Page MenuHomeVyOS Platform
Create Task
Maniphest T6266

Firewall flowtable ability to set timeout for TCP and UDP flow
Open, WishlistPublicFEATURE REQUEST
Actions

Description

The flowtables mechanism has a timeout for each flow, like the connection tracking system.
If it expires (=if no packets are seen for NF_FLOW_TIMEOUT (30) seconds, which is the default timeout value), a garbage collector removes that entry from the flowable.
Thus, the remaining packets are thereby thrown back to the classic forwarding path and to connection tracking, which then re-starts its own timeout mechanism.

You can change the timeout individually for TCP and for UDP protocol by using one of the following sysctl's, which effectively change the used timeout for all offloaded flows in the current network namespace:

vyos@r4# sudo sysctl -a -r nf_flowtable
net.netfilter.nf_flowtable_tcp_timeout = 30
net.netfilter.nf_flowtable_udp_timeout = 30
[edit]
vyos@r4#

Needs to think about the CLI option. It is a tag node now:

vyos@r4# set firewall flowtable 
Possible completions:
 > <text>               Flowtable
 >

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Viacheslav triaged this task as Wishlist priority.Thu, Apr 25, 12:11 PM
Viacheslav created this task.
sarthurdev added a subscriber: sarthurdev.Thu, Apr 25, 2:03 PM

Possibly would make sense for CLI to fall under firewall global-options?

pasik added a subscriber: pasik.Thu, Apr 25, 3:22 PM
Viacheslav added a subscriber: n.fort.Thu, Apr 25, 5:07 PM
In T6266#184977, @sarthurdev wrote:

Possibly would make sense for CLI to fall under firewall global-options?

@sarthurdev It makes sense! @n.fort also point me to use the "global-options"
In summary I guess it should be like this:

set firewall global-options flowtable timeout <tcp|udp> xxx