But still, the /proc/net/ip_conntrack should contain all connections tracked by that firewall (i.e., passing through the firewall), am I right?

On Sat, 25 Sep 2004 00:34:58 +0200, Michal Ludvig <mludvig@xxxxxxx> wrote:
> Hi all,
>
> could someone please explain to me what is the relation between the number
> in /proc/sys/net/ipv4/ip_conntrack_max and the number of lines in
> /proc/net/ip_conntrack?
>
> On one of our very loaded firewalls (with 1GB RAM) we are still getting
> the "ip_conntrack: table full, dropping packet." message. We tried to tweak
> all the different parameters, e.g. hashsize up to 1048576,
> ip_conntrack_max, ip_conntrack_tcp_timeout_established, etc.
> Unfortunately sooner or later the kernel always starts dropping packets.
> At the same time, however, there are at most a few thousand lines in
> /proc/net/ip_conntrack.
>
> I instrumented the kernel to dump the same output via printk() once
> ip_conntrack_count reaches ip_conntrack_max. When I set _max=128 and run
> nmap through the firewall it of course very soon prints the "dropping
> packets" message, but along with only 6 (=six!) lines of connections.
> Where was the rest, 122 connections, lost? What does
> ip_conntrack_count actually count?
>
> Thanks in advance!
>
> Michal Ludvig
> --
> SUSE Labs mludvig@xxxxxxx
> (+420) 296.545.373 http://www.suse.cz
> Personal homepage http://www.logix.cz/michal

--
Mohamed Eldesoky
www.eldesoky.net
RHCE
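As an added example (not from the thread), a small POSIX shell script that compares a conntrack table dump in the /proc/net/ip_conntrack line format against ip_conntrack_max and breaks out TCP states and [UNREPLIED] entries, which is the first thing to look at when the table fills during a scan. The sample lines, the function names and the warning threshold are my own constructions; on a real firewall point it at /proc/net/ip_conntrack and /proc/sys/net/ipv4/ip_conntrack_max.

```shell
#!/bin/sh
# Summarise a conntrack table dump against ip_conntrack_max.
# Constructed sample in the /proc/net/ip_conntrack line format (2.4/2.6 era):
#   proto protonum timeout [tcp-state] orig-tuple [UNREPLIED] reply-tuple [ASSURED] use=N
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40000 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=22 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=22 dport=40001 use=1
tcp      6 118 SYN_SENT src=192.0.2.10 dst=198.51.100.5 sport=40002 dport=23 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=23 dport=40002 use=1
tcp      6 117 TIME_WAIT src=192.0.2.12 dst=198.51.100.5 sport=40003 dport=443 src=198.51.100.5 dst=192.0.2.12 sport=443 dport=40003 [ASSURED] use=1
udp      17 29 src=192.0.2.11 dst=198.51.100.53 sport=5353 dport=53 [UNREPLIED] src=198.51.100.53 dst=192.0.2.11 sport=53 dport=5353 use=1
EOF

# Number of entries currently listed (one line per tracked connection).
conntrack_entries() { awk 'END { print NR }' "$1"; }

# Entries that never saw a reply packet, typical of scans and half-open connections.
conntrack_unreplied() { awk '/\[UNREPLIED\]/ { n++ } END { print n + 0 }' "$1"; }

# Count of TCP entries in a given state (ESTABLISHED, SYN_SENT, TIME_WAIT, ...).
conntrack_state_count() {
    awk -v s="$2" '$1 == "tcp" && $4 == s { n++ } END { print n + 0 }' "$1"
}

# Integer percentage of the table in use relative to ip_conntrack_max.
conntrack_usage_pct() { awk -v max="$2" 'END { printf "%d\n", NR * 100 / max }' "$1"; }

# Print a one-line verdict; returns 1 when usage is at or above the threshold.
conntrack_check() {
    entries=$(conntrack_entries "$1")
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo "WARN: $entries of $2 entries in use ($pct%), $(conntrack_unreplied "$1") unreplied, $(conntrack_state_count "$1" SYN_SENT) SYN_SENT"
        return 1
    fi
    echo "OK: $entries of $2 entries in use ($pct%)"
}

# Demonstrate against the constructed sample with a deliberately small max.
conntrack_check "$SAMPLE" 6 80 || true
```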