Re: [netfilter-core] iptables/conntrack in enterprise environment.

On Thu, May 29, 2003 at 01:13:47AM -0400, Preston A. Elder wrote:

> Hi,
> 
> I am in an enterprise environment and I'm having some problems with conntrack 
> specifically.

> They're running 2.4.20 kernels (mostly vanilla) with iptables 1.2.7a.

Do not use 2.4.20 if you want to use connection tracking.  2.4.20
connection tracking is totally broken due to a change introduced in the
core kernel.

Please do always use patch-o-matic from CVS.  The patch you want to
apply for fixing this bug is 10_confirm_fix.patch

Also, considering 

> echo 524280 >/proc/sys/net/ipv4/ip_conntrack_max

without using a larger hash size (modprobe ip_conntrack hashsize=foo,
where foo should be a prime number and in the range of 524280/2)

> to be re-directed to a local port, which is achieved with the command:
> /sbin/iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp -d <ip-range> 
> --destination-port 1024:65535 --to-destination <local_ip>:<local_port>
> 
> Every inbound connection incurs an entry in the connection tracking
> table.  It seems, however, that we may be overloading the conntrack
> system.  

I've seen systems with way more conntrack entries and higher bandwidth.
Using NAT however, might have a big performance impact.

> The conntrack table itself very quickly grows - but it does not clean itself 
> up when the connection itself disappears, instead it waits for some 
> pre-determined timeout value, 

With a non-broken kernel it is 2 minutes, that is TIME_WAIT of a TCP
socket.

> PreZ
> Systems Administrator
> Shadow Realm

-- 
- Harald Welte <laforge@xxxxxxxxxxxxx>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

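The following is an added example, not part of the thread above and not code from Harald Welte or the netfilter project. It turns two points of the reply into something you can run: pairing a raised ip_conntrack_max with a prime hashsize of roughly half that value (my reading of "in the range of 524280/2"; the helper names are my own), and counting how many tcp entries in the table are merely waiting out TIME_WAIT rather than tracking live connections. It assumes a 2.4-era ip_conntrack module that takes a hashsize module parameter and exports /proc/net/ip_conntrack and /proc/sys/net/ipv4/ip_conntrack_max; the table excerpt is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread): size the ip_conntrack hash table to
# go with a raised ip_conntrack_max, and inspect the table for entries that
# are only waiting out a timeout. Assumes a 2.4-era ip_conntrack module that
# takes a "hashsize" module parameter and exposes /proc/net/ip_conntrack and
# /proc/sys/net/ipv4/ip_conntrack_max; the helper names are mine.

# is_prime N: exit 0 if N is prime (trial division up to sqrt(N)).
is_prime() {
    n=$1
    [ "$n" -lt 2 ] && return 1
    [ "$n" -eq 2 ] && return 0
    [ $((n % 2)) -eq 0 ] && return 1
    d=3
    while [ $((d * d)) -le "$n" ]; do
        [ $((n % d)) -eq 0 ] && return 1
        d=$((d + 2))
    done
    return 0
}

# conntrack_hashsize MAX: print the smallest prime >= MAX/2, i.e. a hash
# size that keeps the average bucket chain around two entries at full load.
conntrack_hashsize() {
    h=$(( $1 / 2 ))
    while ! is_prime "$h"; do
        h=$((h + 1))
    done
    echo "$h"
}

# conntrack_sizing_commands MAX: print the two commands that belong together.
# hashsize is fixed when the module loads, so it comes first (rmmod
# ip_conntrack first if it is already loaded with the default size).
conntrack_sizing_commands() {
    max=$1
    printf 'modprobe ip_conntrack hashsize=%s\n' "$(conntrack_hashsize "$max")"
    printf 'echo %s > /proc/sys/net/ipv4/ip_conntrack_max\n' "$max"
}

# count_tcp_state STATE: count tcp entries in STATE, reading /proc/net/ip_conntrack
# text from stdin. Columns: proto protonum seconds-left [tcp state] src=... dst=...
count_tcp_state() {
    awk -v want="$1" '$1 == "tcp" && $4 == want { n++ } END { print n + 0 }'
}

# Constructed sample in the 2.4 /proc/net/ip_conntrack layout, not a real capture.
# The third column is the seconds left before the entry is dropped.
SAMPLE_CONNTRACK='tcp      6 117 TIME_WAIT src=192.0.2.10 dst=198.51.100.1 sport=40001 dport=80 src=198.51.100.1 dst=192.0.2.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.0.2.11 dst=198.51.100.1 sport=40002 dport=80 src=198.51.100.1 dst=192.0.2.11 sport=80 dport=40002 [ASSURED] use=1
tcp      6 44 TIME_WAIT src=192.0.2.12 dst=198.51.100.1 sport=40003 dport=8080 src=198.51.100.1 dst=192.0.2.12 sport=8080 dport=40003 [ASSURED] use=1
udp      17 29 src=192.0.2.13 dst=198.51.100.1 sport=5353 dport=53 src=198.51.100.1 dst=192.0.2.13 sport=53 dport=5353 use=1'

main() {
    conntrack_sizing_commands 524280
    printf 'TIME_WAIT entries in sample: %s\n' \
        "$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_tcp_state TIME_WAIT)"
    # On a live box: count_tcp_state TIME_WAIT < /proc/net/ip_conntrack
}
main "$@"
```

For the poster's ip_conntrack_max of 524280 this prints a hashsize of 262147. Run count_tcp_state against the real /proc/net/ip_conntrack while the load is on: if most tcp entries sit in TIME_WAIT with a countdown under 120 seconds, the table is behaving as the reply describes and the fix is capacity (ip_conntrack_max plus a matching hashsize), not a leak.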