On 10/02/2012 08:58, Jean-Philippe Menil wrote:
On 10/02/2012 08:54, Eric Dumazet wrote:
On Friday 10 February 2012 at 08:44 +0100, Jean-Philippe Menil wrote:
No, the NetlinkEventsReliable is commented in the configuration file.
However, on the same hosts, I see strange things:
this host boots with the following parameters:
net.netfilter.nf_conntrack_max=262144
net.netfilter.nf_conntrack_tcp_timeout_established=10800
nf_conntrack is loaded with the following parameter:
options nf_conntrack hashsize=262144
But it seems that nf_conntrack_max resets to its default value
(65536) periodically.
Three days ago, I manually increased nf_conntrack_max to 262144;
yesterday I saw plenty of "nf_conntrack: table full, dropping packet".
Checking the value, it had fallen to 65536.
It's maybe not related, but I can't understand how the value can
change?
65536 is the default value when the module is loaded.
Something unloads it and loads it again, and sysctl is not run after
this module load.
Yes, that's what I'm thinking.
And I found the culprit:
my lxc guest starts with the default value (65536), and it seems to
reset the value on the hosts ...
Dropping the capabilities in the container isn't sufficient.
I need to mount the /proc as read-only ...
--
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@xxxxxxxxxxxxxx
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09
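The drift described in this thread (a container writing the default 65536 back into the host's shared nf_conntrack_max) is easy to catch with a small host-side check. The script below is an added example, not code from the thread or from netfilter; it assumes a sysctl.conf-style file holding the intended value and takes the /proc path as a parameter so it can be exercised against constructed files.

```shell
#!/bin/sh
# Added example: detect and repair drift of net.netfilter.nf_conntrack_max.
# The live path is a parameter (default below) so the functions can be run
# against constructed files as well as the real /proc entry.
CONNTRACK_MAX_PROC="${CONNTRACK_MAX_PROC:-/proc/sys/net/netfilter/nf_conntrack_max}"

# expected_conntrack_max SYSCTL_FILE
# Prints the configured net.netfilter.nf_conntrack_max (last occurrence wins,
# as with sysctl -p); prints nothing if the key is absent.
expected_conntrack_max() {
    sed -n 's/^[[:space:]]*net\.netfilter\.nf_conntrack_max[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" \
        | tail -n 1
}

# conntrack_max_drifted SYSCTL_FILE PROC_FILE
# Succeeds (returns 0) when the live value differs from the configured one,
# e.g. after a container or module reload has pushed it back to 65536.
conntrack_max_drifted() {
    expected=$(expected_conntrack_max "$1")
    live=$(cat "$2" 2>/dev/null)
    [ -n "$expected" ] && [ "$live" != "$expected" ]
}

# reapply_conntrack_max SYSCTL_FILE PROC_FILE
# Writes the configured value back, which is what a periodic "sysctl -p"
# would do; fails if no value is configured.
reapply_conntrack_max() {
    expected=$(expected_conntrack_max "$1")
    [ -n "$expected" ] || return 1
    printf '%s\n' "$expected" > "$2"
}

# table_full_count LOGFILE
# Counts the kernel messages that accompany the drift, as seen in the thread.
table_full_count() {
    grep -c 'nf_conntrack: table full, dropping packet' "$1" || true
}
```

On a real host, call `conntrack_max_drifted /etc/sysctl.conf "$CONNTRACK_MAX_PROC"` from cron and log or reapply on drift; mounting /proc read-only in the guest, as the author does, removes the cause rather than the symptom.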