[pve-devel] [PATCH] add tunnable nf_conntrack_tcp_timeout_established value

Alexandre Derumier aderumier at odiso.com
Mon Apr 14 09:59:47 CEST 2014


default nf_conntrack_tcp_timeout_established value is 5 days.

This is excessively long: during a DDoS attack, for example, it keeps stale entries in the conntrack table for up to five days.

from:
https://dev.openwrt.org/ticket/12976

minimum value should be

"7875 seconds (= tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl = 7200 + 9 * 75 by default) to give the endpoints sufficient time to send keep-alive probes"

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 example/host.fw     |    3 +++
 src/PVE/Firewall.pm |   14 +++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/example/host.fw b/example/host.fw
index 4d86107..1bf6d86 100644
--- a/example/host.fw
+++ b/example/host.fw
@@ -15,6 +15,9 @@ policy_out: ACCEPT
 # allow more connections (default is 65536)
 nf_conntrack_max: 196608
 
+# reduce conntrack established timeout (default is 432000 - 5days)
+nf_conntrack_tcp_timeout_established: 7875
+
 # Enable firewall when bridges contains IP address.
 # The firewall is not fully functional in that case, so
 # you need to enable that explicitly
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 362dfbc..f68476f 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1859,7 +1859,7 @@ sub parse_hostfw_option {
     } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
 	$opt = lc($1);
 	$value = uc($3);
-    } elsif ($line =~ m/^(nf_conntrack_max):\s*(\d+)\s*$/i) {
+    } elsif ($line =~ m/^(nf_conntrack_max|nf_conntrack_tcp_timeout_established):\s*(\d+)\s*$/i) {
 	$opt = lc($1);
 	$value = int($2);
     } else {
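Review bot: The widened `elsif` pattern accepts any non-negative integer for nf_conntrack_tcp_timeout_established, so a config line with `0` or a few seconds parses cleanly even though the commit message itself cites 7875 s as the minimum needed for keep-alive probes to refresh an idle flow; below that, quiet-but-valid TCP sessions (SSH, database connections) drop out of the conntrack table and, behind a DROP policy, are silently cut. The same regex also silently accepts values far above the 5-day default without comment. Consider rejecting or at least warning right after the `$value = int($2);` line, e.g. `die "$opt: $value is below the recommended minimum of 7875 seconds\n" if $opt eq 'nf_conntrack_tcp_timeout_established' && $value < 7875;`, or a `warn` if the parser's error path expects to continue. parse_hostfw_option starts before this hunk, so how other branches report bad values is not visible here.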
@@ -2764,6 +2764,8 @@ sub apply_ruleset {
 
     update_nf_conntrack_max($hostfw_conf);
 
+    update_nf_conntrack_tcp_timeout_established($hostfw_conf);
+
     my ($ipset_create_cmdlist, $ipset_delete_cmdlist, $ipset_changes) =
 	get_ipset_cmdlist($ipset_ruleset, undef, $verbose);
 
@@ -2828,6 +2830,16 @@ sub update_nf_conntrack_max {
     }
 }
 
+sub update_nf_conntrack_tcp_timeout_established {
+    my ($hostfw_conf) = @_;
+
+    my $options = $hostfw_conf->{options} || {};
+
+    my $value = defined($options->{nf_conntrack_tcp_timeout_established}) ? $options->{nf_conntrack_tcp_timeout_established} : 432000;
+
+    PVE::ProcFSTools::write_proc_entry("/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established", $value);
+}
+
 sub remove_pvefw_chains {
 
     my ($chash, $hooks) = iptables_get_chains();
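Review bot: update_nf_conntrack_tcp_timeout_established writes the sysctl on every ruleset application and falls back to 432000 when the option is absent, so it silently overrides any value an administrator set through sysctl.conf even on hosts that never opted into firewall-managed tuning; whether update_nf_conntrack_max (cut off at the top of this hunk) behaves the same way cannot be told from here, but the intent deserves a comment either way. The function also repeats the no-lower-bound issue, since nothing stops a sub-7875 value from reaching /proc. I would add a header comment along the lines of `# Kernel default is 432000 s (5 days); 7875 s is the lowest value that still lets TCP keep-alive probes refresh an idle established flow.`, replace the ternary with `my $value = $options->{nf_conntrack_tcp_timeout_established} // 432000;` (defined-or matches the existing defined() check exactly), and add `warn "nf_conntrack_tcp_timeout_established: $value is below the recommended minimum of 7875\n" if $value < 7875;` before the write_proc_entry call. How write_proc_entry reports a missing proc entry (for example when the nf_conntrack module is not loaded) is not visible in this patch, so whether a failure here aborts the whole apply_ruleset is worth confirming.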
-- 
1.7.10.4



