Linux Netfilter discussions
* Determining number of active connections
From: jason.faulkner @ 2009-03-10 14:18 UTC
  To: netfilter

Hi all,

I'd like to be able to monitor (trend) the number of tracked connections in iptables; however, doing something like "cat /proc/net/ip_conntrack | wc -l" eats up too much CPU to run with regularity (we track somewhere in the realm of 200,000 connections).

Is there a way to just pull the total number? It'd be nice to know that we aren't even getting close to the number of connections set in the sysctl. 

Thanks!

--
Jason Faulkner 
Linux Systems Engineer
Mailtrust, a division of Rackspace



* Re: Determining number of active connections
From: Erik Wasser @ 2009-03-10 15:22 UTC
  To: netfilter; +Cc: jason.faulkner

On Tuesday 10 March 2009, jason.faulkner@mailtrust.com wrote:
> Hi all,
>
> I'd like to be able to monitor (trend) the number of tracked
> connections in iptables; however, doing something like "cat
> /proc/net/ip_conntrack | wc -l" eats up too much CPU to run with
> regularity (we track somewhere in the realm of 200,000 connections).
>
> Is there a way to just pull the total number? It'd be nice to know
> that we aren't even getting close to the number of connections set in
> the sysctl.

Hi,

check out the following files:

/proc/sys/net/ipv4/netfilter/{ip_conntrack_count,ip_conntrack_max}

-- 
So long... Fuzz


* Re: Determining number of active connections
From: jason.faulkner @ 2009-03-10 15:30 UTC
  To: netfilter

-----Original Message-----
From: "Erik Wasser" <erik.wasser@iquer.net>
Sent: Tuesday, March 10, 2009 11:22am
To: netfilter@vger.kernel.org
Cc: jason.faulkner@mailtrust.com
Subject: Re: Determining number of active connections

>check out the following files:
>
>/proc/sys/net/ipv4/netfilter/{ip_conntrack_count,ip_conntrack_max}

Thanks for this information :) This is awesome for my new firewalls.

However, I have a few old 2.4 kernel firewalls (RHEL3), and they don't seem to have an ip_conntrack_count anywhere. Is there something for those? 

--
Jason Faulkner 
Linux Systems Engineer
Mailtrust, a division of Rackspace


* Re: Determining number of active connections
From: Pablo Neira Ayuso @ 2009-03-11  9:16 UTC
  To: jason.faulkner; +Cc: netfilter

jason.faulkner@mailtrust.com wrote:
> Hi all,
> 
> I'd like to be able to monitor (trend) the number of tracked connections in iptables; however, doing something like "cat /proc/net/ip_conntrack | wc -l" eats up too much CPU to run with regularity (we track somewhere in the realm of 200,000 connections).
> 
> Is there a way to just pull the total number? It'd be nice to know that we aren't even getting close to the number of connections set in the sysctl. 

$ cat /proc/sys/net/netfilter/nf_conntrack_count

or with the conntrack-tools-0.9.11

# conntrack -C

-- 
"Honest people are social misfits" -- Les Luthiers

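Added example, not part of any message in this thread: a shell function that reads the counters named in the replies above (the nf_conntrack files first, then the ip_conntrack ones) and reports how full the table is, without walking the connection list. The function name, the proc-root argument and the 80% warning threshold are assumptions; nf_conntrack_max is the limit file that sits beside nf_conntrack_count.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the conntrack sysctl counters
# named in the replies and reports table utilisation.
#
# conntrack_usage [proc_root] [warn_pct]
#   proc_root  where /proc is mounted (assumed parameter, lets this run offline)
#   warn_pct   warning threshold in percent (assumed default: 80)
# Prints "count max percent".
# Returns 0 below the threshold, 1 at or above it, 2 if no counters were found.
conntrack_usage() {
    root="${1:-/proc}"
    warn_pct="${2:-80}"
    # Newer nf_conntrack location first, then the older ip_conntrack one.
    for prefix in sys/net/netfilter/nf sys/net/ipv4/netfilter/ip; do
        count_file="$root/${prefix}_conntrack_count"
        max_file="$root/${prefix}_conntrack_max"
        [ -r "$count_file" ] && [ -r "$max_file" ] || continue
        count=; max=
        read -r count < "$count_file" || :
        read -r max < "$max_file" || :
        # Skip this location if either value is empty or not a plain number.
        case "$count:$max" in
            :*|*:|*[!0-9:]*) continue ;;
        esac
        [ "$max" -gt 0 ] || continue
        pct=$(( count * 100 / max ))
        echo "$count $max $pct"
        [ "$pct" -lt "$warn_pct" ] && return 0
        return 1
    done
    return 2
}

# Check the live system only when invoked as: sh conntrack_usage.sh --check
if [ "${1:-}" = "--check" ]; then
    conntrack_usage /proc 80
    exit $?
fi
```

A return code of 2 means neither pair of files is present, which a monitoring job should treat as "no data" rather than "zero connections".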
