summaryrefslogtreecommitdiff
path: root/docs/configuration/system
diff options
context:
space:
mode:
authorNicolás Fort <95703796+nicolas-fort@users.noreply.github.com>2022-12-19 16:32:10 -0300
committerGitHub <noreply@github.com>2022-12-19 20:32:10 +0100
commitaade883e244075b3ac6678b64c9da7929e74192a (patch)
treede83a1fb071bdb62ff493c78d9dcfca9f067b4c5 /docs/configuration/system
parent1e0e927e97257a93f02713eee6de32a629f6382a (diff)
downloadvyos-documentation-aade883e244075b3ac6678b64c9da7929e74192a.tar.gz
vyos-documentation-aade883e244075b3ac6678b64c9da7929e74192a.zip
Conntrack: update docs with all conntrack commands supported so far. (#905)
Diffstat (limited to 'docs/configuration/system')
-rw-r--r--docs/configuration/system/conntrack.rst137
1 files changed, 117 insertions, 20 deletions
diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst
index 7f7e4b77..0fe0d575 100644
--- a/docs/configuration/system/conntrack.rst
+++ b/docs/configuration/system/conntrack.rst
@@ -2,32 +2,129 @@
Connection tracking
###################
+VyOS can be configured to track connections using the connection
+tracking subsystem. Connection tracking becomes operational once either
+stateful firewall or NAT is configured.
+
+Conntrack Table
+---------------
+
+.. cfgcmd:: set system conntrack table-size <1-50000000>
+ :defaultvalue:
+
+ The connection tracking table contains one entry for each connection being
+ tracked by the system.
+
+.. cfgcmd:: set system conntrack expect-table-size <1-50000000>
+ :defaultvalue:
+
+ The connection tracking expect table contains one entry for each expected
+ connection related to an existing connection. These are generally used by
+ “connection tracking helper” modules such as FTP.
+ The default size of the expect table is 2048 entries.
+
+.. cfgcmd:: set system conntrack hash-size <1-50000000>
+ :defaultvalue:
+
+ Set the size of the hash table. The connection tracking hash table makes
+ searching the connection tracking table faster. The hash table uses
+ “buckets” to record entries in the connection tracking table.
+
+
Modules
-------
-.. code-block:: none
+Enables ``conntrack`` modules. All modules are enable by default.
+
+.. cfgcmd:: set system conntrack modules ftp
+.. cfgcmd:: set system conntrack modules h323
+.. cfgcmd:: set system conntrack modules nfs
+.. cfgcmd:: set system conntrack modules pptp
+.. cfgcmd:: set system conntrack modules sip
+.. cfgcmd:: set system conntrack modules sqlnet
+.. cfgcmd:: set system conntrack modules tftp
+
+Use ``delete system conntrack modules`` to deactive all modules.
+Or, for example ftp, ``delete system conntrack modules ftp``.
+
+
+Define Connection Timeouts
+--------------------------
+
+VyOS supports setting timeouts for connections according to the
+connection type. You can set timeout values for generic connections, for ICMP
+connections, UDP connections, or for TCP connections in a number of different
+states.
+
+.. cfgcmd:: set system conntrack timeout icmp <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout other <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp close <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp close-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp established <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp fin-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp last-ack <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp syn-recv <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp syn-sent <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout tcp time-wait <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout udp other <1-21474836>
+ :defaultvalue:
+.. cfgcmd:: set system conntrack timeout udp stream <1-21474836>
+ :defaultvalue:
+
+ Set the timeout in secounds for a protocol or state.
+
+
+You can also define custom timeout values to apply to a specific subset of
+connections, based on a packet and flow selector. To do this, you need to
+create a rule defining the packet and flow selector.
- conntrack {
- modules {
- ftp
- h323
- nfs
- pptp
- sip
- sqlnet
- tftp
- }
- }
+.. cfgcmd:: set system conntrack timeout custom rule <1-999999>
+ description <test>
+.. cfgcmd:: set system conntrack timeout custom rule <1-999999>
+ destination address <ip-address>
+.. cfgcmd:: set system conntrack timeout custom rule <1-999999>
+ destination port <value>
+.. cfgcmd:: set system conntrack timeout custom rule <1-999999>
+ inbound-interface <interface>
+.. cfgcmd:: set system conntrack timeout custom rule <1-999999>
+ source address <ip-address>
+.. cfgcmd:: set system conntrack timeout custom rule <1-999999>
+ source port <value>
+.. cfgcmd:: set system conntrack timeout custom rule <1-999999>
+ protocol <protocol>
-Enables ``conntrack`` modules. All modules are now disabled by default, while they
-used to be enabled in previous versions. Enabling the modules ensures backwards
-compatibility — keeping the previous behavior.
+ Configure customized timeout rules for selective connection tracking.
-In most cases they can be disabled by removing the block of configuration.
+Conntrack Ignore
+----------------
-.. code-block:: none
+Customized ignore rules, based on a packet and flow selector, can be
+configured in VyOS. To do this, you can configure as much rules as
+needed using next commands:
- delete system conntrack modules
+.. cfgcmd:: set system conntrack ignore rule <1-999999>
+ description <text>
+.. cfgcmd:: set system conntrack ignore rule <1-999999>
+ destination address <ip-address>
+.. cfgcmd:: set system conntrack ignore rule <1-999999>
+ destination port <port>
+.. cfgcmd:: set system conntrack ignore rule <1-999999>
+ inbound-interface <interface>
+.. cfgcmd:: set system conntrack ignore rule <1-999999>
+ protocol <protocol>
+.. cfgcmd:: set system conntrack ignore rule <1-999999>
+ source address <ip-address>
+.. cfgcmd:: set system conntrack ignore rule <1-999999>
+ source port <port>
-For some scenarios it is in fact recommended, like in this example:
-:ref:`example-high-availability`.
+ Configure customized ignore rules for selective connection tracking.