Hello

Try ip_conntrack-timeouts at
http://www.netfilter.org/documentation/pomlist/pom-extra.html

I've never tried it, but it may help you.

Nuno Fernandes

On Mon, 2003-04-28 at 14:00, gfzhang wrote:
> I'm using iptables as a NAT server for my university. My system is:
> 2 * Xeon 2.4 GHz
> 2 GB mem
>
> After some time, about a day, I found that there are logging
> messages on my screen like this:
> ip_conntrack: table full, dropping packet
> Tons of such messages, and none of the LAN users can get
> access to the internet.
>
> cat /proc/sys/net/ipv4/ip_conntrack_max
> 65536
>
> When I cat /proc/net/ip_conntrack I found
> a lot of dead transform items; the TIMEOUT is about 5 days.
> Obviously nobody is using my box, but such items will last
> for a long time before I reboot my box!
> How can I flush them?
>
> In ip_conntrack_proto.c
> I found the default timeout is 5 DAYS.
>
> I don't think it's necessary for me to maintain a transform
> for so long.
> Maybe I should change the default TIMEOUT to 1 DAY.
> Can anybody help me to deal with it?
>
> Thanks in advance.
>
>
-- 
Nuno Miguel Pais Fernandes <npf@xxxxxxxxxxx>
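The thread is about diagnosing a full conntrack table and entries that sit there for days. The script below is an added example, not code from the thread or from the netfilter project: it parses a conntrack table dump (the 2.4-era /proc/net/ip_conntrack format gfzhang is reading, and the newer /proc/net/nf_conntrack format, which prefixes each line with "ipv4 2" or "ipv6 10"), counts how many entries still have more than a day of timeout left, breaks them down by protocol and TCP state, and reports how full the table is against the configured maximum. The four table lines embedded in SAMPLE are constructed for the example, not captured data; the 65536 fallback maximum is the value from the thread and is replaced by the live sysctl when one is readable.

```shell
#!/bin/sh
# Added example, not code from the thread or from netfilter: summarise a
# conntrack table dump, count entries whose remaining timeout is unreasonably
# long, and report how full the table is. Reads the 2.4-era
# /proc/net/ip_conntrack format and the newer /proc/net/nf_conntrack format
# (same fields, prefixed with "ipv4 2" or "ipv6 10").

# Constructed sample in the 2.4 ip_conntrack format (not a real capture);
# two ESTABLISHED entries carry the multi-day timeout the thread complains about.
SAMPLE='tcp      6 431999 ESTABLISHED src=10.1.1.5 dst=203.0.113.10 sport=3344 dport=80 src=203.0.113.10 dst=198.51.100.1 sport=80 dport=3344 [ASSURED] use=1
tcp      6 119 TIME_WAIT src=10.1.1.6 dst=203.0.113.11 sport=4001 dport=443 src=203.0.113.11 dst=198.51.100.1 sport=443 dport=4001 [ASSURED] use=1
tcp      6 400000 ESTABLISHED src=10.1.1.7 dst=203.0.113.12 sport=4002 dport=22 src=203.0.113.12 dst=198.51.100.1 sport=22 dport=4002 [ASSURED] use=1
udp      17 29 src=10.1.1.8 dst=203.0.113.13 sport=5000 dport=53 src=203.0.113.13 dst=198.51.100.1 sport=53 dport=5000 use=1'

# Normalise a dump into "proto timeout state" lines; non-TCP entries have no state.
conntrack_entries() {  # $1 = path to table dump
    awk '{
        i = 1
        if ($1 == "ipv4" || $1 == "ipv6") i = 3   # skip the nf_conntrack prefix
        proto = $i; timeout = $(i + 2)
        state = (proto == "tcp") ? $(i + 3) : "-"
        print proto, timeout, state
    }' "$1"
}

# Number of entries whose remaining timeout exceeds $2 seconds.
count_stale() {  # $1 = dump file, $2 = threshold in seconds
    conntrack_entries "$1" | awk -v t="$2" '$2 > t { n++ } END { print n + 0 }'
}

# Per proto/state count of the stale entries, largest group first.
stale_summary() {  # $1 = dump file, $2 = threshold in seconds
    conntrack_entries "$1" | awk -v t="$2" '$2 > t { c[$1 " " $3]++ }
        END { for (k in c) print c[k], k }' | sort -rn
}

# Integer percentage of the table in use.
table_usage_pct() {  # $1 = entry count, $2 = conntrack max
    [ "$2" -gt 0 ] || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# Use the live table if this host exposes a readable one; otherwise the sample.
TABLE=/proc/net/ip_conntrack
[ -r "$TABLE" ] || TABLE=/proc/net/nf_conntrack
if [ ! -r "$TABLE" ]; then
    TABLE=$(mktemp)
    printf '%s\n' "$SAMPLE" > "$TABLE"
fi
MAX=65536   # value from the thread; overridden when a sysctl file is readable
for f in /proc/sys/net/ipv4/ip_conntrack_max /proc/sys/net/netfilter/nf_conntrack_max; do
    [ -r "$f" ] && MAX=$(cat "$f")
done

ENTRIES=$(conntrack_entries "$TABLE" | wc -l | tr -d ' ')
echo "entries: $ENTRIES of $MAX ($(table_usage_pct "$ENTRIES" "$MAX")% used)"
echo "entries with more than one day of timeout left: $(count_stale "$TABLE" 86400)"
stale_summary "$TABLE" 86400
```

Run it as root on the NAT box when the "table full" messages appear; the summary shows whether the table is held by ESTABLISHED entries sitting on the multi-day timeout (idle or dead connections that never saw a FIN or RST), which is the case the thread describes, or by genuine load that needs a larger ip_conntrack_max. On the 2.4 kernel in the thread the established timeout lives in the conntrack source, as gfzhang found, which is why the patch-o-matic ip_conntrack-timeouts patch Nuno points to exists. On a current kernel the same knobs are sysctls, net.netfilter.nf_conntrack_max and net.netfilter.nf_conntrack_tcp_timeout_established (whose default is still 432000 seconds, the same five days), and `conntrack -F` from conntrack-tools flushes live entries. Lowering the established timeout to a day is reasonable for a NAT box, but anything idle for longer than the new value, such as a quiet SSH session, will lose its mapping and stall until reconnected.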