Hello all!

I'm working for a small ISP and we have a questionable situation here. Hope anybody will be able to help us.

We have a machine (one white IPv4) which does IPv4 masquerading for clients in 192.168.0.0/16 subnetworks. Recently we noticed a growth of the /proc/net/nf_conntrack NAT translations table from about 5k lines to 40k lines (30k translations to 1e100.net, port 5228). Okay, let Google spy on users, fine, but the situation has raised the following questions:

# grep ESTABLISHED /proc/net/nf_conntrack | wc -l
29560
# sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768 61000
# bc
61000-32768
28232
# sysctl net.netfilter.nf_conntrack_max
net.netfilter.nf_conntrack_max = 65536

1) How is it possible that the number of ESTABLISHED connections is greater than the ephemeral port range?

2) Is net.ipv4.ip_local_port_range used for NAT translations?

3) I found suggestions that net.netfilter.nf_conntrack_max might be greater than the local port range count (greater than 65536). How will new connections be established in that case, and is it even possible to set it greater than 65536?

# cat /proc/net/nf_conntrack | awk '{print $9}' | grep sport=1
sport=1425
sport=1341
sport=1086

And no other ports below the 32768 value.

4) So, how is it possible for the system to use ports below 32768 in that case?

5) Is there any way to see the entries in the conntrack _expectations_ table?

Any help will be appreciated.

P. S.: I'm sorry if any HTML will leak. Lotus is really awful.

--
With best regards/Mit freundlichen Grüßen,
Igor Chudov
TransTelecom-Volga JSC, Russian Federation
Leading Engineer/Network Maintenance Department,
Tel. (24/7/365): +7 937 266-51-34
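An added example, not part of the original post: a small Python parser for the /proc/net/nf_conntrack format quoted above that reads both tuples of each entry and tallies what the questions turn on, namely that the NAT-side source port (the reply direction's dport) only has to be unique per destination address and port, so the table is not bounded by one port range, and that masquerading keeps the client's own source port unless it collides, which is how ports below 32768 end up in the table. The sample lines, the addresses and the port-5228 tally are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack format (not taken from the post).
# First src/dst/sport/dport group: original direction (client -> server);
# second group: reply direction (server -> the NAT box's public address).
SAMPLE = """\
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.50 sport=1425 dport=5228 src=203.0.113.50 dst=198.51.100.1 sport=5228 dport=1425 [ASSURED] mark=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.2.77 dst=203.0.113.51 sport=1425 dport=5228 src=203.0.113.51 dst=198.51.100.1 sport=5228 dport=1425 [ASSURED] mark=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.2.78 dst=203.0.113.50 sport=1425 dport=5228 src=203.0.113.50 dst=198.51.100.1 sport=5228 dport=1426 [ASSURED] mark=0 use=2
ipv4 2 tcp 6 117 TIME_WAIT src=192.168.3.5 dst=203.0.113.60 sport=40000 dport=443 src=203.0.113.60 dst=198.51.100.1 sport=443 dport=40000 [ASSURED] mark=0 use=1
ipv4 2 udp 17 29 src=192.168.3.9 dst=203.0.113.53 sport=51000 dport=53 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=51000 mark=0 use=1
"""
KV = re.compile(r"(src|dst|sport|dport)=(\S+)")

def parse_entry(line):
    """Split one nf_conntrack line into protocol, TCP state and both tuples."""
    fields = line.split()
    orig, reply = {}, {}
    for key, value in KV.findall(line):
        (orig if key not in orig else reply)[key] = value
    state = fields[5] if fields[2] == "tcp" else None  # UDP has no state column
    return {"proto": fields[2], "state": state, "orig": orig, "reply": reply}

def summarize(text, local_port_range=(32768, 61000)):
    """Per entry, the NAT-side source port is reply.dport (the port the server answers to)."""
    lo, hi = local_port_range
    stats = Counter()
    nat_keys = Counter()  # (server ip, server port, NAT source port) must be unique
    for line in text.splitlines():
        e = parse_entry(line)
        nat_sport = int(e["reply"]["dport"])
        if e["state"] == "ESTABLISHED":
            stats["established"] += 1
        if e["orig"]["dport"] == "5228":
            stats["to_port_5228"] += 1
        # Masquerading keeps the client's own source port unless it collides for the same destination.
        if nat_sport == int(e["orig"]["sport"]):
            stats["port_preserved"] += 1
        else:
            stats["port_remapped"] += 1
        if not lo <= nat_sport <= hi:
            stats["outside_local_port_range"] += 1
        nat_keys[(e["orig"]["dst"], e["orig"]["dport"], nat_sport)] += 1
    stats["duplicate_nat_tuples"] = sum(1 for n in nat_keys.values() if n > 1)
    return dict(stats)

if __name__ == "__main__":
    for key, value in sorted(summarize(SAMPLE).items()):
        print(f"{key:26} {value}")
```

Run against the real file with `summarize(open("/proc/net/nf_conntrack").read())` to see how many translated ports sit outside ip_local_port_range on the box itself.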