Nftables: a new packet filtering engine
Posted Mar 25, 2009 10:50 UTC (Wed) by herge (guest, #57423)
In reply to: Nftables: a new packet filtering engine by dlang
Parent article: Nftables: a new packet filtering engine
where does it match TIME_WAIT by default?
# cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
120
Once a connection has reached the TIME_WAIT state, it will be kept in the connection table for 120s.
While it can be tuned down, this behavior should be dropped IMHO.
