Re: ip_conntrack growing indefinitely

Hi there,

On Sat, 11 Aug 2007 fd4 wrote:

> > For now it has been patched setting ip_conntrack_max to 65536 but
> > connections still grow indefinitely (seems NAT never drops old
> > connections). Any idea of the reasons? Could be related with the
> > kernel version (2 years old) we're running?
>
> I've a similar phenomenon using kernel 2.6.18-4-vserver-686 :
> conntrack -L|wc -l
> 3340
> nearly all started at a similar time from two ports to random
>
> example iptstate:
> Source Destination   Proto  State       TTL
> 1.2.3.4:42573 1.2.3.4:842 tcp ESTABLISHED 10:44:43
> 1.2.3.4:42574 1.2.3.4:1501 tcp ESTABLISHED 10:43:51
> 1.2.3.4:42573 1.2.3.4:1392 tcp ESTABLISHED 10:43:20
>
> well :- on my wish list now something like that:
> conntrack -D -s 1.2.3.4 -d 1.2.3.4 -p tcp --orig-port-src 42573 --orig-port-dst *

I don't think it grows indefinitely.  The timeout is five days.

http://lists.netfilter.org/pipermail/netfilter-devel/2005-June/020081.html

--

73,
Ged.
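An added example, not part of the thread: a POSIX sh/awk script that reads `conntrack -L` output, tallies ESTABLISHED entries per original source port (the pattern in the iptstate listing above), counts entries still holding most of the five-day established timeout, and emits one `conntrack -D` per matching entry, which is the loop the wished-for `--orig-port-dst *` would replace. The sample lines are constructed in `conntrack -L` format using the thread's 1.2.3.4 addresses and ports; `established_by_sport`, `long_lived_established` and `delete_cmds_for_sport` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. Sample conntrack -L lines are constructed;
# field 3 is the remaining timeout in seconds (432000 s = the five-day
# established-TCP default), field 4 the state.
SAMPLE='tcp      6 431999 ESTABLISHED src=1.2.3.4 dst=1.2.3.4 sport=42573 dport=842 packets=3 bytes=180 src=1.2.3.4 dst=1.2.3.4 sport=842 dport=42573 packets=2 bytes=120 [ASSURED] mark=0 use=1
tcp      6 431940 ESTABLISHED src=1.2.3.4 dst=1.2.3.4 sport=42574 dport=1501 packets=3 bytes=180 src=1.2.3.4 dst=1.2.3.4 sport=1501 dport=42574 packets=2 bytes=120 [ASSURED] mark=0 use=1
tcp      6 431910 ESTABLISHED src=1.2.3.4 dst=1.2.3.4 sport=42573 dport=1392 packets=3 bytes=180 src=1.2.3.4 dst=1.2.3.4 sport=1392 dport=42573 packets=2 bytes=120 [ASSURED] mark=0 use=1
tcp      6 110 TIME_WAIT src=1.2.3.4 dst=5.6.7.8 sport=50000 dport=80 packets=5 bytes=400 src=5.6.7.8 dst=1.2.3.4 sport=80 dport=50000 packets=4 bytes=300 [ASSURED] mark=0 use=1'

# "count sport" for each original-direction source port with at least $1
# ESTABLISHED entries (default 1), most frequent first; reads conntrack -L on stdin.
established_by_sport() {
    awk -v min="${1:-1}" '
        $1 == "tcp" && $4 == "ESTABLISHED" {
            # the first sport= token belongs to the original direction
            for (i = 5; i <= NF; i++) if ($i ~ /^sport=/) { split($i, kv, "="); n[kv[2]]++; break }
        }
        END { for (p in n) if (n[p] >= min) print n[p], p }' | sort -rn
}

# Number of ESTABLISHED entries with more than $1 seconds of timeout left:
# these stay in the table until the peer closes them or they are deleted.
long_lived_established() {
    awk -v floor="$1" '$1 == "tcp" && $4 == "ESTABLISHED" && $3 > floor { c++ } END { print c + 0 }'
}

# One conntrack -D per ESTABLISHED entry with original source port $1: the loop
# that the wished-for "--orig-port-dst *" would replace. Prints only; pipe to sh to apply.
delete_cmds_for_sport() {
    awk -v want="$1" '
        $1 == "tcp" && $4 == "ESTABLISHED" {
            src = dst = sp = dp = ""
            for (i = 5; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "src" && src == "") src = kv[2]
                else if (kv[1] == "dst" && dst == "") dst = kv[2]
                else if (kv[1] == "sport" && sp == "") sp = kv[2]
                else if (kv[1] == "dport" && dp == "") dp = kv[2]
            }
            if (sp == want)
                printf "conntrack -D -p tcp -s %s -d %s --orig-port-src %s --orig-port-dst %s\n", src, dst, sp, dp
        }'
}

printf '%s\n' "$SAMPLE" | established_by_sport 2        # 2 42573
printf '%s\n' "$SAMPLE" | long_lived_established 400000 # 3
printf '%s\n' "$SAMPLE" | delete_cmds_for_sport 42573
```

On a live box, replace the `printf` of `$SAMPLE` with `conntrack -L 2>/dev/null` (or `cat /proc/net/ip_conntrack` on the older kernel, whose lines use the same key=value tokens but no leading state column order guarantee).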
