* Re[2]: [LARTC] Connection Tracking - How Many???
From: Peteris Krumins @ 2003-09-26 17:32 UTC (permalink / raw)
To: lartc
Thursday, September 25, 2003, 10:35:39 PM, you wrote:
WDW> Sorry, I must have missed it when reading the netfilter howto. I
WDW> found it later when reading through it again: approx 32,000 connections
WDW> per 512 megs of ram.
Wrong.
1 conntrack entry = 292 Bytes.
512*1024 = 524800 KiloBytes
524800*1024 = 537395200 Bytes
537395200 / 292 = 1840394 connections.
Of course this would simply kill the CPU.
I am doing 35000 connection trackings at the moment at
approx. less than 80 MB of RAM on a 266 MHz PII.
P.Krumins
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* RE: Re[2]: [LARTC] Connection Tracking - How Many???
From: Daniel Chemko @ 2003-09-26 18:11 UTC (permalink / raw)
To: lartc
292 Bytes: Is that for just 'IP' CONNTRACKS, or is that for 'IP/TCP' and
'IP/UDP' tracking? I see them storing a lot more information for any
tracking of Layer 7 protocols, etc.
Example:
FTP uses a structure called ip_ct_ftp_expect which is created for every
FTP session created. It stores 10 bytes. This might not be that large
compared to the rest of the conntrack, but I can see that more complex
protocols could add quite a bit more.
* Re: Re[2]: [LARTC] Connection Tracking - How Many???
From: Walter D. Wyndroski @ 2003-09-26 21:10 UTC (permalink / raw)
To: lartc
From the documentation links on www.netfilter.org -->
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
How many connections the connection tracking table can hold depends
upon a variable that can be set through the ip-sysctl functions in recent
kernels. The default value held by this entry varies heavily depending on
how much memory you have. On 128 MB of RAM you will get 8192 possible
entries, and at 256 MB of RAM, you will get 16376 entries. You can read and
set your settings through the /proc/sys/net/ipv4/ip_conntrack_max setting.
Walt
----- Original Message -----
From: "Peteris Krumins" <newsgroups@lf.lv>
To: "Walter D. Wyndroski" <wdwrn@friendlycity.net>
Cc: <lartc@mailman.ds9a.nl>
Sent: Friday, September 26, 2003 1:32 PM
Subject: Re[2]: [LARTC] Connection Tracking - How Many???
> Thursday, September 25, 2003, 10:35:39 PM, you wrote:
>
> WDW> Sorry, I must have missed it when reading the netfilter howto. I
> WDW> found it later when reading through it again: approx 32,000 connections
> WDW> per 512 megs of ram.
>
> Wrong.
> 1 conntrack entry = 292 Bytes.
> 512*1024 = 524800 KiloBytes
> 524800*1024 = 537395200 Bytes
>
> 537395200 / 292 = 1840394 connections.
>
> Of course this would simply kill the CPU.
> I am doing 35000 connection trackings at the moment at
> approx. less than 80 MB of RAM on a 266 MHz PII.
>
>
> P.Krumins
* Re: Re[2]: [LARTC] Connection Tracking - How Many???
From: Damjan @ 2003-09-29 19:23 UTC (permalink / raw)
To: lartc
> From the documentation links on www.netfilter.org -->
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
> How many connections the connection tracking table can hold depends
> upon a variable that can be set through the ip-sysctl functions in recent
> kernels. The default value held by this entry varies heavily depending on
> how much memory you have. On 128 MB of RAM you will get 8192 possible
> entries, and at 256 MB of RAM, you will get 16376 entries. You can read and
> set your settings through the /proc/sys/net/ipv4/ip_conntrack_max setting.
That's the default; you can increase it through the
/proc/sys/net/ipv4/ip_conntrack_max setting.
Also you may need to increase the "hashsize=" parameter when loading the
ip_conntrack module.
--
Damjan Georgievski
jabberID: damjan@bagra.net.mk
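The numbers traded in this thread (292 bytes per entry, 8192 entries at 128 MB, roughly 32,000 at 512 MB, and the hashsize= hint) fit one small capacity-planning calculation. The block below is an added example, not code from the LARTC thread or from the netfilter project. It assumes the 292-byte entry cost quoted above, a 32-bit kernel where sizeof(struct list_head) is 8, and the Linux 2.4 ip_conntrack default-sizing heuristic as recalled from ip_conntrack_core.c (buckets = RAM / 16384 / sizeof(struct list_head), capped at 8192 buckets above 1 GiB, ip_conntrack_max = 8 * buckets); the function and variable names are this example's own. The sample log line in the docstring is constructed.

```python
"""Capacity arithmetic for the Linux ip_conntrack table.

Added example, not from the LARTC thread or the netfilter project.
Assumptions: 292 bytes per entry (figure from the thread), a 32-bit kernel
(sizeof(struct list_head) == 8), and the 2.4-era default-sizing heuristic
recalled from ip_conntrack_core.c.
"""

MIB = 1024 * 1024
CONNTRACK_ENTRY_BYTES = 292   # per-entry cost quoted in the thread
LIST_HEAD_BYTES = 8           # sizeof(struct list_head) on i386 (assumption)


def upper_bound_entries(ram_bytes: int, entry_bytes: int = CONNTRACK_ENTRY_BYTES) -> int:
    """Entries that would fit if every byte of RAM held a conntrack entry.

    This is the thread's worst-case division; it is only a ceiling, since the
    kernel, userland and the hash table itself all need memory too.
    """
    return ram_bytes // entry_bytes


def default_hashsize(ram_bytes: int) -> int:
    """Hash buckets the 2.4 ip_conntrack module picks by default (assumed heuristic)."""
    buckets = (ram_bytes // 16384) // LIST_HEAD_BYTES
    if ram_bytes > 1024 * MIB:   # the kernel stops growing the table above 1 GiB
        buckets = 8192
    return max(buckets, 16)


def default_conntrack_max(ram_bytes: int) -> int:
    """Default value of /proc/sys/net/ipv4/ip_conntrack_max: 8 entries per bucket."""
    return 8 * default_hashsize(ram_bytes)


def recommended_hashsize(conntrack_max: int) -> int:
    """hashsize= to pass to the ip_conntrack module after raising ip_conntrack_max.

    Keeps the kernel's own 8-entries-per-bucket ratio so lookups stay short
    instead of degrading into long bucket chains; this example rounds up to a
    power of two, which is a choice here, not something the 2.4 module requires.
    """
    target = max(conntrack_max // 8, 16)
    return 1 << (target - 1).bit_length()


def entry_memory_bytes(entries: int, entry_bytes: int = CONNTRACK_ENTRY_BYTES) -> int:
    """Memory consumed by the entries themselves (not counting the hash table)."""
    return entries * entry_bytes


def table_pressure(live_entries: int, conntrack_max: int) -> str:
    """Classify how close the live table is to its ceiling.

    Once the table is full the kernel drops new connections and logs
    'ip_conntrack: table full, dropping packet', so an undersized table is a
    self-inflicted denial of service; alert on the ratio, not on the log line.
    Constructed sample reading: live_entries=30000 from /proc/net/ip_conntrack
    against conntrack_max=32768 is 'high'.
    """
    ratio = live_entries / conntrack_max
    if ratio >= 1.0:
        return "full"
    if ratio >= 0.8:
        return "high"
    return "ok"


def plan(ram_bytes: int, expected_entries: int) -> dict:
    """Bring the thread's figures together for one box."""
    default_max = default_conntrack_max(ram_bytes)
    return {
        "default_conntrack_max": default_max,
        "ram_ceiling_entries": upper_bound_entries(ram_bytes),
        "entry_memory_mib": entry_memory_bytes(expected_entries) / MIB,
        "pressure_at_default": table_pressure(expected_entries, default_max),
        "hashsize_for_expected": recommended_hashsize(expected_entries),
    }


if __name__ == "__main__":
    for mib in (128, 256, 512):
        print(f"{mib} MiB: default ip_conntrack_max = {default_conntrack_max(mib * MIB)}")
    print(plan(512 * MIB, 35000))
```

Running it reproduces the tutorial's 8192 entries at 128 MB and the "approx 32,000" at 512 MB that Walter originally quoted (the heuristic is tied to RAM, not to the 292-byte entry cost), while the RAM-ceiling figure shows why Peteris's division is a theoretical bound rather than a sizing rule. For Peteris's 35,000 tracked connections the entries themselves cost about 9.7 MiB, which is consistent with his "less than 80 MB" total, and the table would already be "full" at the 512 MB default, which is exactly the case where raising ip_conntrack_max and passing a matching hashsize= matters.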