Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Page MenuHomeVyOS Platform
Create Task
Maniphest T6266

Firewall flowtable ability to set timeout for TCP and UDP flow
Open, WishlistPublicFEATURE REQUEST
Actions

Description

The flowtables mechanism has a timeout for each flow, like the connection tracking system.
If it expires (=if no packets are seen for NF_FLOW_TIMEOUT (30) seconds, which is the default timeout value), a garbage collector removes that entry from the flowable.
Thus, the remaining packets are thereby thrown back to the classic forwarding path and to connection tracking, which then re-starts its own timeout mechanism.

You can change the timeout individually for TCP and for UDP protocol by using one of the following sysctl's, which effectively change the used timeout for all offloaded flows in the current network namespace:

vyos@r4# sudo sysctl -a -r nf_flowtable
net.netfilter.nf_flowtable_tcp_timeout = 30
net.netfilter.nf_flowtable_udp_timeout = 30
[edit]
vyos@r4#

Needs to think about the CLI option. It is a tag node now:

vyos@r4# set firewall flowtable 
Possible completions:
 > <text>               Flowtable
 >

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Viacheslav created this task.Apr 25 2024, 12:11 PM
Viacheslav triaged this task as Wishlist priority.
sarthurdev subscribed.Apr 25 2024, 2:03 PM

Possibly would make sense for CLI to fall under firewall global-options?

pasik subscribed.Apr 25 2024, 3:22 PM
Viacheslav added a subscriber: n.fort.Apr 25 2024, 5:07 PM
In T6266#184977, @sarthurdev wrote:

Possibly would make sense for CLI to fall under firewall global-options?

@sarthurdev It makes sense! @n.fort also point me to use the "global-options"
In summary I guess it should be like this:

set firewall global-options flowtable timeout <tcp|udp> xxx
n.fort added a comment.Jun 24 2024, 11:07 AM

Now we have:

vyos@vyos# set firewall global-options timeout tcp 
Possible completions:
   close                TCP CLOSE timeout in seconds (default: 10)
   close-wait           TCP CLOSE-WAIT timeout in seconds (default: 60)
   established          TCP ESTABLISHED timeout in seconds (default: 432000)
   fin-wait             TCP FIN-WAIT timeout in seconds (default: 120)
   last-ack             TCP LAST-ACK timeout in seconds (default: 30)
   syn-recv             TCP SYN-RECEIVED timeout in seconds (default: 60)
   syn-sent             TCP SYN-SENT timeout in seconds (default: 120)
   time-wait            TCP TIME-WAIT timeout in seconds (default: 120)

      
[edit]
vyos@vyos# set firewall global-options timeout udp 
Possible completions:
   other                UDP generic timeout in seconds (default: 30)
   stream               UDP stream timeout in seconds (default: 180)

      
[edit]
vyos@vyos# set firewall global-options timeout udp

Shall we include this new timeout in this section?
Or, as stated before, create a new specific node for flowtables:

set firewall global-options flowtable timeout <tcp | udp> xxx
n.fort claimed this task.Jun 24 2024, 11:07 AM
vyosbot removed n.fort as the assignee of this task.Oct 14 2024, 8:17 AM
syncer edited projects, added VyOS Rolling; removed VyOS 1.5 Circinus.Nov 1 2024, 3:44 PM
syncer moved this task from Need Triage to Backlog - Feature Requests on the VyOS Rolling board.
syncer added a subscriber: Global Notifications.Nov 1 2024, 9:19 PM