target for modifying conntrack timeout value

Patrick Schaaf bof at bof.de
Wed Dec 1 08:00:26 CET 2004


Hello Richard,

> This would change the timeout value for all udp conntrack. I'd like to have
> more granular control, e.g. after match of certain ports or other
> conditions.

This does not exist, yet, for all I know.

It would require a new data field for each conntrack, "override_timeout".

And then, there would be the interesting question of what to do for
state changes. UDP is easy, but TCP has a load of states it goes
through when the session comes down. Each state transition is coupled
to a per-new-state timeout value. Now, if you give a specific override_timeout,
what to do with it when the next state transition occurs?

Finally, why do you think you need that? What is so special about your
setup that, after one UDP conntrack times out, the next packet for the
same pair of addresses cannot just create a new, equivalent conntrack?
That would be normal operation - what is different for you?

best regards
  Patrick
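
The state-transition question raised in the message above, as an added example that is not part of the original post and not netfilter code: a toy C model of a conntrack entry carrying an `override_timeout` field, re-armed under three possible policies when the TCP state changes. Only the field name `override_timeout` comes from the message; the policies, all other names, and the timeout values are constructed for illustration.

```c
#include <stdio.h>

/* Toy model, not kernel code: all names and timeout values are constructed. */
enum tcp_state { ST_ESTABLISHED, ST_FIN_WAIT, ST_TIME_WAIT, ST_CLOSE, ST_MAX };

/* Per-new-state timeouts in seconds (illustrative values only). */
static const unsigned state_timeout[ST_MAX] = { 432000, 120, 120, 10 };

/* The open question: what happens to the override on a state change? */
enum override_policy { OVERRIDE_STICKY, OVERRIDE_FIRST_STATE_ONLY, OVERRIDE_AS_CAP };

struct conntrack {
    enum tcp_state state;
    unsigned override_timeout;   /* 0 = no override set by a rule */
    unsigned timeout;            /* value the expiry timer is armed with */
};

static void ct_init(struct conntrack *ct, unsigned override_timeout)
{
    ct->state = ST_ESTABLISHED;
    ct->override_timeout = override_timeout;
    ct->timeout = override_timeout ? override_timeout : state_timeout[ct->state];
}

/* Apply a state transition and re-arm the timer under the chosen policy. */
static unsigned ct_transition(struct conntrack *ct, enum tcp_state next,
                              enum override_policy policy)
{
    unsigned dflt = state_timeout[next];
    ct->state = next;
    if (ct->override_timeout == 0) {
        ct->timeout = dflt;
    } else if (policy == OVERRIDE_STICKY) {
        ct->timeout = ct->override_timeout;  /* teardown states linger in the table */
    } else if (policy == OVERRIDE_FIRST_STATE_ONLY) {
        ct->override_timeout = 0;            /* override forgotten after first change */
        ct->timeout = dflt;
    } else {                                 /* OVERRIDE_AS_CAP: never exceed default */
        ct->timeout = dflt < ct->override_timeout ? dflt : ct->override_timeout;
    }
    return ct->timeout;
}

int main(void)
{
    struct conntrack ct;
    ct_init(&ct, 3600);
    printf("%u\n", ct_transition(&ct, ST_TIME_WAIT, OVERRIDE_STICKY));
    return 0;
}
```

Under the sticky policy a closing connection keeps the long override instead of the short teardown timeout, so entries stay in the table longer than the state machine intends, which is the kind of side effect the question in the message points at.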



More information about the netfilter-devel mailing list