ip_conntrack_max?

Patrick Schaaf bof@bof.de
Fri, 28 Dec 2001 17:23:18 +0100


> > The timeouts are in net/ipv4/netfilter/ip_conntrack_proto_tcp.c.
> > If you have compiled in the ipfilter-based conntracking code
> > from patch-o-matic, the timeouts can be configured through entries
> > under /proc/sys/net/ipv4/netfilter/. Otherwise, you have to
> 
> I have a number of related files under it and among them is:
> ip_ct_tcp_timeout_established with a value of 1800000.

So you selected the ipfilter-based stuff from patch-o-matic. Good.

To cite a famous Formula 1 driver from Finland (during his appearance
in German TV advertisements:) This is the future!

Jozsef Kadlecsik will certainly answer any questions on that part,
after the holiday season appropriate for his local customs :-)

> The value should have been 18000 secs (5hrs), right!

(looking at the source...)

> How come I have two extra 0s in there? Is it set in millisecs?

Yep. To be precise, it is in units of "HZ", which is the kernel
timer tick period. The usual x86 setup has HZ=100, i.e. 10ms,
i.e. to convert to seconds, divide by 100.

Ugly. Really Ugly. Jozsef, any chance that we may have the interface
use "seconds" as the unit? And damn the current "installed base",
this is patch-o-matic stuff!

> > modify the source (see the tcp_timeouts[] array - it's obvious).
> > Whether you need to recompile a module, or the kernel,
> 
> Yes, it is selected as M ... meaning I need to recompile that module only.
> Won't just changing the value in the file bring the new value into effect?

If you have the /proc/sys/net/ipv4/netfilter/ip_ct stuff, the change
should indeed be instantaneous.

> Like setting the ip_conntrack_max value...

Exactly.

> Lastly, do I need to do "make modules && modules_install" or is there a
> way to recompile that ONE module only? as this would save me valuable
> time...

With the current general kernel compilation setup, there is no way
to build and install individual modules. The ability to do so
is entering the current Linux 2.5 development effort, just
about any month now. See the linux-kernel mailing list, with an
eye on the topic of "kbuild 2.5".

best regards
  Patrick
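
Added example, not part of the original message: a small shell helper for reading the tick-based timeout entries discussed above in seconds, and for converting a value in seconds back to ticks before writing it. The function names, the `ip_ct_*timeout*` file pattern (generalized from the one entry named in the thread) and the temporary sample directory are assumptions; HZ=100 is the x86 value quoted in the message.

```shell
#!/bin/sh
# Kernel timer ticks per second; 100 is the usual x86 value from the thread.
HZ="${HZ:-100}"

# ticks_to_secs TICKS: print whole seconds, reject anything non-numeric.
ticks_to_secs() {
    case "$1" in
        ''|*[!0-9]*) echo "not a tick count: '$1'" >&2; return 1 ;;
    esac
    echo $(( $1 / HZ ))
}

# secs_to_ticks SECONDS: print the value to write into the /proc entry.
secs_to_ticks() {
    case "$1" in
        ''|*[!0-9]*) echo "not a number of seconds: '$1'" >&2; return 1 ;;
    esac
    echo $(( $1 * HZ ))
}

# report_timeouts DIR: one "name <seconds>s" line per timeout entry in DIR.
# Unreadable or malformed entries are skipped rather than misreported.
report_timeouts() {
    for f in "$1"/ip_ct_*timeout*; do
        [ -r "$f" ] || continue
        secs=$(ticks_to_secs "$(cat "$f")") || continue
        printf '%s %ss\n' "$(basename "$f")" "$secs"
    done
}

# Constructed sample directory standing in for /proc/sys/net/ipv4/netfilter,
# holding the single entry and value quoted in the thread.
demo_dir() {
    d=$(mktemp -d)
    echo 1800000 > "$d/ip_ct_tcp_timeout_established"
    echo "$d"
}

# Stand-alone run: report on the directory given as $1, else on the sample.
if [ -n "${1:-}" ]; then
    report_timeouts "$1"
else
    sample=$(demo_dir)
    report_timeouts "$sample"
    rm -rf "$sample"
fi
```

Pass /proc/sys/net/ipv4/netfilter as the first argument to report on a live system, and set HZ in the environment when the kernel was built with a different tick rate.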