Hi,

Could you please specify your kernel version?

BR,

On Thursday, 27 August 2009 at 13:13 +0200, Michał Sewera wrote:
> Hi,
>
> I have a strange problem with nf_conntrack:
>
> If I try to generate a small number of TCP sessions (e.g. 10
> sessions), then after closing these sessions (on the client side, by
> closing the application) the output from:
> wc /proc/net/ip_conntrack
> and
> cat /proc/sys/net/nf_conntrack_count
>
> is the same -> so I can see the same number of sessions tracked by nf_conntrack.
>
>
> But during testing of the system with e.g. 100 new TCP sessions/sec
> (terminated to the same server), after closing the sessions the output
> from wc /proc/net/ip_conntrack is correct (near 0), but all these
> sessions seem to stay in cat /proc/sys/net/nf_conntrack_count.
>
> After exceeding the condition nf_conntrack_count < nf_conntrack_max,
> of course I am getting "table full, dropping packet" info in the log.
>
> Some workaround is to set the max value to a very huge number, e.g.
> 1000000000, but after some time I will eventually get the same
> problem and a reboot will be required.
>
> So, if any of the experts here knows anything about the cause of
> this problem I will be very grateful,
>
> thanks for any support
>
> m
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Eric Leblond <eleblond@xxxxxx>
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
EdenWall: http://www.edenwall.com/
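
The comparison described in the quoted report (entries listed in the conntrack table versus the kernel counter, and the counter versus the maximum), as an added shell example that is not part of the original thread. The three files are passed as arguments so it can run against live /proc files or saved copies; the function names and the slack and percentage defaults are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread.
# conntrack_check TABLE COUNT_FILE MAX_FILE [SLACK] [PCT]
# Returns 0 = ok, 1 = counter exceeds listed entries by more than SLACK
# (the symptom in the report), 2 = counter at or above PCT% of the maximum,
# 3 = a file is unreadable or not numeric.
# SLACK=50 and PCT=90 are illustrative defaults, not recommended values.
conntrack_check() {
    slack=${4:-50}
    pct=${5:-90}
    [ -r "$1" ] && [ -r "$2" ] && [ -r "$3" ] || return 3
    listed=$(( $(wc -l < "$1") ))
    count=$(tr -d ' \n' < "$2")
    max=$(tr -d ' \n' < "$3")
    case "$count" in ''|*[!0-9]*) return 3 ;; esac
    case "$max" in ''|*[!0-9]*) return 3 ;; esac
    [ "$max" -gt 0 ] || return 3
    echo "listed=$listed count=$count max=$max"
    # Checked first: near the limit, new connections start being dropped.
    if [ $(( count * 100 )) -ge $(( max * pct )) ]; then
        return 2
    fi
    # Counter well above what the table lists: entries are not being released.
    if [ $(( count - listed )) -gt "$slack" ]; then
        return 1
    fi
    return 0
}

# Demo on constructed data: 3 listed entries, counter stuck at 980 of 1000.
conntrack_demo() {
    d=$(mktemp -d) || return 0
    printf 'entry %s (constructed)\n' 1 2 3 > "$d/table"
    echo 980 > "$d/count"
    echo 1000 > "$d/max"
    rc=0
    conntrack_check "$d/table" "$d/count" "$d/max" || rc=$?
    echo "status=$rc"
    rm -rf "$d"
}
conntrack_demo
```

Run periodically during the load test, the status changing from 0 to 1 marks the point where the counter stops following the table, before the "table full" log messages appear.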