Hi all,
I'm a newbie to netfilter. I have a problem with it. I think it may have
some bugs.
A month ago my gateway, running linux2.4-7-10, could not forward any packets
because its conntrack table was full; it displayed "ip_conntrack: table full,
dropping packet." The memory of the gateway is 256M.
After that I did an experiment on it.
I set the variable hash_size to 20, so the variable ip_conntrack_max should
be 160.
I adjusted the TCP timeout for established connections to 1 hour, and decreased the
UDP timeout to 1/3 of its original value.
I stopped broadcast packets from leaving a track in the conntrack table by changing the
condition '#if 0' to '#if 1' at the head of the function ip_conntrack_in.
I print the value of ip_conntrack_count at the head of the function
init_conntrack.
After 2 days, the conntrack table was full, /var/log/messages showed that
ip_conntrack_count was 167, and /proc/net/ip_conntrack was empty.
Why?! Why is ip_conntrack_count bigger than ip_conntrack_max?
Why is /proc/net/ip_conntrack empty?
How can this occur?
Who can help me?
Thanks in advance!
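As an added example (not part of the original post), a small Python parser for the 2.4-style /proc/net/ip_conntrack lines that counts entries by protocol and state, counts how many are not yet ASSURED, and compares the total against ip_conntrack_max. The sample lines are constructed, and the hash_size*8 relation is the one the post's figures (20 -> 160) imply.

```python
"""Summarise a 2.4-era /proc/net/ip_conntrack listing against ip_conntrack_max."""

# Constructed sample in the 2.4 ip_conntrack text format (not real captures).
# TCP lines carry a state name after the timeout; UDP lines do not.
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 115 SYN_SENT src=192.0.2.11 dst=198.51.100.6 sport=40002 dport=443 [UNREPLIED] src=198.51.100.6 dst=192.0.2.11 sport=443 dport=40002 use=1
udp      17 28 src=192.0.2.12 dst=198.51.100.7 sport=5353 dport=53 src=198.51.100.7 dst=192.0.2.12 sport=53 dport=5353 use=1
udp      17 170 src=192.0.2.12 dst=198.51.100.7 sport=5354 dport=53 src=198.51.100.7 dst=192.0.2.12 sport=53 dport=5354 [ASSURED] use=1
"""


def default_max(hash_size):
    """ip_conntrack_max as the post's numbers imply it: eight entries per hash bucket."""
    return hash_size * 8


def parse_entry(line):
    """Return proto, remaining timeout, TCP state, ASSURED flag and the original-direction tuple."""
    fields = line.split()
    proto, timeout = fields[0], int(fields[2])
    state = fields[3] if proto == "tcp" else "-"
    orig = {}
    for field in fields:
        if "=" in field:
            key, value = field.split("=", 1)
            orig.setdefault(key, value)  # first occurrence is the original direction
    return {"proto": proto, "timeout": timeout, "state": state,
            "assured": "[ASSURED]" in fields, "src": orig["src"], "dst": orig["dst"]}


def summarize(text, conntrack_max):
    """Count entries per (proto, state), count unassured ones and compute the fill ratio.

    Unassured entries matter because they are the ones the kernel may drop early
    when the table fills; a table full of ASSURED entries cannot be relieved that way.
    """
    entries = [parse_entry(l) for l in text.splitlines() if l.strip()]
    by_key = {}
    unassured = 0
    for e in entries:
        key = (e["proto"], e["state"])
        by_key[key] = by_key.get(key, 0) + 1
        if not e["assured"]:
            unassured += 1
    return {"count": len(entries), "max": conntrack_max,
            "fill_ratio": len(entries) / conntrack_max,
            "unassured": unassured, "by_key": by_key}
```

Run it against the real file with `summarize(open("/proc/net/ip_conntrack").read(), int(open("/proc/sys/net/ipv4/ip_conntrack_max").read()))` to see which protocol or state is consuming the table before it fills.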