On Fri, 30 Sep 2005, Fabien Germain wrote:
> You can set an higher value in /proc/sys/net/ipv4/ip_conntrack_max.
you really SHOULD set the size by increasing the hash table size to
conntrack. Increasing ip_conntrack_max should only be seen as a quick
patch until you can reload the module with a larger hash table.
Performance will suffer noticeably until the hash size is increased.
> And to check the number of current tracked connections : cat /proc/net/ip_conntrack | wc -l
Much better to get this value from the slab cache
awk '/^ip_conntrack / {print $2}' /proc/slabinfo
Reading /proc/net/ip_conntrack as suggested above can easily kill the
performance of your firewall if done frequently, and in addition may give
slightly misleading results as the data is being changed while it is being
read, not to mention that reading /proc/net/ip_conntrack is very slow when
the traffic and number of entries are high.
Regards
Henrik
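The checks discussed in this thread, worked into a small POSIX sh script. This is an added example, not code from the thread or from the netfilter project: it applies Henrik's awk one-liner to a constructed /proc/slabinfo excerpt (embedded below so it runs without root), compares the active entry count against ip_conntrack_max, and suggests a hash table size for the module reload. The 80% warning threshold and the "about eight entries per hash bucket" sizing rule are assumptions made for this example, not figures from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): parse /proc/slabinfo the way the
# thread's awk one-liner does and judge how full the conntrack table is.

# Constructed sample in /proc/slabinfo 2.x format (not a real capture):
# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> ...
SAMPLE_SLABINFO='slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
ip_conntrack_expect      0      0    128   30    1 : tunables  120   60    8 : slabdata      0      0      0
ip_conntrack          58912  59040    304   13    1 : tunables   54   27    8 : slabdata   4542   4542      0
dentry_cache          12345  13000    144   27    1 : tunables  120   60    8 : slabdata    481    481      0'

# conntrack_active SLABINFO_TEXT -> active ip_conntrack objects.
# Same awk expression as in the thread; the trailing space in the pattern
# keeps ip_conntrack_expect from matching.
conntrack_active() {
    printf '%s\n' "$1" | awk '/^ip_conntrack / {print $2}'
}

# conntrack_usage_pct ACTIVE MAX -> integer percent of the table in use
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status ACTIVE MAX -> "full" at/above max, "warn" at/above 80%
# (assumed threshold), otherwise "ok"
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$1" -ge "$2" ]; then
        echo full
    elif [ "$pct" -ge 80 ]; then
        echo warn
    else
        echo ok
    fi
}

# recommended_hashsize MAX -> number of hash buckets so that the average
# chain length stays around 8 entries (MAX / 8), rounded up to a power of
# two.  The 1:8 ratio is an assumption for this example.
recommended_hashsize() {
    want=$(( $1 / 8 ))
    size=1
    while [ "$size" -lt "$want" ]; do
        size=$(( size * 2 ))
    done
    echo "$size"
}

# Live use on a 2.6 kernel with ip_conntrack loaded (needs root):
#   active=$(conntrack_active "$(cat /proc/slabinfo)")
#   max=$(cat /proc/sys/net/ipv4/ip_conntrack_max)
# Here the constructed sample stands in for both.
active=$(conntrack_active "$SAMPLE_SLABINFO")
max=65536
echo "sample: $active/$max entries, $(conntrack_usage_pct "$active" "$max")% used, status $(conntrack_status "$active" "$max")"
echo "suggested hashsize for ip_conntrack_max=$max: $(recommended_hashsize "$max")"
```

The slabinfo read is cheap and does not walk the table, which is the point Henrik makes against counting lines in /proc/net/ip_conntrack. The suggested hashsize is what you would pass when reloading the module with a larger hash table, as the thread recommends; raising ip_conntrack_max on its own only delays the problem while the hash chains keep growing.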