Ip_conntrack enhancement idea
Wilson, Richard E
richard.wilson at eds.com
Wed Oct 18 00:15:07 CEST 2006
Thanks, I've been trying to find out more information on NOTRACK -- do you know what kernel revision it came with?
From: Eric Leblond [mailto:eric at inl.fr]
Sent: Tuesday, October 17, 2006 3:08 PM
To: Wilson, Richard E
Cc: netfilter at lists.netfilter.org
Subject: Re: Ip_conntrack enhancement idea
On Tuesday, 17 October 2006 at 16:46 -0500, Wilson, Richard E wrote:
> I am having some issues with servers that run caching DNS and iptables
> -- the ip_conntrack table overflows resulting in dropped packets. I am
> wondering what the value is in tracking connections whose source and
> destination are both 127.0.0.1 -- would it be possible to flag such
> packets so that no ip_conntrack table entry gets created for them at
> all? For my servers this can represent a third of the total tracked
> connections (ip_conntrack_max is set at 65536 on systems with 2GB of
As I said in a previous mail, you can really increase this value. The
default conntrack table size is computed for a firewalling server, and
it has to be increased when the machine is used as a gateway.
> I know this can be addressed other ways -- I am working to get the
> server upgraded from its current kernel (2.4.21) to something newer so
> that I can change the default ip_conntrack timeout value (I don't really
> want to increase the ip_conntrack_max), but thought I should bring this
> up. Perhaps in other situations it's desirable to track localhost
> connections, but I can't think of a good reason why.
You can use the NOTRACK target to do so.
> Richard Wilson
> richard dot wilson at eds dot com
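As an added illustration of the NOTRACK suggestion above (my own example, not code from the thread or from the netfilter project): the NOTRACK target lives in the raw table, which is traversed before connection tracking, so a packet that hits it never gets a conntrack entry. The raw table needs a 2.6-series kernel and an iptables built with raw-table support; it is not part of the stock 2.4.21 kernel mentioned in the thread. The script assumes iptables-restore and the usual /proc sysctl paths, and it matches on the lo interface rather than on 127.0.0.1 addresses, because a resolver that queries the host's own public address also goes over lo.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread: exempt loopback traffic
# from connection tracking with NOTRACK in the raw table.
# Assumed environment: 2.6-series kernel, iptables with raw table support,
# iptables-restore available, root for apply_loopback_notrack.

# Emit the rules in iptables-restore format. Locally generated packets pass
# raw OUTPUT; when they are delivered on lo (and when the replies come back)
# they pass raw PREROUTING, so both chains need the rule.
loopback_notrack_rules() {
    cat <<'EOF'
*raw
# resolver -> 127.0.0.1:53 and any other locally generated lo traffic
-A OUTPUT -o lo -j NOTRACK
# the same packets received on lo, plus the replies
-A PREROUTING -i lo -j NOTRACK
COMMIT
EOF
}

# Load the rules without flushing the other tables (-n). Needs root.
apply_loopback_notrack() {
    loopback_notrack_rules | iptables-restore -n
}

# Number of connections currently tracked, from whichever sysctl the
# running kernel provides (ip_conntrack_count on older 2.6 kernels,
# nf_conntrack_count on later ones). Entries already in the table are
# not removed by NOTRACK; they age out through the normal timeouts.
conntrack_count() {
    for f in /proc/sys/net/netfilter/nf_conntrack_count \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_count; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo "conntrack module not loaded" >&2
    return 1
}

# Packet counter summed over the NOTRACK rules, to confirm lo traffic is
# really matched (iptables -L -v -n -x prints pkts in the first column).
notrack_hits() {
    iptables -t raw -L -v -n -x | awk '/NOTRACK/ { sum += $1 } END { print sum + 0 }'
}

# Usage (as root):
#   apply_loopback_notrack
#   conntrack_count   # watch this stop growing with local DNS load
#   notrack_hits      # should climb as the resolver is queried
```

One caveat worth checking before deploying: untracked packets show up in the filter table with state UNTRACKED, not ESTABLISHED, so a ruleset that relies on `-m state --state ESTABLISHED,RELATED -j ACCEPT` to admit replies will no longer accept the loopback replies. Keep explicit `-i lo -j ACCEPT` and `-o lo -j ACCEPT` rules in INPUT and OUTPUT. NAT is also impossible on untracked packets, which is irrelevant for lo but matters if the same trick is extended to other interfaces.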