All,

I am having some issues with servers that run caching DNS and iptables -- the ip_conntrack table overflows, resulting in dropped packets.

I am wondering what the value is in tracking connections whose source and destination are both 127.0.0.1 -- would it be possible to flag such packets so that no ip_conntrack table entry gets created for them at all? For my servers this can represent a third of the total tracked connections (ip_conntrack_max is set at 65536 on systems with 2GB of RAM).

I know this can be addressed other ways -- I am working to get the server upgraded from its current kernel (2.4.21) to something newer so that I can change the default ip_conntrack timeout value (I don't really want to increase the ip_conntrack_max), but thought I should bring this up. Perhaps in other situations it's desirable to track localhost connections, but I can't think of a good reason why.

Thanks,
Richard Wilson
richard dot wilson at eds dot com
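The following is an added example, not part of the message above: a way to measure how much of the conntrack table is taken up by entries whose original source and destination are both 127.0.0.1. It assumes the `/proc/net/ip_conntrack` line format of 2.4-series kernels; the sample lines and the function names are constructed for illustration.

```python
import os
import re
from collections import Counter

LOOPBACK = "127.0.0.1"             # the address named in the post
PROC_PATH = "/proc/net/ip_conntrack"
ADDR = re.compile(r"\b(src|dst)=(\S+)")

# Constructed sample lines (documentation addresses), used when PROC_PATH is absent.
SAMPLE = """\
udp      17 12 src=127.0.0.1 dst=127.0.0.1 sport=32770 dport=53 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=32770 use=1
udp      17 25 src=127.0.0.1 dst=127.0.0.1 sport=32771 dport=53 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=32771 use=1
udp      17 170 src=192.0.2.10 dst=198.51.100.53 sport=32772 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=32772 [ASSURED] use=1
tcp      6 431990 ESTABLISHED src=192.0.2.44 dst=192.0.2.10 sport=40112 dport=22 src=192.0.2.10 dst=192.0.2.44 sport=22 dport=40112 [ASSURED] use=1
tcp      6 98 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=40200 dport=953 src=127.0.0.1 dst=127.0.0.1 sport=953 dport=40200 [ASSURED] use=1
truncated line without tuples
"""

def parse_entry(line):
    """Return (proto, orig_src, orig_dst), or None if the line does not parse."""
    fields = line.split()
    pairs = ADDR.findall(line)      # first src/dst pair is the original direction
    if len(fields) < 3 or len(pairs) < 2:
        return None
    if pairs[0][0] != "src" or pairs[1][0] != "dst":
        return None
    return fields[0], pairs[0][1], pairs[1][1]

def summarize(lines, conntrack_max=65536):
    """Count tracked entries and the share that is loopback-to-loopback."""
    total, skipped, loop = 0, 0, Counter()
    for line in lines:
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is None:
            skipped += 1            # malformed or truncated line
            continue
        total += 1
        proto, src, dst = entry
        if src == LOOPBACK and dst == LOOPBACK:
            loop[proto] += 1
    n = sum(loop.values())
    return {"total": total, "loopback": n, "loopback_by_proto": dict(loop),
            "loopback_share": n / total if total else 0.0,
            "table_fill": total / conntrack_max, "skipped": skipped}

if __name__ == "__main__":
    if os.path.exists(PROC_PATH):
        with open(PROC_PATH) as f:
            print(summarize(f))
    else:
        print(summarize(SAMPLE.splitlines()))
```

Comparing `loopback_share` and `table_fill` over time shows whether localhost traffic is what pushes the table toward `ip_conntrack_max`.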