On Thursday 2013-03-07 18:21, Daniel L. Miller wrote:

>>> I've noticed that my connection tracking counters keep increasing -
>>> /proc/sys/net/netfilter/nf_conntrack_count
>>> and when it reaches /proc/sys/net/netfilter/nf_conntrack_max things break.
>>
>> Could it be you are being DDoSed?
>
> Anything's possible - but I don't have a high-visibility site. The connection
> counter increments gradually - a new connection every couple of seconds or so.
>
> Trying to understand what's going on, I installed the "conntrack" tool.
> conntrack -S yields:
> entries 28752
> searched 27822
> found 11950927
> new 457431
> invalid 333
> ignore 347677
> delete 465404
> delete_list 428962
> insert 414575
> insert_failed 0
> drop 0
> early_drop 0
> icmp_error 0
> expect_new 0
> expect_create 0
> expect_delete 0
> search_restart 0
>
> But more confusing is conntrack -L only shows 52 entries.

You need to count in entries from different conntrack tables too.
I see something similar, however:

18:42 ares07:/home/jengelh # conntrack -L >/dev/null; conntrack -L expect >/dev/null; cat /proc/sys/net/netfilter/nf_conntrack_count
conntrack v1.4.0 (conntrack-tools): 32 flow entries have been shown.
conntrack v1.4.0 (conntrack-tools): 0 expectations have been shown.
43
18:42 ares07:/home/jengelh # conntrack -L >/dev/null; conntrack -L expect >/dev/null; cat /proc/sys/net/netfilter/nf_conntrack_count
conntrack v1.4.0 (conntrack-tools): 31 flow entries have been shown.
conntrack v1.4.0 (conntrack-tools): 0 expectations have been shown.
42

That might be connections in state DYING, but perhaps Pablo has an idea what could be going on w.r.t. different numbers.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
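The reconciliation the reply describes (nf_conntrack_count versus what `conntrack -L` and `conntrack -L expect` list, plus the `conntrack -S` counters), as an added shell example that is not part of the thread and not conntrack-tools' own code. The counter parser assumes the one-counter-per-line "name value" layout quoted in the post (newer conntrack-tools versions print per-CPU `cpu=N key=value` lines instead, which this parser does not handle); the sample stats are the numbers from the post, the table size of 65536 in the usage note is a constructed value, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): reconcile the numbers that
# nf_conntrack_count, `conntrack -L` and `conntrack -S` report.

# Constructed sample of `conntrack -S` output, copied from the counters
# quoted in the post (one "name value" pair per line).
SAMPLE_STATS='entries 28752
searched 27822
found 11950927
new 457431
invalid 333
ignore 347677
delete 465404
delete_list 428962
insert 414575
insert_failed 0
drop 0
early_drop 0'

# stat_value NAME STATS: print the value of one "name value" counter line.
stat_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# unconfirmed_allocs STATS: conntracks that were allocated ("new") but never
# confirmed into the main table ("insert"). A large, growing gap means many
# flows are created and thrown away before confirmation (e.g. dropped by
# rules), which is a different symptom from a table that fills up.
unconfirmed_allocs() {
    echo $(( $(stat_value new "$1") - $(stat_value insert "$1") ))
}

# unlisted_entries LISTED EXPECTATIONS COUNT: entries nf_conntrack_count holds
# that neither `conntrack -L` nor `conntrack -L expect` printed; the reply
# above attributes this remainder to entries in other tables (e.g. DYING).
unlisted_entries() {
    echo $(( $3 - $1 - $2 ))
}

# usage_pct COUNT MAX: integer percentage of nf_conntrack_max in use, the
# figure to alert on before "things break" at the limit.
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# table_pressure STATS: 1 if the kernel has already dropped ("drop") or
# evicted ("early_drop") flows because the table was full, else 0.
table_pressure() {
    if [ "$(stat_value drop "$1")" -gt 0 ] || [ "$(stat_value early_drop "$1")" -gt 0 ]; then
        echo 1
    else
        echo 0
    fi
}

# Live check, only when run as `./reconcile.sh --live` on a host with
# nf_conntrack loaded and the conntrack tool installed. The "N flow entries
# have been shown" summary goes to stderr (as in the post), so counting
# stdout lines gives the number of listed entries.
if [ "${1:-}" = "--live" ]; then
    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    listed=$(conntrack -L 2>/dev/null | wc -l)
    expects=$(conntrack -L expect 2>/dev/null | wc -l)
    echo "count=$count max=$max usage=$(usage_pct "$count" "$max")%"
    echo "listed=$listed expectations=$expects unlisted=$(unlisted_entries "$listed" "$expects" "$count")"
    echo "pressure=$(table_pressure "$(conntrack -S 2>/dev/null)")"
fi
```

Applied to the figures in the post, unlisted_entries 32 0 43 gives 11 entries that the two listings do not account for, and the sample stats give 42856 allocations that were never confirmed; a usage percentage that climbs steadily while `drop`/`early_drop` stay at 0 is the pre-failure window in which to raise nf_conntrack_max or shorten timeouts.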