From: Athan <netfilter@miggy.org>
To: Amit Kumar Gupta <amitkumar.gupta@wipro.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Reg iptables Connection tracking
Date: Fri, 10 Jan 2003 16:39:22 +0000
Message-ID: <20030110163922.GF22487@miggy.org>
In-Reply-To: <4223A04BF7D1B941A25246ADD0462FF56477FD@blr-m3-msg.wipro.com>

On Fri, Jan 10, 2003 at 04:04:54PM +0530, Amit Kumar Gupta wrote:
> On Friday 10 January 2003 12:37 am, you wrote:
> > Well I am able to see up to this point. I went through the code flow
> > also. But I don't know why it prints the message (even if increasing
> > the value from 1016 to 4096 by hardcoding it in the kernel). Another
> > issue is I don't know how it is taking 1016, as there is no /proc file
> > system, and by default it should take 0.

   I missed this before, sorry.  Is this due to specifically disabling
/proc and/or specifically not mounting it for security reasons?  If not,
just enable it and mount it already.

> Not that this helps much.  The real problem is WHAT is the conntrack 
> table filling with.  And I suspect it may be nothing, that you have a 
> problem because it is trying to use /proc/net/conntrack and there IS no 
> /proc/net/conntrack.  The message may be triggering incorrectly, 
> presuming that since it cannot write another entry to 
> /proc/net/conntrack that the table is full.

   Er, no.  That's not what /proc/net/ip_conntrack is.  It doesn't EXIST
as such until you try to read from it.  All of /proc is virtual.  Just
because you have no /proc and can't get at 'files' in it doesn't mean
the SOURCE of their data doesn't exist.

> /proc in order to work.  If I think of something else I'll email you 
> again.  Sorry.

   I'd certainly recommend having /proc around as well.  There's the
sysctl() interface for querying/changing some values too.  Aha! You can
set net/ipv4/ip_conntrack_max from this too *8-):

	sysctl -w net/ipv4/ip_conntrack_max=32768

If your kernel doesn't have the sysctl support then, er, you're kind of
shooting yourself in the foot for tuning things at ALL, including things
like turning IP forwarding on and off, global TCP ECN support, SYN
cookies etc....

HTH,

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
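An added example, not code from this thread or from netfilter: a small POSIX sh check that reads ip_conntrack_max through sysctl's slash-separated key form used above, counts the live entries, and summarises what the table is filled with by protocol and TCP state, so a "table full" message can be compared against real data. It assumes the 2.4-era paths /proc/net/ip_conntrack and net/ipv4/ip_conntrack_max from the thread; the parser also accepts the newer /proc/net/nf_conntrack layout (lines prefixed "ipv4 2"), and the sample table is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: inspect what the conntrack table holds
# and how full it is, so a "table full" message can be checked against data.
# Paths are assumptions: /proc/net/ip_conntrack and net/ipv4/ip_conntrack_max
# match the 2.4-era kernel discussed; newer kernels use /proc/net/nf_conntrack
# and net/netfilter/nf_conntrack_max (lines there carry an "ipv4 2" prefix).

# Constructed sample in /proc/net/ip_conntrack format (documentation addresses).
SAMPLE_TABLE='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.0.2.11 dst=198.51.100.5 sport=40002 dport=80 src=198.51.100.5 dst=192.0.2.11 sport=80 dport=40002 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.0.2.12 dst=198.51.100.5 sport=40003 dport=80 src=198.51.100.5 dst=192.0.2.12 sport=80 dport=40003 [ASSURED] use=1
udp      17 29 src=192.0.2.13 dst=198.51.100.53 sport=5353 dport=53 [UNREPLIED] src=198.51.100.53 dst=192.0.2.13 sport=53 dport=5353 use=1'

# Read conntrack lines on stdin, print "<proto> <state> <count>", busiest first.
# Handles both the old (proto first) and new ("ipv4 2 proto ...") layouts;
# only tcp entries carry a state word, the others are labelled "-".
summarize_conntrack() {
    awk '{
        off = ($1 == "ipv4" || $1 == "ipv6") ? 2 : 0
        proto = $(1 + off)
        state = (proto == "tcp") ? $(4 + off) : "-"
        n[proto " " state]++
    } END { for (k in n) print k, n[k] }' | sort -k3,3nr -k1,1
}

# Integer percentage of the table in use; a max of 0 (unreadable) yields 0.
conntrack_fill_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# Live check: read max via sysctl (slash form, as in the thread), count entries,
# show the top five proto/state buckets, fail when usage is at or above 80%.
check_conntrack_table() {
    table=${1:-/proc/net/ip_conntrack}
    key=${2:-net/ipv4/ip_conntrack_max}
    [ -r "$table" ] || { echo "cannot read $table; is /proc mounted?" >&2; return 1; }
    max=$(sysctl -n "$key" 2>/dev/null || cat "/proc/sys/$key" 2>/dev/null || echo 0)
    count=$(grep -c . "$table")
    pct=$(conntrack_fill_pct "$count" "$max")
    echo "entries=$count max=$max used=${pct}%"
    summarize_conntrack < "$table" | head -5
    [ "$pct" -lt 80 ]
}
```

Run `check_conntrack_table` on a host with /proc mounted to see the live numbers; a table dominated by TIME_WAIT or [UNREPLIED] entries points at timeouts or one-sided traffic rather than at the limit itself.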
