Sun, 23 Dec 2001 03:06:02 -0500
Hi, I have the same question.... but what happends if you try with kernel
2.4.16 + iptables 1.2.4 (with patc-o-matic or most-of-pom) ?
Im not a guru, but if you dont have answers try it and then send a comment
about the problem, if this persist or not.
El Dom 23 Dic 2001 02:16, Raj escribió:
> HI all!
> I am in kind of a desperate situation here...I have not got any responses
> so far to my last mail. My ip_conntrack has grown to ~11000 now and soon
> will reach ip_conntrack_max value of 16312. I will not have any choice but
> to reboot the machine to bring it back to normalcy...and make it work for
> a week or so before reaching max again.
> This has been _very_ unacceptable to me and _not_ at all serving the
> purpose...a _very_ serious limitation!
> Could any iptables-GURU out there enlighten me as to how to keep the
> ip_conntrack at bay...am I missing out on any parameter in my setup?
> Some more ?
> >How come the iptables_filter shows "unused" below as per "lsmod"?
> >"lsmod" also shows that ip_conntrack_ftp is not loaded...how do load
> it...if required?
> # procinfo
> Memory: Total Used Free Shared Buffers Cached Mem:
> 254092 67884 186208 0 38176 14168 Swap: 240932 0 240932
> # grep conn /proc/slabinfo
> ip_conntrack 11293 11790 368 1147 1179 1
> # cat /proc/net/ip_conntrack | wc -l
> # lsmod
> Module Size Used by
> 8139too 12832 2
> ipt_state 1024 3 (autoclean)
> ip_conntrack 15984 1 (autoclean) [ipt_state]
> iptable_filter 2128 0 (autoclean) (unused)
> ip_tables 10976 2 [ipt_state iptable_filter]
> usb-uhci 20736 0 (unused)
> usbcore 49920 1 [usb-uhci]
> ext3 59792 2
> jbd 39040 2 [ext3]
> On Fri, 21 Dec 2001, Raj wrote:
> > Season's Greetings to ALL!
> > Hi, I just noticed on my (RH 7.2/2.4.9-12 & Iptables 1.2.4) box that
> > ip_conntrack keeps on increasing exponentially. I mean it never decreases
> > as time goes by...or even stay around some value. I had set
> > ip_conntrack_max at 8192 though I have 256 MB RAM (It defaults to 16312).
> > It reaches that value after ~4 days of operation and today is the 4th day
> > :) I had read in the FAQ that 128 MB RAM can handle 8192 conns, however
> > : it
> > is reaching 8192 at 65 MB mem usage. It then started dropping packets and
> > had to increment ip_conntrack_max to avoid this. I have around 20 servers
> > behind the FW box generating ~1.5 Mbps traffic. I feel that the
> > ip_conntrack value is unjustifiably reaching the max for the volume of
> > traffic. Maybe the conn_track entries are loitering around for too long
> > (not expiring) and thus reaching the max value too soon.
> > Btw, I had this mem leak problem as I had published in the list and it
> > seems to have been solved after I upgraded my kernel to 2.4.9-13 from
> > 2.4.7-10 (defualt on RH7.2).
> > Any thoughts on how do maintain the ip_conntrack value (as shown below)
> > at bay...reduce the expire (TTL) of the entries maybe...
> > I have a serious problem as this is not at reliable if I have to go on
> > increasing the value once it reaches the current max...as mentioned in
> > the FAQ 3.6, I can only go upto 16132 for 256 MB RAM I guess.
> > Cheers!
> > Raj
> > -------------------------
> > #grep conn /proc/slabinfo
> > ip_conntrack 9180 9290 368 929 929 1
> > #cat /proc/net/ip_conntrack | wc -l
> > 8783
> > #procinfo
> > Memory: Total Used Free Shared Buffers Cached
> > Mem: 254092 65684 188408 0 38108 13608
> > Swap: 240932 0 240932