RE: Ip_conntrack enhancement idea

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Eric,

Thanks, I've been trying to find out more information on NOTRACK -- do you know what kernel revision it came with?

Rich

-----Original Message-----
From: Eric Leblond [mailto:eric@xxxxxx] 
Sent: Tuesday, October 17, 2006 3:08 PM
To: Wilson, Richard E
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Ip_conntrack enhancement idea

Le mardi 17 octobre 2006 à 16:46 -0500, Wilson, Richard E a écrit :
> All,
> 
> I am having some issues with servers that run caching DNS and iptables
> -- the ip_conntrack table overflows resulting in dropped packets.  I am
> wondering what the value is in tracking connections whose source and
> destination are both 127.0.0.1 -- would it be possible to flag such
> packets so that no ip_conntrack table entry gets created for them at
> all?  For my servers this can represent a third of the total tracked
> connections (ip_conntrack_max is set at 65536 on systems with 2GB of
> RAM).

As I said in a previous mail you can really increase this value. The
default setting of conntrack size is computed to firewalling server and
it has to be increased to be used on server used as gateway. 

> 
> I know this can be addressed other ways -- I am working to get the
> server upgraded from its current kernel (2.4.21) to something newer so
> that I can change the default ip_conntrack timeout value (I don't really
> want to increase the ip_conntrack_max), but thought I should bring this
> up.  Perhaps in other situations it's desirable to track localhost
> connections, but I can't think of a good reason why.

You can use the NOTRACK target to do so.

BR,

> 
> Thanks,
> 
> Richard Wilson
> 
> richard dot wilson at eds dot com
> 
> 




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux