> I've set up a bridge with l7-filter and ipp2p. We have every day + or
> - between 10Mbits and 30 Mbits P2P traffic from + or - 450 customers.
> When traffic increases, I've got this kind of error message:
>
> Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed.
> Feb 23 14:26:19 gestor1 kernel: ip_conntrack: table full, dropping packet.

Not necessarily the answer you were looking for, but this is what
connlimit was written for. Connlimit will limit the number of parallel
TCP connections per host. Do something like:

iptables -t mangle -A PREROUTING -p tcp -i eth0 --dport 1024: \
    -m connlimit --connlimit-above 30 -j DROP

connlimit is not in the vanilla kernel at the minute; you need to patch
with pom. You can download pom from
http://ipset.netfilter.org/install.html, but you may need to patch pom
first! See
http://lists.netfilter.org/pipermail/netfilter-devel/2006-July/025090.html

Andy Beverley
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
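
Added example, not part of the original post: before enforcing the connlimit rule above, the conntrack table can be summarised per source host to see which customers would exceed the threshold. The function name hosts_over_limit and the sample entries are constructed for illustration; the count only approximates what connlimit would see (tracked TCP entries with an original-direction dport of 1024 or higher).

```shell
#!/bin/sh
# hosts_over_limit LIMIT
# Reads conntrack entries in the /proc/net/ip_conntrack text format on stdin
# and prints "count source-ip" for every source holding more than LIMIT
# tracked TCP connections to destination ports >= 1024 (the range matched by
# the --dport 1024: rule in the message above).
hosts_over_limit() {
    awk -v limit="$1" '
        $1 == "tcp" {
            src = ""; dport = ""
            # Each entry carries two tuples; the first src=/dport= pair is
            # the original direction, the second is the reply direction.
            for (i = 1; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/)     src = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            if (src != "" && dport + 0 >= 1024) count[src]++
        }
        END {
            for (s in count) if (count[s] > limit) print count[s], s
        }
    ' | sort -rn
}

# Constructed sample entries (illustrative only, not taken from the thread).
sample_conntrack() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=40001 dport=6881 src=198.51.100.7 dst=10.0.0.5 sport=6881 dport=40001 [ASSURED] use=1
tcp      6 431990 ESTABLISHED src=10.0.0.5 dst=198.51.100.8 sport=40002 dport=4662 src=198.51.100.8 dst=10.0.0.5 sport=4662 dport=40002 [ASSURED] use=1
tcp      6 110 TIME_WAIT src=10.0.0.5 dst=198.51.100.9 sport=40003 dport=6346 src=198.51.100.9 dst=10.0.0.5 sport=6346 dport=40003 [ASSURED] use=1
tcp      6 431800 ESTABLISHED src=10.0.0.5 dst=203.0.113.1 sport=40004 dport=80 src=203.0.113.1 dst=10.0.0.5 sport=80 dport=40004 [ASSURED] use=1
tcp      6 431700 ESTABLISHED src=10.0.0.9 dst=198.51.100.7 sport=50001 dport=6881 src=198.51.100.7 dst=10.0.0.9 sport=6881 dport=50001 [ASSURED] use=1
udp      17 25 src=10.0.0.9 dst=203.0.113.53 sport=33000 dport=5353 src=203.0.113.53 dst=10.0.0.9 sport=5353 dport=33000 use=1
EOF
}

# Demo on the sample with a low limit of 2. On a live bridge with the
# ip_conntrack module loaded (assumption), run as root:
#   hosts_over_limit 30 < /proc/net/ip_conntrack
sample_conntrack | hosts_over_limit 2
```

Hosts listed with the limit set to 30 are the ones whose new connections the DROP rule would start rejecting.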