ip_conntrack_max?

Sun, 23 Dec 2001 03:06:02 -0500

Hi, I have the same question.... but what happends if you try with kernel 
2.4.16 + iptables 1.2.4 (with patc-o-matic or most-of-pom) ? 

Im not a guru, but if you dont have answers try it and then send a comment 
about the problem, if this persist or not.

Best regards,
Geffrey

El Dom 23 Dic 2001 02:16, Raj escribió:
> HI all!
>
> I am in kind of a desperate situation here...I have not got any responses
> so far to my last mail. My ip_conntrack has grown to ~11000 now and soon
> will reach ip_conntrack_max value of 16312. I will not have any choice but
> to  reboot the machine to bring it back to normalcy...and make it work for
> a week or so before reaching max again.
> This has been _very_ unacceptable to me and _not_ at all serving the
> purpose...a _very_ serious limitation!
>
> Could any iptables-GURU out there enlighten me as to how to keep the
> ip_conntrack at bay...am I missing out on any parameter in my setup?
>
> Some more ?
>
> >How come the iptables_filter shows "unused" below as per "lsmod"?
> >
> >"lsmod" also shows that ip_conntrack_ftp is not loaded...how do load
>
>  it...if required?
>
> ----------
> # procinfo
> Memory:  Total Used Free Shared Buffers Cached Mem:
> 254092 67884 186208 0 38176 14168 Swap:  240932 0 240932
>
> # grep conn /proc/slabinfo
> ip_conntrack       11293  11790    368 1147 1179    1
>
> # cat /proc/net/ip_conntrack | wc -l
>   10744
>
> # lsmod
> Module                  Size  Used by
> 8139too                12832   2
> ipt_state               1024   3  (autoclean)
> ip_conntrack           15984   1  (autoclean) [ipt_state]
> iptable_filter          2128   0  (autoclean) (unused)
> ip_tables              10976   2  [ipt_state iptable_filter]
> usb-uhci               20736   0  (unused)
> usbcore                49920   1  [usb-uhci]
> ext3                   59792   2
> jbd                    39040   2  [ext3]
>
> On Fri, 21 Dec 2001, Raj wrote:
> > Season's Greetings to ALL!
> >
> > Hi, I just noticed on my (RH 7.2/2.4.9-12 & Iptables 1.2.4) box that
> > ip_conntrack keeps on increasing exponentially. I mean it never decreases
> > as time goes by...or even stay around some value. I had set
> > ip_conntrack_max at 8192 though I have 256 MB RAM (It defaults to 16312).
> >
> > It reaches that value after ~4 days of operation and today is the 4th day
> >
> > :) I had read in the FAQ that 128 MB RAM can handle 8192 conns, however
> > : it
> >
> > is reaching 8192 at 65 MB mem usage. It then started dropping packets and
> > had to increment ip_conntrack_max to avoid this. I have around 20 servers
> > behind the FW box generating ~1.5 Mbps traffic. I feel that the
> > ip_conntrack value is unjustifiably reaching the max for the volume of
> > traffic. Maybe the conn_track entries are loitering around for too long
> > (not expiring) and thus reaching the max value too soon.
> >
> > Btw, I had this mem leak problem as I had published in the list and it
> > seems to have been solved after I upgraded my kernel to 2.4.9-13 from
> > 2.4.7-10 (defualt on RH7.2).
> >
> > Any thoughts on how do maintain the ip_conntrack value (as shown below)
> > at bay...reduce the expire (TTL) of the entries maybe...
> >
> > I have a serious problem as this is not at reliable if I have to go on
> > increasing the value once it reaches the current max...as mentioned in
> > the FAQ 3.6, I can only go upto 16132 for 256 MB RAM I guess.
> >
> > Cheers!
> > Raj
> >
> > -------------------------
> > #grep conn /proc/slabinfo
> > ip_conntrack        9180   9290    368  929  929    1
> >
> > #cat /proc/net/ip_conntrack | wc -l
> >   8783
> >
> > #procinfo
> > Memory:   Total    Used      Free    Shared   Buffers   Cached
> > Mem:     254092    65684    188408         0     38108    13608
> > Swap:    240932        0    240932