> For now it has been patched setting ip_conntrack_max to 65536 but
> connections still grow indefinitely (seems NAT never drops old
> connections). Any idea of the reasons? Could be related with the kernel
> version (2 years old) we're running?

I've a similar phenomenon using kernel 2.6.18-4-vserver-686 :

conntrack -L|wc -l
3340

nearly all started at a similar time from two ports to random

example iptstate:

Source              Destination         Proto  State        TTL
1.2.3.4:42573       1.2.3.4:842         tcp    ESTABLISHED  10:44:43
1.2.3.4:42574       1.2.3.4:1501        tcp    ESTABLISHED  10:43:51
1.2.3.4:42573       1.2.3.4:1392        tcp    ESTABLISHED  10:43:20

well :- on my wish list now something like that:

conntrack -D -s 1.2.3.4 -d 1.2.3.4 -p tcp --orig-port-src 42573 --orig-port-dst *
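The wildcard destination port the post wishes for can be emulated from userspace by parsing the `conntrack -L` listing and emitting one fully specified `conntrack -D` per matching entry. This is an added example, not code from the original message or from conntrack-tools; the listing it parses is a constructed sample in the conntrack-tools text format, and the field layout (first `src=/dst=/sport=/dport=` group is the original direction) is assumed from that format.

```python
import re

# Constructed sample of `conntrack -L` output (not from the original post).
# One flow per line; the first src=/dst=/sport=/dport= group is the
# original direction, the second the reply direction.
SAMPLE_CONNTRACK_LIST = """\
tcp      6 431999 ESTABLISHED src=1.2.3.4 dst=1.2.3.4 sport=42573 dport=842 packets=3 bytes=180 src=1.2.3.4 dst=1.2.3.4 sport=842 dport=42573 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=1.2.3.4 dst=1.2.3.4 sport=42574 dport=1501 packets=3 bytes=180 src=1.2.3.4 dst=1.2.3.4 sport=1501 dport=42574 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=1.2.3.4 dst=1.2.3.4 sport=42573 dport=1392 packets=3 bytes=180 src=1.2.3.4 dst=1.2.3.4 sport=1392 dport=42573 [ASSURED] mark=0 use=1
udp     17 29 src=10.0.0.5 dst=10.0.0.9 sport=42573 dport=53 packets=1 bytes=60 src=10.0.0.9 dst=10.0.0.5 sport=53 dport=42573 mark=0 use=1
"""

# Protocol name, protocol number, then (optionally) timeout/state, then the
# original-direction tuple. Non-greedy .*? stops at the first src= group.
_ORIG_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+.*?src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def select_flows(listing, src, dst, proto, orig_sport):
    """Return the original-direction tuples of every flow whose source,
    destination, protocol and original source port match, for any
    original destination port (the '*' the post asks for)."""
    flows = []
    for line in listing.splitlines():
        m = _ORIG_RE.match(line)
        if not m:
            continue  # skip blank or unexpected lines
        if (m["proto"] == proto and m["src"] == src and m["dst"] == dst
                and int(m["sport"]) == orig_sport):
            flows.append({"proto": proto, "src": src, "dst": dst,
                          "sport": orig_sport, "dport": int(m["dport"])})
    return flows


def delete_commands(flows):
    """Build one fully specified `conntrack -D` per matched flow, using the
    same options as the command line in the post."""
    return [
        f"conntrack -D -s {f['src']} -d {f['dst']} -p {f['proto']} "
        f"--orig-port-src {f['sport']} --orig-port-dst {f['dport']}"
        for f in flows
    ]


if __name__ == "__main__":
    matched = select_flows(SAMPLE_CONNTRACK_LIST, "1.2.3.4", "1.2.3.4", "tcp", 42573)
    for cmd in delete_commands(matched):
        print(cmd)  # review before running; pipe to sh to apply
```

Run it against a live table with `conntrack -L | python3 this_script.py`-style input instead of the sample, and inspect the generated commands before executing them.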