kernel: ip_conntrack: maximum limit of 8128 entries exceeded

Ray ray@ops.selu.edu
Mon, 2 Jul 2001 10:21:33 -0500 (CDT)


On Mon, 2 Jul 2001, Thomas Lussnig wrote:

> Increase the amount of trackable connections:
> 
>        echo 65536 >/proc/sys/net/ipv4/ip_conntrack_max
> 
> 
> You should be careful with this, though, because every tracked connection
> consumes a certain amount of non-swappable physical memory. So if you don't have
> enough RAM in your machine, this won't do any good. I don't know exactly how
> much memory this takes; search the archives or ask someone else if you need
> to know it. Anyway, if you track that many connections on your firewall, it
> would probably be a really good idea to put a lot of RAM in it.

The netfilter FAQ, section 3.6, says this number is 500 bytes per
connection. Unless my math is completely wrong, this means about 2,000
connections per megabyte.

With 64 megs of RAM, minus memory for the kernel and essential daemons,
you could track over 100,000 connections.  This is all going strictly by
the math, though... I wouldn't try such a thing.  But if so, where does the
500 bytes number come from, and why is ip_conntrack_max set so
conservatively?

-Ray
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean                                      http://www.r-a-y.org
Systems Administrator               Southeastern Louisiana University
IBM Certified Specialist              AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
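The sizing arithmetic Ray works through above, turned into a small POSIX shell helper. This is an added example, not code from either poster or from the netfilter project. It takes the 500 bytes/entry figure quoted from the netfilter FAQ as its only input assumption; the RAM figures, the choice to spend at most half of the memory left after a reserve, and the newer nf_conntrack paths checked by report_conntrack are assumptions added here, not values from the thread. Raising ip_conntrack_max beyond what the box can hold in non-swappable memory trades "maximum limit exceeded" drops for memory pressure, so the idea is to compute the ceiling before echoing a number into /proc.

```shell
#!/bin/sh
# Added example (not from the original thread): size ip_conntrack_max from
# available RAM using the 500 bytes per entry figure quoted from the
# netfilter FAQ. All RAM numbers below are constructed inputs, not measurements.

BYTES_PER_ENTRY=500   # per-connection cost as quoted from netfilter FAQ 3.6

# entries_for_mb MB -> how many tracked connections fit in MB mebibytes
entries_for_mb() {
    echo $(( $1 * 1024 * 1024 / BYTES_PER_ENTRY ))
}

# kib_for_entries N -> kibibytes of non-swappable memory N tracked entries need
kib_for_entries() {
    echo $(( $1 * BYTES_PER_ENTRY / 1024 ))
}

# conntrack_budget TOTAL_MB RESERVED_MB -> a conservative ip_conntrack_max:
# keep RESERVED_MB for the kernel and daemons, then spend at most half of the
# remainder on the table (the 50% headroom is an assumption, not from the FAQ).
conntrack_budget() {
    usable=$(( $1 - $2 ))
    if [ "$usable" -le 0 ]; then
        echo 0
        return 0
    fi
    entries_for_mb $(( usable / 2 ))
}

# report_conntrack -> print the configured maximum and, where the kernel
# exposes it, the current entry count, so the "maximum limit ... exceeded"
# message can be anticipated instead of discovered in the logs.
# The first path is the one used in the thread; the nf_conntrack paths are
# the names used by newer kernels and are an assumption here.
report_conntrack() {
    for f in /proc/sys/net/ipv4/ip_conntrack_max \
             /proc/sys/net/netfilter/nf_conntrack_max; do
        if [ -r "$f" ]; then
            echo "configured max: $(cat "$f")  ($f)"
        fi
    done
    for f in /proc/sys/net/ipv4/ip_conntrack_count \
             /proc/sys/net/netfilter/nf_conntrack_count; do
        if [ -r "$f" ]; then
            echo "current count:  $(cat "$f")  ($f)"
        fi
    done
    return 0
}

# Worked numbers from the thread: ~2,000 entries/MB, >100,000 in 64 MB,
# and what the default 8128 and the suggested 65536 cost in memory.
echo "entries per MB:            $(entries_for_mb 1)"
echo "entries in 64 MB:          $(entries_for_mb 64)"
echo "default 8128 entries use:  $(kib_for_entries 8128) KiB"
echo "65536 entries would use:   $(kib_for_entries 65536) KiB"
echo "budget for 64 MB, 16 MB reserved: $(conntrack_budget 64 16) entries"
report_conntrack
```

Usage: run it as-is on a firewall to compare the computed budget with whatever is currently in /proc; the reserve and headroom arguments to conntrack_budget are the two knobs to adjust for the real daemon footprint on the machine.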