* conntrack error
@ 2005-02-11 10:55 Piotrek Kaczmarek
From: Piotrek Kaczmarek @ 2005-02-11 10:55 UTC
To: netfilter
Hi,
I encountered the following situation: when there are around 20000 connections,
"cat /proc/net/ip_conntrack" doesn't display all connections and outputs a
"cat: No space left on device" error. If I patch the kernel with POM and the 'nth' module
(only patch, don't load the module), the same happens around 17000 connections.
It happens with both 2.6.9 and 2.6.10 kernels.
Why is that? Is this a matter of a memory limit or something else?
Thank you in advance,
--
Piotrek Kaczmarek
* Re: conntrack error
@ 2005-02-11 13:07 ` Jason Opperisano
From: Jason Opperisano @ 2005-02-11 13:07 UTC
To: netfilter
On Fri, 2005-02-11 at 05:55, Piotrek Kaczmarek wrote:
> Hi,
> I encountered the following situation: when there are around 20000 connections,
> "cat /proc/net/ip_conntrack" doesn't display all connections and outputs a
> "cat: No space left on device" error. If I patch the kernel with POM and the 'nth' module
> (only patch, don't load the module), the same happens around 17000 connections.
> It happens with both 2.6.9 and 2.6.10 kernels.
>
> Why is that? Is this a matter of a memory limit or something else?
what does:
sysctl net.ipv4.netfilter.ip_conntrack_max
say? I don't suppose it would be quite that simple, but might as well
start there.
-j
--
"Son, when you participate in sporting events, it's not whether you
win or lose: it's how drunk you get."
--The Simpsons
* Re: conntrack error
@ 2005-02-11 15:22 ` Piotrek Kaczmarek
From: Piotrek Kaczmarek @ 2005-02-11 15:22 UTC
To: netfilter
On Fri, Feb 11, 2005 at 01:07:36PM +0000, Jason Opperisano wrote:
>
> On Fri, 2005-02-11 at 05:55, Piotrek Kaczmarek wrote:
> > Hi,
> > I encountered the following situation: when there are around 20000 connections,
> > "cat /proc/net/ip_conntrack" doesn't display all connections and outputs a
> > "cat: No space left on device" error. If I patch the kernel with POM and the 'nth' module
> > (only patch, don't load the module), the same happens around 17000 connections.
> > It happens with both 2.6.9 and 2.6.10 kernels.
> >
> > Why is that? Is this a matter of a memory limit or something else?
>
> what does:
>
> sysctl net.ipv4.netfilter.ip_conntrack_max
>
> say? I don't suppose it would be quite that simple, but might as well
> start there.
# sysctl net.ipv4.netfilter.ip_conntrack_max
net.ipv4.netfilter.ip_conntrack_max = 30000
--
Piotr Kaczmarek
* Re: conntrack error
@ 2005-02-11 15:33 ` Jason Opperisano
From: Jason Opperisano @ 2005-02-11 15:33 UTC
To: netfilter
On Fri, Feb 11, 2005 at 04:22:17PM +0100, Piotrek Kaczmarek wrote:
> # sysctl net.ipv4.netfilter.ip_conntrack_max
> net.ipv4.netfilter.ip_conntrack_max = 30000
I assume you set that manually, as I don't think there's an amount
of physical RAM that would result in 30000 on the dot... speaking of
which--how much physical RAM does this machine have? You would need 512
MB RAM for ip_conntrack_max to be automatically calculated to 32768,
even though the conntrack table would only really use around 12 MB of
kernel memory. Also--is this machine dedicated solely to firewalling,
or is there something else chewing up your RAM?
-j
--
"I have thought this through. First, I will send Bart the money to
fly home. Then I will murder him."
--The Simpsons
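The RAM-to-ip_conntrack_max relationship Jason describes above (512 MB giving an automatic 32768, with the table itself using around 12 MB), as an added example that is not code from the thread or from the netfilter project. The script below is a POSIX sh sizing check: it reproduces, as an assumption on my part, the 2.6.9/2.6.10 default (hash buckets = RAM / 16384 / sizeof(struct list_head), 8192 buckets above 1 GB, at least 16, ip_conntrack_max = 8 * buckets, with list_head taken as 8 bytes on i386), assumes roughly 384 bytes per tracked connection (12 MB / 32768), and reports how far a hand-set limit is from being hit. The function names, the sysctl fallback paths under /proc/sys/net/netfilter, and every number fed into the functions are mine and constructed; only `conntrack_live` touches the running kernel.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the 2.6.9/2.6.10 ip_conntrack
# sizing rule from physical RAM and check a hand-set ip_conntrack_max against it.
#
# Assumptions (not stated in the thread):
#  - default hash size = (RAM_bytes / 16384) / sizeof(struct list_head), capped at
#    8192 buckets when RAM > 1 GB and raised to 16 when smaller; ip_conntrack_max
#    is 8 * hash size. sizeof(struct list_head) is taken as 8 (32-bit i386).
#  - ~384 bytes of kernel memory per tracked connection, i.e. the "around 12 MB
#    for 32768 entries" figure quoted in the thread.
#  - Numbers passed to the functions are constructed test values; only
#    conntrack_live reads the running kernel, and only if the sysctls exist.

LIST_HEAD_BYTES=8      # assumption: 32-bit kernel
BYTES_PER_ENTRY=384    # assumption: derived from 12 MB / 32768 entries

# Default ip_conntrack_max a 2.6 kernel would pick for a machine with $1 MB of RAM.
conntrack_default_max() {
    ram_mb=$1
    buckets=$(( ram_mb * 1024 * 1024 / 16384 / LIST_HEAD_BYTES ))
    if [ "$ram_mb" -gt 1024 ]; then buckets=8192; fi
    if [ "$buckets" -lt 16 ]; then buckets=16; fi
    echo $(( buckets * 8 ))
}

# Approximate kernel memory (MB, truncated) held by a full table of $1 entries.
conntrack_mem_mb() {
    echo $(( $1 * BYTES_PER_ENTRY / 1024 / 1024 ))
}

# One-line report: current entries ($1) against the limit ($2) on a box with $3 MB RAM.
# FULL when the table is at the limit (the kernel then drops new connections),
# WARN from 90% upwards, otherwise OK.
conntrack_report() {
    count=$1; max=$2; ram_mb=$3
    pct=$(( count * 100 / max ))
    if [ "$count" -ge "$max" ]; then state=FULL
    elif [ "$pct" -ge 90 ]; then state=WARN
    else state=OK
    fi
    echo "$state count=$count max=$max used=${pct}% default_for_${ram_mb}MB=$(conntrack_default_max "$ram_mb") table_mem~$(conntrack_mem_mb "$max")MB"
}

# Read the live values: 2.6 ip_conntrack sysctls first, nf_conntrack names (assumed
# for later kernels) as a fallback. Returns 1 if no conntrack sysctls are present.
conntrack_live() {
    d=/proc/sys/net/ipv4/netfilter; p=ip_conntrack
    if [ ! -r "$d/${p}_max" ]; then d=/proc/sys/net/netfilter; p=nf_conntrack; fi
    if [ ! -r "$d/${p}_max" ]; then echo "no conntrack sysctls found" >&2; return 1; fi
    ram_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    conntrack_report "$(cat "$d/${p}_count")" "$(cat "$d/${p}_max")" $(( ram_kb / 1024 ))
}

# Stand-alone use: "sh conntrack_check.sh COUNT MAX RAM_MB", "sh conntrack_check.sh live",
# or no arguments to run the numbers reported in this thread (constructed input).
case "$#:$1" in
    3:*)    conntrack_report "$1" "$2" "$3" ;;
    1:live) conntrack_live ;;
    *)      conntrack_report 17000 30000 256 ;;
esac
```

Run with no arguments it prints `OK count=17000 max=30000 used=56% default_for_256MB=16384 table_mem~10MB`, which is the thread's own situation: 256 MB would have defaulted to 16384, the hand-set 30000 costs only about 10 MB, and at ~17000 entries the table is just over half full. The report therefore tells you whether you are about to hit ip_conntrack_max; it says nothing about the "No space left on device" error from reading /proc/net/ip_conntrack, which the thread leaves unexplained.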
* Re: conntrack error
@ 2005-02-11 16:32 ` Piotrek Kaczmarek
From: Piotrek Kaczmarek @ 2005-02-11 16:32 UTC
To: netfilter
On Fri, Feb 11, 2005 at 03:33:22PM +0000, Jason Opperisano wrote:
> On Fri, Feb 11, 2005 at 04:22:17PM +0100, Piotrek Kaczmarek wrote:
> > # sysctl net.ipv4.netfilter.ip_conntrack_max
> > net.ipv4.netfilter.ip_conntrack_max = 30000
>
> I assume you set that manually, as I don't think there's an amount
> of physical RAM that would result in 30000 on the dot... speaking of
> which--how much physical RAM does this machine have? You would need 512
> MB RAM for ip_conntrack_max to be automatically calculated to 32768,
> even though the conntrack table would only really use around 12 MB of
> kernel memory. Also--is this machine dedicated solely to firewalling,
> or is there something else chewing up your RAM?
Yes, I set it by hand. I have 256 MB of RAM; currently there are ~17000 connections
and 'free' shows 70 MB of free memory. That machine is dedicated to routing/firewalling.
--
Piotr Kaczmarek