Hi,

I have a strange problem with nf_conntrack:

If I generate a small number of TCP sessions (e.g. 10 sessions), then after closing these sessions (on the client side, by closing the application) the output from wc /proc/net/ip_conntrack and cat /proc/sys/net/nf_conntrack_count is the same, so I can see the same number of sessions tracked by nf_conntrack.

But when testing the system with e.g. 100 new TCP sessions/sec (terminated to the same server), after closing the sessions the output from wc /proc/net/ip_conntrack is correct (near 0), but all these sessions seem to stay in cat /proc/sys/net/nf_conntrack_count. After exceeding the condition nf_conntrack_count < nf_conntrack_max, of course I am getting "table full, dropping packet" info in the log.

One workaround is to set the max value to a very huge number, e.g. 1000000000, but after some time I will eventually get the same problem and a reboot will be required.

So, if any of the experts here knows anything about the cause of this problem I will be very grateful.

Thanks for any support,
m
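
Added example, not part of the original post: a shell check for the symptom described above, comparing the number of entries in the conntrack listing with the kernel's entry counter and the configured maximum. The function names, the tolerance of 16 entries, the 90% near-full threshold and the sample files are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: measure the gap between listed conntrack entries and the counter.

# tcp_states LIST_FILE -> one "STATE COUNT" line per TCP state, sorted by state.
tcp_states() {
    awk '$1 == "tcp" { c[$4]++ } END { for (s in c) print s, c[s] }' "$1" | sort
}

# conntrack_drift LIST_FILE COUNT_FILE MAX_FILE [TOLERANCE]
# Prints listed entries, counter, max, their difference and a status word.
conntrack_drift() {
    listed=$(awk 'NF { n++ } END { print n + 0 }' "$1")   # one flow per line
    counter=$(tr -d '[:space:]' < "$2")
    max=$(tr -d '[:space:]' < "$3")
    tolerance=${4:-16}   # assumed slack: flows come and go between the reads
    drift=$((counter - listed))
    status=ok
    if [ "$drift" -gt "$tolerance" ]; then status=drift; fi
    # Assumed threshold: warn once the counter reaches 90% of the maximum.
    if [ $((counter * 10)) -ge $((max * 9)) ]; then status=near-full; fi
    echo "listed=$listed counter=$counter max=$max drift=$drift status=$status"
}

# Constructed sample data (documentation addresses), standing in for /proc files.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/list" <<'EOF'
tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40001 [ASSURED] mark=0 use=2
tcp      6 110 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=40002 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40002 [ASSURED] mark=0 use=2
tcp      6 105 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=40003 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40003 [ASSURED] mark=0 use=2
udp      17 25 src=192.0.2.10 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=5353 mark=0 use=2
EOF
echo 5900 > "$demo_dir/count"    # counter far above the four listed flows
echo 65536 > "$demo_dir/max"

conntrack_drift "$demo_dir/list" "$demo_dir/count" "$demo_dir/max"
tcp_states "$demo_dir/list"
```

On a live system, pass the listing and counter files named in the post and the file holding nf_conntrack_max; sampling the result at intervals while the test load runs shows whether the gap keeps growing after the sessions close.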