From: Filip Sneppe <filip.sneppe@cronos.be>
To: Christian Hammers <ch@westend.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: /proc/net/ip_conntrack filling without ipt_conntrack.o loaded?
Date: 14 Jan 2003 17:58:52 +0100
Message-ID: <1042563532.465.1024.camel@xbox>
In-Reply-To: <20030114163734.GB19620@westend.com>

On Tue, 2003-01-14 at 17:37, Christian Hammers wrote:
> Kernel-2.4.20. modprobe-2.4.15. Debian 3.0 woody distribution.
>
> > Is this reproducible upon every reboot?
> I'm not allowed to reboot it :-) But it's still reproducible that
> after decreasing with about 1000 per minute the value of
> /proc/net/ip_conntrack has now stabilized around the
> /proc/sys/net/ipv4/ipt_conntrack_max value which is currently 10000
> (was 65520 and filled up to ca. 50000)
Since you haven't rebooted it, you will continue to have this
problem as basically your running kernel+ip_conntrack is
basically screwed until you reboot the box.
> Hmm :)
> Maybe you should set your machine under a load of at least 4mbit/s
> with random IPs. This was the amount of traffic my router had when I
> reloaded the firewall rule script with a "rmmod" at the beginning.
I think you're absolutely right that unloading ip_conntrack
while the box is handling packets gives you a greater chance
of triggering a problem. I remember having this kind of problem
occasionally with NIC drivers and ip_conntrack_ftp.
See also this item on the netfilter TODO list:

    TO BE INVESTIGATED:
    [...]
    - ip_conntrack rmmod loop (sometimes, Yan's patch?)

Could be your problem, couldn't it?
Not a lot I can say to help you any further though...
If you can reproduce this, you may inform netfilter-devel
of your workload and test scenario, which could help
developers. Is your firewall an SMP (multiprocessor)
machine, by any chance?
Regards,
Filip