* Clearing conntrack? Extending size of conntrack?
From: James Strickland @ 2005-09-29 22:16 UTC (permalink / raw)
To: netfilter
Hello, usually after about a day of uptime on my router, the ppp
connection to my ISP stays alive, but packets are not forwarded and
NATed through the wan/lan interfaces. My guess is that the conntrack is
getting too large over this time (my brother's node uses nonsense like
Kazaa and BearShare). Is there a way to increase the conntrack size,
or to clear it via /proc?
Thanks.
* Re: Clearing conntrack? Extending size of conntrack?
From: Fabien Germain @ 2005-09-29 22:34 UTC (permalink / raw)
To: netfilter
Hi,
On 9/30/05, James Strickland <jstic04@cp.centennialcollege.ca> wrote:
> Hello, usually after about a day of uptime on my router, the ppp
> connection to my ISP stays alive, but packets are not forwarded and
> NATed through the wan/lan interfaces. My guess is that the conntrack is
> getting too large over this time (my brother's node uses nonsense like
> Kazaa and BearShare). Is there a way to increase the conntrack size,
> or to clear it via /proc?
You can set a higher value in /proc/sys/net/ipv4/ip_conntrack_max.
And to check the number of currently tracked connections:
cat /proc/net/ip_conntrack | wc -l
Fabien
* Re: Clearing conntrack? Extending size of conntrack?
From: Henrik Nordstrom @ 2005-09-30 12:39 UTC (permalink / raw)
To: Fabien Germain; +Cc: netfilter
On Fri, 30 Sep 2005, Fabien Germain wrote:
> You can set a higher value in /proc/sys/net/ipv4/ip_conntrack_max.
You really SHOULD set the size by increasing the hash table size of
conntrack. Increasing ip_conntrack_max should only be seen as a quick
patch until you can reload the module with a larger hash table.
Performance will suffer noticeably until the hash size is increased.
> And to check the number of currently tracked connections:
> cat /proc/net/ip_conntrack | wc -l
Much better to get this value from the slab cache:
awk '/^ip_conntrack / {print $2}' /proc/slabinfo
Reading /proc/net/ip_conntrack as suggested above can easily kill the
performance of your firewall if done frequently, and in addition may give
slightly misleading results as the data is being changed while it is being
read, not to mention that reading /proc/net/ip_conntrack is very slow when
the traffic and number of entries are high.
Regards
Henrik
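The slab-cache approach from the reply above, worked into a small monitoring probe; this is an added example, not code from the thread. It assumes the 2.6-era file names used in the thread (/proc/slabinfo with an ip_conntrack line, /proc/sys/net/ipv4/ip_conntrack_max) and builds constructed sample copies of both so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): report how full the conntrack table is
# from the slab cache, as Henrik recommends, rather than by dumping
# /proc/net/ip_conntrack. File names assume the 2.6-era ip_conntrack module.

# Active conntrack entries: second column of the ip_conntrack slab line.
conntrack_active() {
    awk '/^ip_conntrack / {print $2}' "$1"
}

# Integer percentage of the table in use. Args: slabinfo file, ip_conntrack_max file.
conntrack_pct() {
    active=$(conntrack_active "$1")
    max=$(cat "$2")
    [ -n "$active" ] && [ "$max" -gt 0 ] || return 2
    echo $(( active * 100 / max ))
}

# Exit 0 below the threshold (default 80%), 1 at/above it, 2 if counters are
# unreadable; usable from cron or a monitoring agent on the router.
conntrack_check() {
    pct=$(conntrack_pct "$1" "$2") || return 2
    if [ "$pct" -ge "${3:-80}" ]; then
        echo "WARN: conntrack table ${pct}% full (raise hashsize/ip_conntrack_max)"
        return 1
    fi
    echo "OK: conntrack table ${pct}% full"
}

# Constructed sample counters (a nearly full table) so the script runs offline;
# prints the directory holding the two fake proc files.
make_sample() {
    dir=$(mktemp -d)
    printf 'slabinfo - version: 2.1\n' > "$dir/slabinfo"
    printf 'ip_conntrack  31000 32768 304 13 1 : tunables 0 0 0 : slabdata 2521 2521 0\n' >> "$dir/slabinfo"
    echo 32768 > "$dir/ip_conntrack_max"
    echo "$dir"
}

# Demo against the constructed sample; on a real router call
# conntrack_check /proc/slabinfo /proc/sys/net/ipv4/ip_conntrack_max instead.
sample=$(make_sample)
conntrack_check "$sample/slabinfo" "$sample/ip_conntrack_max" || echo "exit status $?"
rm -rf "$sample"
```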