Problems with /proc/net/ip_conntrack

Harald Welte laforge@gnumonks.org
Sat, 12 Jan 2002 22:23:07 +0100


On Fri, Jan 11, 2002 at 04:06:10PM +0100, netfilter-users@lists.ser.net wrote:
> Hello,
> 
> we use iptables + connection tracking on one of our routers. Why is the
> timeout of the connection set to 5 days even if there is no reply packet
> from the destination? If I increase the ip_conntrack_max to 36384, then there
> are about 34000 "UNREPLIED" connections. Perhaps somebody can give me an
> explanation.

We insert them with a 5-day timeout, because we have free entries in the
conntrack table which are otherwise unused.

As soon as we run out of conntrack entries, we look for UNREPLIED entries
and delete them.

 
> Greats
> Oliver

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
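The reply above describes two things a practitioner may want to see in code: how to count the UNREPLIED entries Oliver observed in /proc/net/ip_conntrack against ip_conntrack_max, and the policy of inserting every new entry with its full timeout and only evicting an UNREPLIED entry once the table is full. The following is an added example, not code from the netfilter project or from Harald's message. The sample lines are constructed to look like the 2.4-era /proc/net/ip_conntrack format; the rule that the UNREPLIED entry with the least time left is the one evicted is an assumption for the model, not a claim about what the kernel does; the script and function names are hypothetical.

```python
"""Parse /proc/net/ip_conntrack-style lines and model UNREPLIED early-drop.

Added example; not the netfilter project's code.  Line format assumed here
(2.4 era): proto name, proto number, seconds left, optional TCP state,
original-direction tuple, optional [UNREPLIED], reply-direction tuple,
optional [ASSURED], use=N.
"""
import sys
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample of /proc/net/ip_conntrack output (not a real capture).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=10.0.0.5 sport=3456 dport=80 src=10.0.0.5 dst=192.168.1.2 sport=80 dport=3456 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.168.1.2 dst=10.0.0.6 sport=3457 dport=80 [UNREPLIED] src=10.0.0.6 dst=192.168.1.2 sport=80 dport=3457 use=1
udp      17 29 src=192.168.1.3 dst=10.0.0.7 sport=1024 dport=53 [UNREPLIED] src=10.0.0.7 dst=192.168.1.3 sport=53 dport=1024 use=1
udp      17 170 src=192.168.1.3 dst=10.0.0.8 sport=1025 dport=53 src=10.0.0.8 dst=192.168.1.3 sport=53 dport=1025 [ASSURED] use=1
icmp     1 28 src=192.168.1.4 dst=10.0.0.9 type=8 code=0 id=512 [UNREPLIED] src=10.0.0.9 dst=192.168.1.4 type=0 code=0 id=512 use=1
"""


@dataclass
class Entry:
    proto: str
    timeout: int            # seconds until the entry expires
    state: str              # TCP state, or "" for stateless protocols
    unreplied: bool         # no packet seen in the reply direction yet
    assured: bool
    orig: dict = field(default_factory=dict)   # original-direction tuple


def parse_line(line):
    tok = line.split()
    proto, timeout = tok[0], int(tok[2])
    rest = tok[3:]
    state = ""
    # A bare word before the first key=value token is the TCP state.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)
    orig = {}
    for t in rest:
        # The original tuple ends at a [FLAG] or at the reply tuple's src=.
        if t.startswith("[") or (t.startswith("src=") and "src" in orig):
            break
        k, _, v = t.partition("=")
        orig[k] = v
    return Entry(proto, timeout, state, "[UNREPLIED]" in tok, "[ASSURED]" in tok, orig)


def parse_conntrack(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize(entries, conntrack_max):
    """Totals a practitioner would check before raising ip_conntrack_max."""
    unreplied = Counter(e.proto for e in entries if e.unreplied)
    return {
        "total": len(entries),
        "unreplied": sum(unreplied.values()),
        "unreplied_by_proto": dict(unreplied),
        "fill_ratio": len(entries) / conntrack_max,
    }


class ConntrackTable:
    """Toy model of the policy in the reply: every new entry is inserted with
    its full timeout, and only when the table is full is an UNREPLIED entry
    evicted to make room.  Assumption (not from the kernel): the UNREPLIED
    entry with the least time left is the victim."""

    def __init__(self, conntrack_max):
        self.conntrack_max = conntrack_max
        self.entries = []
        self.early_drops = 0

    def insert(self, entry):
        if len(self.entries) >= self.conntrack_max:
            victims = [e for e in self.entries if e.unreplied]
            if not victims:
                return False          # nothing droppable: the new flow is refused
            self.entries.remove(min(victims, key=lambda e: e.timeout))
            self.early_drops += 1
        self.entries.append(entry)
        return True


def fill_table(entries, conntrack_max):
    """Insert entries in order and report (accepted, early_drops, remaining dsts)."""
    table = ConntrackTable(conntrack_max)
    accepted = sum(1 for e in entries if table.insert(e))
    return accepted, table.early_drops, [e.orig["dst"] for e in table.entries]


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(summarize(parse_conntrack(text), 36384))
```

Run as `python3 conntrack_check.py < /proc/net/ip_conntrack` (hypothetical file name) on a 2.4 box to get the UNREPLIED count per protocol; the current limit is in /proc/sys/net/ipv4/ip_conntrack_max, and a fill ratio near 1.0 with most entries UNREPLIED means the table is full of one-way traffic that will only be reclaimed by the early-drop path modelled above.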