Fwd: Re: Conntrack & Unreplied exhausts hashsize

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 
Very interesting find ! So, what that means is that the 5 days timeout will not 
hurt other connections, because unreplied connections will get removed
automatically if new connections need the spot ?
That would definitely explain why the total of unreplied connection went down a 
little bit on June 8th at 4am: http://4u.1nw.eu/conntrack_stat3.png
We did fix other parameters earlier, like enabling tcp_tw_reuse and directing localhost traffic to NOTRACK. It would explain why we didn't get more of those 
`table full, dropping packet`.

- Julien

On 2012-06-09 14:14, Marco Padovan wrote:


Looks like it's an intendend behaviour:

http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.17 [1]

<
Jun 5 09:57:51 web-front1 kernel: [7177214.445925] nf_conntrack: table full, 
dropping packet.
So I started tuning the kernel of one member of the farm. This server has 2 
interfaces: one public and one in the LAN. The problem is on the public
interface, it seems that connections in the UNREPLIED state continue to grow 
and never get cleaned up by conntrack. Below is a diagram that shows the
issue:

http://4u.1nw.eu/conntrack_stat3.png [2]

The orange line counts connections on the public IP that are in the
unreplied state. The script parses /etc/net/ip_conntrack every 10 minutes
(nothing fancy, see https://gist.github.com/2901349 [3] ).

My questions are:
Should these UNREPLIED connection get removed from conntrack after a certain 
timeout?

What is the parameter that controls this timeout ?
I'm afraid it might be `net.netfilter.nf_conntrack_tcp_timeout_established = 432000`, which is 5 days. If this is the case, would it be safe to set this 
parameter to 300 seconds instead (5 minutes) ?
Note: apache runs with `KeepAlive On` and `KeepAliveTimeout 3`, in case this 
might be relevant.

Thanks a lot,
Julien




Links:
------
[1] http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.17
[2] http://4u.1nw.eu/conntrack_stat3.png
[3] https://gist.github.com/2901349

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux