Configuration of conntrackd PurgeTimeout at the vbash level
Open, Requires assessmentPublicFEATURE REQUEST
Actions

Assigned To

None

Authored By

	c.faria
	Fri, Jan 16, 8:01 PM

Description

There is no documented or supported option in VyOS to tune internal conntrackd SYNC timers such as PurgeTimeout.
In VRRP-based stateful firewall scenarios, this means VRRP timing must be aligned with conntrackd behavior. Since conntrackd purges synchronized states after 60 seconds by default, the VRRP preempt-delay must be configured to ≥ 60 seconds to ensure that mastership is restored before the conntrack state is purged.

https://manpages.debian.org/testing/conntrackd/conntrackd.conf.5.en.html#SYNC

Sync {
	Mode FTFW {
		ResendQueueSize 131072
		PurgeTimeout 60
		ACKWindowSize 300
		DisableExternalCache no
	}

Details

Version: -
Is it a breaking change?: Behavior change
Issue type: Feature (new functionality)

Event Timeline

c.faria created this task.Fri, Jan 16, 8:01 PM

pasik subscribed.Fri, Jan 16, 9:41 PM

Configuration of conntrackd PurgeTimeout at the vbash levelOpen, Requires assessmentPublicFEATURE REQUESTActions

Description

Details

Event Timeline

Configuration of conntrackd PurgeTimeout at the vbash level
Open, Requires assessmentPublicFEATURE REQUEST
Actions