On Tue, 2003-01-14 at 13:12, Christian Hammers wrote:
> Hello
>
> I had ipt_conntrack.o loaded (see last mail) and then removed. But still
> my /proc/net/ip_conntrack got filled up.
> Then I did "echo '10000' > /proc/sys/net/ipv4/ip_conntrack_max" and it
> still raised.
> Now, after waiting 10min or so the values are slightly falling (I had
> fear that it crashed when reaching 0xffff)..
>
> Are the first two events signs for a bug or is it expected behaviour
> that somehow the conntrack code remains in the kernel even if the module
> has been removed?

You sure it's not due to a typo? It's ip_conntrack.o, not ipt_conntrack.
After an rmmod, what does lsmod say?

About the high number of tracked connections, are you talking about
/proc/net/ip_conntrack? Before thinking of a bug, you should get a clear
view of the type of traffic filling your connection tracking table.
Broadcasts? Are these primarily ESTABLISHED connections, or UNREPLIED
connections? Are Nimda-infected IIS boxes scanning the whole IPv4 address
range through your machine? It takes only a couple of infected machines
to generate a lot of traffic.

So, what's the nature of the entries in /proc/net/ip_conntrack?

Regards,
Filip
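The triage Filip asks for, as an added example that is not part of this thread: a small POSIX shell script that reads the 2.4-era /proc/net/ip_conntrack text format, separates entries that have seen a reply from those still tagged [UNREPLIED], and reports which original-direction source owns the most UNREPLIED entries. A single source with many UNREPLIED entries to successive destinations on dport=80 is the scanning pattern he describes; UDP entries to a .255 address are the broadcast case. The sample table in CONNTRACK_SAMPLE is constructed for this example (addresses and ports are made up), and the function names are mine; to run it against a live table, pass "$(cat /proc/net/ip_conntrack)" instead of the sample.

```shell
#!/bin/sh
# Summarise a /proc/net/ip_conntrack table (2.4 kernel text format).
# The sample below is constructed for illustration, not a real capture.
# Each line: proto protonum timeout [tcp-state] src= dst= sport= dport= [UNREPLIED]
#            reply-direction src= dst= sport= dport= [ASSURED] use=
CONNTRACK_SAMPLE=$(cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=34567 dport=80 src=10.0.0.5 dst=192.168.1.10 sport=80 dport=34567 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.168.1.77 dst=203.0.113.1 sport=4001 dport=80 [UNREPLIED] src=203.0.113.1 dst=192.168.1.77 sport=80 dport=4001 use=1
tcp      6 118 SYN_SENT src=192.168.1.77 dst=203.0.113.2 sport=4002 dport=80 [UNREPLIED] src=203.0.113.2 dst=192.168.1.77 sport=80 dport=4002 use=1
tcp      6 117 SYN_SENT src=192.168.1.77 dst=203.0.113.3 sport=4003 dport=80 [UNREPLIED] src=203.0.113.3 dst=192.168.1.77 sport=80 dport=4003 use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.255 sport=138 dport=138 [UNREPLIED] src=192.168.1.255 dst=192.168.1.20 sport=138 dport=138 use=1
udp      17 170 src=192.168.1.10 dst=10.0.0.53 sport=1025 dport=53 src=10.0.0.53 dst=192.168.1.10 sport=53 dport=1025 use=1
EOF
)

# Number of entries that have never seen a packet in the reply direction.
count_unreplied() {
    printf '%s\n' "$1" | grep -c '\[UNREPLIED\]'
}

# Number of entries that did see a reply (everything not tagged UNREPLIED).
count_replied() {
    printf '%s\n' "$1" | grep -vc '\[UNREPLIED\]'
}

# The original-direction source address with the most UNREPLIED entries,
# printed as "<count> <ip>". The first src= field on a line is the
# original direction; the second src= is the reply tuple, so stop at the first.
top_unreplied_src() {
    printf '%s\n' "$1" | awk '
        /\[UNREPLIED\]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break }
        }
        END {
            for (ip in n) if (n[ip] > best) { best = n[ip]; who = ip }
            if (who != "") print best, who
        }'
}

# One-shot report over a table passed as text.
summarise_conntrack() {
    echo "replied:   $(count_replied "$1")"
    echo "unreplied: $(count_unreplied "$1")"
    echo "top UNREPLIED source (count ip): $(top_unreplied_src "$1")"
}

summarise_conntrack "$CONNTRACK_SAMPLE"
```

On the sample this reports 2 replied entries, 4 UNREPLIED, and 192.168.1.77 as the top UNREPLIED source with 3 entries to consecutive hosts on port 80, exactly the shape of a scan passing through the box. Note that the [UNREPLIED] tag sits between the two tuples on the line, which is why the script stops at the first src= field rather than the last.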