We have no explicit signal when a UDP stream has terminated; peers just
stop sending.

For the unreplied UDP case, 10 seconds should be enough to cover
delayed replies, and for suspected stream connections a timeout
of two minutes is sane to keep the NAT mapping alive a while longer.
It matches tcp conntrack's 'timewait' default timeout value.

Signed-off-by: Florian Westphal <f...@strlen.de>
---
 Documentation/networking/nf_conntrack-sysctl.txt | 4 ++--
 net/netfilter/nf_conntrack_proto_udp.c           | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Documentation/networking/nf_conntrack-sysctl.txt 
b/Documentation/networking/nf_conntrack-sysctl.txt
index 1669dc2419fd..371b6260dcd5 100644
--- a/Documentation/networking/nf_conntrack-sysctl.txt
+++ b/Documentation/networking/nf_conntrack-sysctl.txt
@@ -154,10 +154,10 @@ nf_conntrack_timestamp - BOOLEAN
        Enable connection tracking flow timestamping.
 
 nf_conntrack_udp_timeout - INTEGER (seconds)
-       default 30
+       default 10
 
 nf_conntrack_udp_timeout_stream - INTEGER (seconds)
-       default 180
+       default 120
 
        This extended timeout will be used in case there is an UDP stream
        detected.
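Review bot: the documentation hunk changes only the two numbers and leaves both entries without any statement of what each timeout governs, so a reader of nf_conntrack-sysctl.txt now sees "default 10" with no hint that it applies to flows that have not yet seen a reply. Suggest one sentence under nf_conntrack_udp_timeout, e.g. "Timeout for a UDP flow for which no reply has been seen yet.", and a brief note of why the values were lowered (UDP carries no end-of-stream signal, so unanswered entries are reaped sooner; the stream value matches TCP's timewait default), since that rationale currently lives only in the commit message. Minor: the untouched context line "in case there is an UDP stream" should read "a UDP stream".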
diff --git a/net/netfilter/nf_conntrack_proto_udp.c 
b/net/netfilter/nf_conntrack_proto_udp.c
index 76cee2fe3b1b..807389da42f4 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -28,8 +28,8 @@
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
 
 static const unsigned int udp_timeouts[UDP_CT_MAX] = {
-       [UDP_CT_UNREPLIED]      = 30*HZ,
-       [UDP_CT_REPLIED]        = 180*HZ,
+       [UDP_CT_UNREPLIED]      = 10*HZ,
+       [UDP_CT_REPLIED]        = 120*HZ,
 };
 
 static unsigned int *udp_get_timeouts(struct net *net)
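Review bot: the new defaults in udp_timeouts[] are bare magic numbers (10*HZ, 120*HZ) that duplicate the "default 10" / "default 120" values in the documentation hunk with nothing tying the two together. A short comment above the array stating the intent of each entry (10 s to cover delayed replies to an unanswered datagram, 120 s to keep a NAT mapping alive and match the TCP timewait default, as the commit message explains) would keep code and docs in step when one is revised and make it clear that UDP_CT_UNREPLIED entries now expire after a third of the previous time. That shorter lifetime matters for deployments whose UDP peers answer slowly; the commit message should mention that nf_conntrack_udp_timeout, documented in the first hunk, remains the per-system override.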
-- 
2.19.2
