On Friday 23 February 2007 16:28, Sébastien CRAMATTE wrote:
> Hello
>
> I've set up a bridge with l7-filter and ipp2p. We have every day + or
> - between 10 Mbits and 30 Mbits P2P traffic from + or - 450 customers.
> When traffic increases, I've got this kind of error message:
>
> Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed.
> Feb 23 14:26:19 gestor1 kernel: ip_conntrack: table full, dropping packet.
>
> The server is Celeron Pentium 4 based, 3 GHz + 512 MB RAM.
> Could anyone suggest to me what the best values are for
>
> net.ipv4.netfilter.ip_conntrack_max
> net.ipv4.netfilter.ip_conntrack_tcp_timeout_established

Leave the timeouts as is, and focus on the conntrack_max. The lnstat command is your friend; it will help to find the magic numbers:

lnstat -f ip_conntrack -i 1 -c 1

This will tell you the number of entries used in real time, so you can put a very large value in ip_conntrack_max and monitor with lnstat and crontab like this:

*/5 * * * * root date >> /var/log/conntrack_watchdog.log; lnstat -f ip_conntrack -i 1 -c 1 >> /var/log/conntrack_watchdog.log

After a couple of days you are ready to put the perfect number for your personal environment. Each conntrack entry is about 350 bytes of non-swappable kernel memory, so you can do your maths to know how much RAM is consumed.

> Might be I can tune other kernel values?

Yes, in large setups it is recommended to change the conntrack hash table size:

modprobe ip_conntrack hashsize=xxx

to avoid having a large amount of entries in the same bucket; this can have performance issues. You can check your actual hash table size by looking at dmesg.

--
Luciano
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
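The recipe in Luciano's reply (log lnstat from cron for a few days, read off the peak, multiply by roughly 350 bytes per entry, then pick a hash size) as a small script. This is an added example and is not code from the thread or from the lnstat/netfilter projects. It assumes the 350-byte figure quoted above, a watchdog log written by the crontab line above, and a chosen entries-per-bucket ratio for the hash table (the "8" used in the stand-alone run is an assumption, not something the post specifies). The sample log is constructed; its columns imitate the layout of `lnstat -f ip_conntrack -i 1 -c 1` and the numbers are made up.

```shell
#!/bin/sh
# Added example (not from the LARTC post): size ip_conntrack_max and the
# conntrack hashsize from the peak seen in /var/log/conntrack_watchdog.log.

BYTES_PER_ENTRY=350   # per-entry figure quoted in the post; check it on your kernel

# Constructed sample of the watchdog log: a date line followed by lnstat output,
# as the crontab line in the post produces. Column layout imitates lnstat; values are made up.
SAMPLE_LOG=$(cat <<'EOF'
Sat Feb 24 14:05:01 CET 2007
ip_conntrack|ip_conntrack|ip_conntrack|ip_conntrack
    entries| searched|    found|      new
      31220|   920011|   905330|    11893
Sat Feb 24 14:10:01 CET 2007
ip_conntrack|ip_conntrack|ip_conntrack|ip_conntrack
    entries| searched|    found|      new
      42871|  1133021|  1120977|    14007
Sat Feb 24 14:15:01 CET 2007
ip_conntrack|ip_conntrack|ip_conntrack|ip_conntrack
    entries| searched|    found|      new
      38014|  1089455|  1077002|    13211
EOF
)

# peak_entries [logfile...]: highest 'entries' value in the log (stdin if no file given).
# Only rows whose first '|'-separated field is a plain integer are data rows;
# date lines and lnstat headers are skipped.
peak_entries() {
    awk -F'|' '
        { v = $1; gsub(/ /, "", v) }
        v ~ /^[0-9]+$/ && v + 0 > max { max = v + 0 }
        END { print max + 0 }
    ' "$@"
}

# conntrack_kb <entries>: non-swappable kernel memory (KiB) for that many entries.
conntrack_kb() {
    echo $(( $1 * BYTES_PER_ENTRY / 1024 ))
}

# recommend_max <peak> <headroom_pct>: peak plus headroom, rounded up.
recommend_max() {
    echo $(( ($1 * (100 + $2) + 99) / 100 ))
}

# recommend_hashsize <conntrack_max> <entries_per_bucket>: bucket count so that a
# full table averages <entries_per_bucket> per bucket, rounded up to a power of two.
# The ratio is the caller's assumption; a smaller ratio means shorter bucket chains.
recommend_hashsize() {
    want=$(( ($1 + $2 - 1) / $2 ))
    h=1
    while [ "$h" -lt "$want" ]; do h=$(( h * 2 )); done
    echo "$h"
}

# fits_budget <conntrack_max> <budget_kb>: succeed if the full table fits the RAM budget.
fits_budget() {
    [ "$(conntrack_kb "$1")" -le "$2" ]
}

# Stand-alone run against the constructed log. For a real box use:
#   peak=$(peak_entries /var/log/conntrack_watchdog.log)
peak=$(printf '%s\n' "$SAMPLE_LOG" | peak_entries)
rec=$(recommend_max "$peak" 50)
echo "peak entries: $peak ($(conntrack_kb "$peak") KiB)"
echo "suggested ip_conntrack_max: $rec ($(conntrack_kb "$rec") KiB)"
echo "suggested hashsize at 8 entries/bucket: $(recommend_hashsize "$rec" 8)"
if fits_budget "$rec" 65536; then
    echo "fits in a 64 MiB conntrack budget"
else
    echo "exceeds a 64 MiB conntrack budget; lower the headroom or add RAM"
fi
```

The headroom percentage and the budget are knobs to set per box: on the 512 MB machine in the thread, a table that is full at 64k entries still costs only a little over 20 MiB, so the "very large value" approach Luciano suggests is cheap; the hash size matters more, since a large table over a small number of buckets turns every lookup into a long chain walk.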