
Washington Ratso 05-13-2011 05:14 PM

Connection Destroy Time with Net Filter Connection Tracking
When I have video running and the video stops, I see that the connection is destroyed in about 5 seconds, which is what I want.

If, rather than stopping the video, I pull the plug, I have seen it take 350 and 380 seconds before the connection is destroyed.

Why is there such a large difference in the time to destroy a video connection between stopping the video and pulling the plug on it when using net filter connection tracking? How can I shorten the time for the connection to get destroyed when pulling the plug?

acid_kewpie 05-14-2011 10:18 AM

Well there's a handshake to close the connection when it stops gracefully, but not if you pull the plug. Ripping out conntrack entries after 5 seconds is pretty drastic, really wouldn't recommend that, maybe 30 seconds. You can shorten it using net.netfilter.nf_conntrack_tcp_timeout_established=30 in /etc/sysctl.conf (parameters can change - run "sysctl -a | grep conntrack" for all conntrack parameters).
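As an added illustration of the sysctl approach in the reply above (this is not code from the thread or from the netfilter project), the script below reads the nf_conntrack TCP timeout keys, renders a sysctl.conf fragment that refuses values under a floor, and computes the worst-case lifetime of an entry whose peer simply vanished. It assumes a Linux host with nf_conntrack loaded for the live path; the embedded sysctl listing is a constructed sample with the usual kernel defaults so everything also runs offline. The `unplugged_lifetime` function goes a bit beyond the reply: once the peer stops acking, the kernel caps the established timeout at `nf_conntrack_tcp_timeout_max_retrans` / `nf_conntrack_tcp_timeout_unacknowledged` (300 s by default), which is why an unplugged flow lingers for minutes rather than days even before any tuning.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a Linux host with the
# nf_conntrack module loaded for the /proc path; otherwise the constructed
# sample below stands in for `sysctl -a | grep conntrack`.

# Constructed sample of sysctl output with common kernel defaults (seconds).
SAMPLE_SYSCTL='net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_max = 65536'

# Pull one TCP timeout (seconds) out of "key = value" sysctl text.
# $1: the text, $2: state name such as established or time_wait.
timeout_of() {
    printf '%s\n' "$1" |
        sed -n "s/^net\.netfilter\.nf_conntrack_tcp_timeout_$2 = \([0-9]*\)$/\1/p"
}

# Live value from /proc when this host has conntrack, else the sample default.
current_timeout() {
    f="/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_$1"
    if [ -r "$f" ]; then cat "$f"; else timeout_of "$SAMPLE_SYSCTL" "$1"; fi
}

# Render a sysctl.conf fragment lowering the established timeout.
# Refuses non-numeric input and values below a floor (default 30 s, the
# figure suggested in the reply) so a typo cannot drop every idle flow.
render_conf() {
    established=$1
    floor=${2:-30}
    case "$established" in
        ''|*[!0-9]*) echo "render_conf: '$established' is not a number" >&2; return 1 ;;
    esac
    if [ "$established" -lt "$floor" ]; then
        echo "render_conf: $established s is below the $floor s floor" >&2
        return 1
    fi
    printf 'net.netfilter.nf_conntrack_tcp_timeout_established = %s\n' "$established"
}

# Worst-case idle lifetime of an entry whose peer was unplugged: once data
# goes unacknowledged or retransmissions pile up, the kernel caps the
# established timeout at max_retrans / unacknowledged, so the effective
# limit is the smallest of the three values.
unplugged_lifetime() {
    e=$(timeout_of "$1" established)
    r=$(timeout_of "$1" max_retrans)
    u=$(timeout_of "$1" unacknowledged)
    m=$e
    if [ "$r" -lt "$m" ]; then m=$r; fi
    if [ "$u" -lt "$m" ]; then m=$u; fi
    echo "$m"
}

# Typical use on a real host:
#   unplugged_lifetime "$(sysctl -a 2>/dev/null | grep conntrack)"
#   render_conf 30 | sudo tee /etc/sysctl.d/90-conntrack.conf && sudo sysctl --system
```

Run `current_timeout established` on the host to see the live value before writing the fragment; a freshly applied 30 s established timeout affects every idle TCP flow traversing the box, not only the ones that died, which is the point the reply makes about configuring for normal activity.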

Washington Ratso 05-15-2011 01:58 PM

Connection Destroy Time with Net Filter Connection Tracking
What is the reason to wait 30 seconds to rip out a conntrack entry? I am using my conntrack entries to create and remove traffic control priority queues to implement QoS. I have a finite number of priority queues I can have at any point in time. So, I want to destroy connections ASAP, because, if there is another high priority connection not assigned to a queue, I want it to be assigned to the queue sooner, rather than later.

acid_kewpie 05-15-2011 02:51 PM

how many working connections are you expecting to go AWOL?? You'd be MUCH more concerned about time wait state connections as they will just routinely sit around for an arbitrary period after EVERY connection finishes, not just ones where some kid's mum walked into his bedroom halfway through him doing something he shouldn't. Don't take actions like this for exceptions, configure for normal activity. In general a connection has the right to not transmit for 5 seconds, it's really not long. If you can't manage 30 seconds, then you have bigger problems to worry about, like a totally unwell network.
