doc: update ct timeout section with the state names

docs are too terse and did not have the list of valid timeout states.
While at it, adjust default stream timeout of udp to 120, this is the
current kernel default.

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt
index 4972969eb250efe11819a1ba7b2b61cd3b778123..e3c79220811ff8a9905221ffcf0099d5612834a6 100644 (file)
--- a/doc/stateful-objects.txt
+++ b/doc/stateful-objects.txt
@@ -77,6 +77,17 @@ per ct timeout comment field |
 string
 |=================
 
+tcp connection state names that can have a specific timeout value are:
+
+'close', 'close_wait', 'established', 'fin_wait', 'last_ack', 'retrans', 'syn_recv', 'syn_sent', 'time_wait' and 'unack'.
+
+You can use 'sysctl -a |grep net.netfilter.nf_conntrack_tcp_timeout_' to view and change the system-wide defaults.
+'ct timeout' allows for flow-specific settings, without changing the global timeouts.
+
+For example, tcp port 53 could have much lower settings than other traffic.
+
+udp state names that can have a specific timeout value are 'replied' and 'unreplied'.
+
 .defining and assigning ct timeout policy
 ----------------------------------
 table ip filter {

diff --git a/src/rule.c b/src/rule.c
index c7bc6bcf34967ec9c39f81a45a874f80c7c67936..b1700c40079dcd7e8899d61cca2d64cebc33fb53 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -72,7 +72,7 @@ static uint32_t tcp_dflt_timeout[] = {
 
 static uint32_t udp_dflt_timeout[] = {
        [NFTNL_CTTIMEOUT_UDP_UNREPLIED]         = 30,
-       [NFTNL_CTTIMEOUT_UDP_REPLIED]           = 180,
+       [NFTNL_CTTIMEOUT_UDP_REPLIED]           = 120,
 };
 
 struct timeout_protocol timeout_protocol[IPPROTO_MAX] = {