ip_conntrack_max vs ip_conntrack

Mohamed Eldesoky eldesoky.lists at gmail.com
Tue Sep 28 09:59:37 CEST 2004


But still, the /proc/net/ip_conntrack should contain all connections tracked by
that firewall (i.e., passing through the firewall), am I right?


On Sat, 25 Sep 2004 00:34:58 +0200, Michal Ludvig <mludvig at suse.cz> wrote:
> 
> Hi all,
> 
> could someone please explain to me what the relation is between the number
> in /proc/sys/net/ipv4/ip_conntrack_max and the number of lines in
> /proc/net/ip_conntrack?
> 
> On one of our very loaded firewalls (with 1GB RAM) we are still getting
> "ip_conntrack: table full, dropping packet." message. We tried to tweak
> all different parameters, e.g. hashsize to up to 1048576,
> ip_conntrack_max, ip_conntrack_tcp_timeout_established, etc.
> Unfortunately sooner or later the kernel always starts dropping packets.
> At the same time, however, there are at most a few thousand lines in
> /proc/net/ip_conntrack.
> 
> I instrumented the kernel to dump the same output via printk() once
> ip_conntrack_count reaches ip_conntrack_max. When I set _max=128 and run
> nmap through the firewall it of course very soon prints the "dropping
> packets" message, but along with only 6 (=six!) lines of connections.
> Where were the other 122 connections lost? What does
> ip_conntrack_count actually count?
> 
> Thanks in advance!
> 
> Michal Ludvig
> - --
> SUSE Labs                    mludvig at suse.cz
> (+420) 296.545.373        http://www.suse.cz
> Personal homepage http://www.logix.cz/michal



-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE
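A diagnostic script of the kind the thread's question calls for, added here as an example and not part of either message: it tallies a /proc/net/ip_conntrack dump by protocol and TCP state (half-open UNREPLIED entries included) and compares ip_conntrack_count against ip_conntrack_max and the number of lines actually listed. The sample table lines and the 90% warning threshold are constructed; the sysctl paths for current kernels named in the comments are assumptions about the reader's system.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a conntrack table dump and
# compare the kernel's entry counter with its ceiling. Reads the
# /proc/net/ip_conntrack line format (on current kernels the equivalent
# files are /proc/net/nf_conntrack and /proc/sys/net/netfilter/nf_conntrack_*).

# Constructed sample in the /proc/net/ip_conntrack format (not real traffic).
SAMPLE_TABLE='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.0.2.11 dst=198.51.100.5 sport=40002 dport=22 [UNREPLIED] src=198.51.100.5 dst=192.0.2.11 sport=22 dport=40002 use=1
tcp      6 117 SYN_SENT src=192.0.2.11 dst=198.51.100.5 sport=40003 dport=23 [UNREPLIED] src=198.51.100.5 dst=192.0.2.11 sport=23 dport=40003 use=1
udp      17 29 src=192.0.2.12 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.12 sport=53 dport=5353 use=1
tcp      6 59 TIME_WAIT src=192.0.2.13 dst=198.51.100.5 sport=40004 dport=80 src=198.51.100.5 dst=192.0.2.13 sport=80 dport=40004 [ASSURED] use=1'

# Read a table on stdin; print "total=N unreplied=N" and one
# "<proto>/<state>=N" line per bucket (UDP carries no state, shown as "-").
# Many UNREPLIED or SYN_SENT entries point at half-open flows filling the table.
conntrack_summary() {
    awk '
        { total++ }
        /\[UNREPLIED\]/ { unreplied++ }
        { key = $1 "/" (($1 == "tcp") ? $4 : "-"); count[key]++ }
        END {
            printf "total=%d unreplied=%d\n", total, unreplied
            for (k in count) printf "%s=%d\n", k, count[k]
        }'
}

# Arguments: ip_conntrack_count ip_conntrack_max; table on stdin.
# A counter far above the number of listed lines is the symptom in the thread.
conntrack_usage() {
    count=$1; max=$2; lines=$(wc -l | tr -d ' ')
    pct=$(( count * 100 / max ))
    echo "count=$count max=$max lines=$lines pct=$pct"
    [ "$pct" -ge 90 ] && echo "WARNING: table at ${pct}% of ip_conntrack_max"
    [ "$count" -gt "$lines" ] && echo "NOTE: counter exceeds listed entries by $(( count - lines ))"
    return 0
}

# Demo on the constructed sample; on a live 2.4/2.6 firewall you would feed
# /proc/net/ip_conntrack and the ip_conntrack_count/ip_conntrack_max sysctls instead.
printf '%s\n' "$SAMPLE_TABLE" | conntrack_summary
printf '%s\n' "$SAMPLE_TABLE" | conntrack_usage 128 128
```

With the thread's _max=128 case the second command reports the counter sitting 123 entries above the listed lines, which is the discrepancy being asked about.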