Revisiting ip_conntrack: table full, dropping packet

Nigel Morse N.Morse@hyperknowledge.com
Tue, 14 Aug 2001 16:39:11 +0100


Surely your only solution is to increase the maximum?  (BTW allocating 8192
by doing an  echo 8912 > /proc/sys/net/ipv4/ip_conntrack_max allocates 8192
connections, not bytes)

Is the firewall just for connections going from the inside out? coz for 105
machines,  8192/105 = average 78 connections per machine!! this is a lot of
connections - and any that aren't established get dropped first.  I find
this fairly hard to believe - given that most of the connections I see are
web, and these are fairly short lived (open, get page etc, close).

If you have the firewall from internal lan to internal lan and outside then
this may explain it.  However if you are hitting the limit, then it's time
to go buy more RAM I'm afraid.

> -----Original Message-----
> From: Gino Ledesma [mailto:gino@cersa.admu.edu.ph]
> Sent: 14 August 2001 16:14
> To: netfilter@lists.samba.org
> Subject: Revisiting ip_conntrack: table full, dropping packet
> 
> 
> Hi, again
> 
> 	It's me with the same problem with iptables as usual. Right now,
> one router is SNATting roughly 105 clients for Internet access and we've
> allocated 8192 bytes of RAM to ip_conntrack_max, but we're quickly filling
> it up in just a day or two.
> 
> 	I asked this before and still haven't been able to come up with a
> solution that fixes this.
> 
> 	Is there a way for me to clear the /proc/net/ip_conntrack tracked
> connections? Several packets are being dropped after the limit is reached
> and our connections drop outright.
> 
> 	Anyone have a tip? Any tips are greatly appreciated. :)
> 
> --------------------------------------
> Gino LV. Ledesma
> Ateneo Cervini-Eliazo Networks (ACENT)
> email  :  gino@cersa.admu.edu.ph
> web    :  http://cersa.admu.edu.ph/
> phone  :  (63)(2) 426-6001 ext. 5925
> 
>
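The reply above argues that 8192 entries for 105 clients should be plenty unless something is holding entries open, which is exactly the kind of question /proc/net/ip_conntrack can answer once it is parsed. The script below is an added example, not code from either poster or from the netfilter project: it parses the legacy 2.4-era ip_conntrack line format, counts tracked entries per internal source host and per state, and singles out UNREPLIED entries (half-open or unanswered flows that sit in the table until their timeout expires). The sample table is constructed with documentation addresses; the helper names and the `ip_conntrack_max` value passed in are assumptions for the example.

```python
from collections import Counter

# Constructed sample in the legacy /proc/net/ip_conntrack layout (2.4 kernels):
# proto, proto number, timeout, [tcp state], original-direction tuple,
# reply-direction tuple, optional [UNREPLIED]/[ASSURED] flags, use count.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40001 dport=80 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=40001 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.10 dst=203.0.113.5 sport=40002 dport=80 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=40002 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.168.1.11 dst=203.0.113.9 sport=40003 dport=443 [UNREPLIED] src=203.0.113.9 dst=198.51.100.1 sport=443 dport=40003 use=1
udp      17 29 src=192.168.1.12 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=5353 use=1
udp      17 170 src=192.168.1.12 dst=203.0.113.53 sport=5354 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=5354 [ASSURED] use=1
"""


def parse_conntrack(text):
    """Parse ip_conntrack lines into dicts keyed on the original direction."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4:
            continue
        proto, timeout = tokens[0], int(tokens[2])
        # Only TCP carries a state word; UDP/ICMP go straight to the tuple.
        state = tokens[3] if proto == "tcp" else None
        kv = [t.split("=", 1) for t in tokens if "=" in t]
        # The first src=/dst=/dport= triple is the original (client->server)
        # direction; the second triple is the expected reply direction.
        orig_src = next(v for k, v in kv if k == "src")
        orig_dst = next(v for k, v in kv if k == "dst")
        orig_dport = int(next(v for k, v in kv if k == "dport"))
        flags = {t.strip("[]") for t in tokens if t.startswith("[")}
        entries.append({
            "proto": proto, "timeout": timeout, "state": state,
            "src": orig_src, "dst": orig_dst, "dport": orig_dport,
            "flags": flags,
        })
    return entries


def summarize(entries, client_count, max_entries):
    """Per-host and per-state counts plus table pressure for a given
    ip_conntrack_max (hypothetical value supplied by the caller)."""
    per_host = Counter(e["src"] for e in entries)
    # UDP has no state word, so bucket it by protocol instead.
    states = Counter(e["state"] or e["proto"] for e in entries)
    unreplied = sum(1 for e in entries if "UNREPLIED" in e["flags"])
    return {
        "total": len(entries),
        "per_host": per_host,
        "states": states,
        "unreplied": unreplied,
        "avg_per_client": len(entries) / client_count,
        "used_fraction": len(entries) / max_entries,
    }


def top_talkers(entries, n=3):
    """Hosts holding the most entries: the first place to look when the
    table fills far faster than the client count suggests."""
    return Counter(e["src"] for e in entries).most_common(n)


if __name__ == "__main__":
    # On a live 2.4 box this would read /proc/net/ip_conntrack instead.
    rows = parse_conntrack(SAMPLE_CONNTRACK)
    report = summarize(rows, client_count=105, max_entries=8192)
    print("tracked entries:", report["total"])
    print("states:", dict(report["states"]))
    print("unreplied:", report["unreplied"])
    print("table used: %.2f%%" % (100 * report["used_fraction"]))
    print("top talkers:", top_talkers(rows))
```

Running it against the real file (a 2.4 kernel exposes it at /proc/net/ip_conntrack) shows whether the 8192-entry ceiling is being consumed by a few hosts, by long TIME_WAIT timeouts, or by UNREPLIED flows that never complete, which is a more useful starting point than clearing the table.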