Connection Destroy Time with Net Filter Connection Tracking
When I have video running and the video stops, I see that the connection is destroyed in about 5 seconds, which is what I want.
If, rather than stopping the video, I pull the plug, I have seen it take 350 and 380 seconds before the connection is destroyed.
Why is there such a large difference in the time to destroy a video connection between stopping the video and pulling the plug on it when using net filter connection tracking? How can I shorten the time for the connection to get destroyed when pulling the plug?
Well, there's a handshake to close the connection when it stops gracefully, but not if you pull the plug. Ripping out conntrack entries after 5 seconds is pretty drastic; I really wouldn't recommend that, maybe 30 seconds. You can shorten it using net.netfilter.nf_conntrack_tcp_timeout_established=30 in /etc/sysctl.conf (parameters can change; run "sysctl -a | grep conntrack" for all conntrack parameters).
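To see what the timeout in the reply above actually governs, the following added example (not code from the thread or from the netfilter project) parses entries in /proc/net/nf_conntrack format and estimates which ESTABLISHED TCP entries would already have been expired under a shorter nf_conntrack_tcp_timeout_established. The kernel reports each entry's remaining lifetime in seconds; the countdown is reset to the configured timeout every time a packet refreshes the entry, so the gap between the default (432000 s) and the remaining value approximates the idle time. The table text, addresses and ports are constructed sample data; on a live system you would read /proc/net/nf_conntrack (root, nf_conntrack loaded) or the output of conntrack -L instead.

```python
"""Estimate the effect of a shorter nf_conntrack_tcp_timeout_established
on the entries currently in the conntrack table (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Kernel default for net.netfilter.nf_conntrack_tcp_timeout_established (5 days).
DEFAULT_ESTABLISHED_TIMEOUT = 432000

# Constructed sample in /proc/net/nf_conntrack format; addresses and ports are made up.
SAMPLE_TABLE = """\
ipv4     2 tcp      6 431995 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=192.168.1.10 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431640 ESTABLISHED src=192.168.1.11 dst=203.0.113.9 sport=40001 dport=8080 src=203.0.113.9 dst=192.168.1.11 sport=8080 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 7 TIME_WAIT src=192.168.1.12 dst=203.0.113.7 sport=50000 dport=80 src=203.0.113.7 dst=192.168.1.12 sport=80 dport=50000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=192.168.1.13 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.168.1.13 sport=53 dport=5353 mark=0 zone=0 use=1
"""


@dataclass
class Flow:
    proto: str
    state: str       # TCP state word, or "" for stateless protocols such as UDP
    remaining: int   # seconds until the kernel expires the entry
    src: str
    sport: int
    dst: str
    dport: int


# First "src= dst= sport= dport=" group on a line is the original direction.
_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(table_text: str) -> List[Flow]:
    """Parse lines in /proc/net/nf_conntrack format (TCP and UDP)."""
    flows = []
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        proto = fields[2]
        remaining = int(fields[4])
        # TCP lines carry a state word right after the timeout; UDP lines do not.
        state = fields[5] if proto == "tcp" else ""
        m = _TUPLE_RE.search(line)
        if not m:
            continue
        flows.append(Flow(proto, state, remaining,
                          m.group(1), int(m.group(3)), m.group(2), int(m.group(4))))
    return flows


def idle_seconds(flow: Flow, old_timeout: int = DEFAULT_ESTABLISHED_TIMEOUT) -> int:
    """Approximate seconds since the entry last saw a packet: the countdown was
    reset to old_timeout at that moment and has been ticking down since."""
    return old_timeout - flow.remaining


def would_expire_under(table_text: str, new_timeout: int,
                       old_timeout: int = DEFAULT_ESTABLISHED_TIMEOUT) -> List[Flow]:
    """ESTABLISHED TCP entries that would already be gone with the shorter timeout.
    Entries in other states (TIME_WAIT, CLOSE, ...) use their own sysctls."""
    return [f for f in parse_conntrack(table_text)
            if f.proto == "tcp" and f.state == "ESTABLISHED"
            and idle_seconds(f, old_timeout) >= new_timeout]


def sysctl_line(new_timeout: int) -> str:
    """Persistent setting for /etc/sysctl.conf (applied with `sysctl -p`)."""
    if new_timeout <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    return f"net.netfilter.nf_conntrack_tcp_timeout_established={new_timeout}"


if __name__ == "__main__":
    for t in (30, 5):
        gone = would_expire_under(SAMPLE_TABLE, t)
        print(f"timeout {t}s: {len(gone)} ESTABLISHED entries would already be expired")
        for f in gone:
            print(f"  {f.src}:{f.sport} -> {f.dst}:{f.dport}  idle ~{idle_seconds(f)}s")
    print(sysctl_line(30))
```

With the sample table, a 30 s timeout expires only the entry that has been silent for about six minutes, while 5 s also expires one that paused for just 5 s, which is exactly the kind of legitimate stall (a player buffering, a keepalive gap) that gets caught when the timeout is set aggressively. Two caveats for a live system: changing the sysctl does not rewrite the countdown of existing entries, they pick up the new value the next time a packet refreshes them; and conntrack cannot distinguish a pulled plug from a quiet but healthy connection, so whatever value is chosen is the longest silence any established flow is allowed.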
What is the reason to wait 30 seconds to rip out a conntrack entry? I am using my conntrack entries to create and remove traffic control priority queues to implement QoS. I have a finite number of priority queues I can have at any point in time. So, I want to destroy connections ASAP, because, if there is another high priority connection not assigned to a queue, I want it to be assigned to the queue sooner, rather than later.
How many working connections are you expecting to go AWOL? You'd be MUCH more concerned about time-wait state connections, as they will just routinely sit around for an arbitrary period after EVERY connection finishes, not just ones where some kid's mum walked into his bedroom halfway through him doing something he shouldn't. Don't take actions like this for exceptions; configure for normal activity. In general a connection has the right to not transmit for 5 seconds; it's really not long. If you can't manage 30 seconds, then you have bigger problems to worry about, like a totally unwell network.