On Thu, May 29, 2003 at 01:13:47AM -0400, Preston A. Elder wrote:
> Hi,
>
> I am in an enterprise environment and I'm having some problems with conntrack
> specifically.
> They're running 2.4.20 kernels (mostly vanilla) with iptables 1.2.7a.

Do not use 2.4.20 if you want to use connection tracking. 2.4.20 connection
tracking is totally broken due to a change introduced in the core kernel.

Please do always use patch-o-matic from CVS. The patch you want to apply for
fixing this bug is 10_confirm_fix.patch

Also, considering

> echo 524280 >/proc/sys/net/ipv4/ip_conntrack_max

without using a larger hash size (modprobe ip_conntrack hashsize=foo, where
foo should be a prime number and in the range of 524280/2)

> to be re-directed to a local port, which is achieved with the command:
> /sbin/iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp -d <ip-range>
> - --destination-port 1024:65535 --to-destination <local_ip>:<local_port>
>
> Every inbound connection incurs an entry in the connection tracking
> table. It seems, however, that we may be overloading the conntrack
> system.

I've seen systems with way more conntrack entries and higher bandwidth. Using
NAT however, might have a big performance impact.

> The conntrack table itself very quickly grows - but it does not clean itself
> up when the connection itself disappears, instead it waits for some
> pre-determined timeout value,

With a non-broken kernel it is 2 minutes, that is TIME_WAIT of a TCP socket.

> PreZ
> Systems Administrator
> Shadow Realm

--
- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on while
IP was being designed." -- Paul Vixie
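The hash-size rule Harald gives above (a prime around ip_conntrack_max/2), worked through as an added example that is not part of the thread: the script picks the largest prime not above max/2 by trial division and prints the matching modprobe and sysctl commands rather than running them. The 524280 value is the one quoted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Derives an ip_conntrack hashsize from a desired ip_conntrack_max:
# a prime number close to max/2, as recommended in the reply above.

# is_prime N: return 0 if N is prime, 1 otherwise (trial division,
# which is plenty for table sizes in the hundreds of thousands).
is_prime() {
    n=$1
    [ "$n" -lt 2 ] && return 1
    [ "$n" -eq 2 ] && return 0
    [ $((n % 2)) -eq 0 ] && return 1
    d=3
    while [ $((d * d)) -le "$n" ]; do
        [ $((n % d)) -eq 0 ] && return 1
        d=$((d + 2))
    done
    return 0
}

# conntrack_hashsize MAX: print the largest prime not above MAX/2.
conntrack_hashsize() {
    c=$(($1 / 2))
    while ! is_prime "$c"; do
        c=$((c - 1))
    done
    echo "$c"
}

# show_tuning MAX: print the two commands the reply pairs together.
# hashsize is a module parameter, so it has to be given at load time;
# ip_conntrack_max is set afterwards through /proc.
show_tuning() {
    max=$1
    hs=$(conntrack_hashsize "$max")
    echo "modprobe ip_conntrack hashsize=$hs"
    echo "echo $max > /proc/sys/net/ipv4/ip_conntrack_max"
}

# Constructed input: the ip_conntrack_max value quoted in the thread.
show_tuning 524280
```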