestamping. + +nf_conntrack_udp_timeout - INTEGER (seconds) + default 30 + +nf_conntrack_udp_timeout_stream2 - INTEGER (seconds) + default 180 + + This extended timeout will be used in case there is an UDP stream + detected.
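Review bot: the nf_conntrack_frag6_low_thresh entry refers to itself ("See nf_conntrack_frag6_low_thresh"); the text that explains the low watermark lives under the high threshold, so this should read "See nf_conntrack_frag6_high_thresh". While touching that area, the high-threshold paragraph would be clearer if it also stated that the two values are in bytes and that nf_conntrack_frag6_low_thresh must stay below nf_conntrack_frag6_high_thresh for the "toss until low_thresh is reached" behaviour to make sense. A smaller point: the nf_conntrack_tcp_timeout_* entries list only defaults with no description, unlike every other variable in the file; one line per entry naming the TCP conntrack state it covers (e.g. "Timeout for connections in the ESTABLISHED state" for nf_conntrack_tcp_timeout_established) would make the table usable without reading nf_conntrack_proto_tcp.c, and nf_conntrack_udp_timeout would benefit from the same treatment next to nf_conntrack_udp_timeout_stream2, which does carry a description.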