1/proc/sys/net/netfilter/nf_conntrack_* Variables:
2
3nf_conntrack_acct - BOOLEAN
4	0 - disabled (default)
5	not 0 - enabled
6
7	Enable connection tracking flow accounting. 64-bit byte and packet
8	counters per flow are added.
9
10nf_conntrack_buckets - INTEGER
	Size of hash table. If not specified as parameter during module
	loading, the default size is calculated by dividing total memory
	by 16384 to determine the number of buckets, but the hash table will
	never have fewer than 32 buckets and is limited to 16384 buckets. For
	systems with more than 4GB of memory it will be 65536 buckets.
	This sysctl is only writeable in the initial net namespace.
17
18nf_conntrack_checksum - BOOLEAN
19	0 - disabled
20	not 0 - enabled (default)
21
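	Verify checksum of incoming packets. Packets with bad checksums are
	in INVALID state. If this is enabled, such packets will not be
	considered for connection tracking. Classifying a packet as INVALID
	does not by itself drop it; the ruleset has to drop INVALID packets
	explicitly if that is wanted.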
25
26nf_conntrack_count - INTEGER (read-only)
27	Number of currently allocated flow entries.
28
29nf_conntrack_events - BOOLEAN
30	0 - disabled
31	not 0 - enabled (default)
32
33	If this option is enabled, the connection tracking code will
34	provide userspace with connection tracking events via ctnetlink.
35
36nf_conntrack_expect_max - INTEGER
37	Maximum size of expectation table.  Default value is
38	nf_conntrack_buckets / 256. Minimum is 1.
39
40nf_conntrack_frag6_high_thresh - INTEGER
41	default 262144
42
	Maximum memory used to reassemble IPv6 fragments.  When
	nf_conntrack_frag6_high_thresh bytes of memory are allocated for this
	purpose, the fragment handler will toss packets until
	nf_conntrack_frag6_low_thresh is reached.
47
48nf_conntrack_frag6_low_thresh - INTEGER
49	default 196608
50
	See nf_conntrack_frag6_high_thresh
52
53nf_conntrack_frag6_timeout - INTEGER (seconds)
54	default 60
55
56	Time to keep an IPv6 fragment in memory.
57
58nf_conntrack_generic_timeout - INTEGER (seconds)
59	default 600
60
61	Default for generic timeout.  This refers to layer 4 unknown/unsupported
62	protocols.
63
64nf_conntrack_helper - BOOLEAN
65	0 - disabled (default)
66	not 0 - enabled
67
	Enable automatic conntrack helper assignment.
	If disabled, it is required to set up iptables rules to assign
	helpers to connections.  Explicit assignment limits each helper to
	the traffic selected by the rule.  See the CT target description in
	the iptables-extensions(8) man page for further information.
72
73nf_conntrack_icmp_timeout - INTEGER (seconds)
74	default 30
75
76	Default for ICMP timeout.
77
78nf_conntrack_icmpv6_timeout - INTEGER (seconds)
79	default 30
80
81	Default for ICMP6 timeout.
82
83nf_conntrack_log_invalid - INTEGER
84	0   - disable (default)
85	1   - log ICMP packets
86	6   - log TCP packets
87	17  - log UDP packets
88	33  - log DCCP packets
89	41  - log ICMPv6 packets
90	136 - log UDPLITE packets
91	255 - log packets of any protocol
92
93	Log invalid packets of a type specified by value.
94
95nf_conntrack_max - INTEGER
96	Size of connection tracking table.  Default value is
97	nf_conntrack_buckets value * 4.
98
99nf_conntrack_tcp_be_liberal - BOOLEAN
100	0 - disabled (default)
101	not 0 - enabled
102
	Be conservative in what you do, be liberal in what you accept from others.
	If it's non-zero, we mark only out of window RST segments as INVALID;
	other out of window segments are no longer marked INVALID, so
	state-based filtering of them is relaxed.
105
106nf_conntrack_tcp_loose - BOOLEAN
107	0 - disabled
108	not 0 - enabled (default)
109
	If it is set to zero, we disable picking up already established
	connections, i.e. connections whose opening handshake was not seen
	by connection tracking.
112
113nf_conntrack_tcp_max_retrans - INTEGER
114	default 3
115
	Maximum number of packets that can be retransmitted without
	receiving an (acceptable) ACK from the destination. If this number
	is reached, a shorter timer will be started.
119
120nf_conntrack_tcp_timeout_close - INTEGER (seconds)
121	default 10
122
123nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds)
124	default 60
125
126nf_conntrack_tcp_timeout_established - INTEGER (seconds)
127	default 432000 (5 days)
128
129nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds)
130	default 120
131
132nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds)
133	default 30
134
135nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds)
136	default 300
137
138nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds)
139	default 60
140
141nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds)
142	default 120
143
144nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds)
145	default 120
146
147nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds)
148	default 300
149
150nf_conntrack_timestamp - BOOLEAN
151	0 - disabled (default)
152	not 0 - enabled
153
154	Enable connection tracking flow timestamping.
155
156nf_conntrack_udp_timeout - INTEGER (seconds)
157	default 30
158
159nf_conntrack_udp_timeout_stream - INTEGER (seconds)
160	default 180
161
	This extended timeout will be used in case there is a UDP stream
	detected.
164