ME TOO: ip_conntrack / available memory = cRaSh
Sun, 2 Dec 2001 15:05:34 +0545 (NPT)
Thanks for the info, Felipe. But I see that I should have had tons of
free memory left as 8192 conns x 350 bytes = 2867200 bytes (~3 MB) right!
How come the FAQ 3.6 on the netfilter site states, I mean how has the
calculation been done?
...64MB: 4096, 128MB: 8192...at 350 bytes/tracked connections!
Whereas when the system starts dropping packets most of my non-swappable
mem is used up and this happens ~4/5 days after the last reboot.
I have now increased my physical mem to 256 MB from 128 MB. After the
upgrade I noticed that the ip_conntrackmax was automatically increased to
16312 and I manually reduced it to 8192 though.
Right now, the stats are as follows after 2 days since last reboot:
#grep conntrack /proc/slabinfo
ip_conntrack 5012 5700 384 550 570 1
#cat /proc/net/ip_conntrack | wc -l
Could anyone please enlighten me on the relation between the above two
results. Are they related in any way?
Memory: Total Used Free Shared Buffers Cached
Mem: 254468 46664 207804 0 14824 12192
Swap: 240932 0 240932
I feel that my ip_conntrack database is showing a lot more than my actual
connections as I do not think there exists so many connections even at
peak times (traffic is 1.5 Mbps). OR maybe it is keeping the connection
info for too long...stale info not expiring.
Is there a way to set the expire time?
Or I am getting DOSed all the time :) which I don't think is possible.
So, what may have been the cause for consuming so much memory that
resulted in serious packet drops?
I would like to know how much mem do the systems that handle >10,000
connections with >50 mbps traffic...like our friend Juri Haberland.
What are your ip_conntrack_max settings and readings?
On Fri, 30 Nov 2001, Felipe Gustavo de Almeida wrote:
> Mailing list writes:
> > [...]
> > I noticed that the physical memory was used up completely when the packet
> > loss occurs and no swap used at all.
> As noted in netfilter FAQ, section item 3.6
> "... each tracked connection eats about 350 bytes of non-swappable kernel
> note the 'NON-SWAPPABLE'
> > I have gone thru the archive and found out many issues regarding the
> > ip_conntrack limit and the performance.
> > The box serves very well at other times.
> > Could any iptables guru enlighten me as to what can be done to solve this
> > VERY critical problem of mine.
> > Thanks in advance,
> > Raj
> > Current system info:
> > ----------------------------------------------
> > cat /proc/sys/net/ipv4/ip_conntrack_max : 8192
> > grep conntrack /proc/slabinfo :
> > ip_conntrack 3777 4110 384 400 411 1
> > top :
> > CPU states: 0.1% user, 2.1% system, 0.0% nice, 97.6% idle
> > Mem: 125580K av, 75160K used, 50420K free, 0K shrd, 23200K
> > buff
> > Swap: 240932K av, 0K used, 240932K free 13884K
> > cached