Ben Tyler wrote:
I've been looking for information regarding increasing the value of
"/proc/sys/net/ipv4/ip_conntrack_max" on my RHEL3 box running
iptables/ip_masq. Any pointers would be greatly appreciated.

I see about 200 lines of "kernel: ip_conntrack: table full, dropping
packet." in /var/log/messages each day. The machine has 1GB of RAM and
performs no other functions. Its current memory usage (less
buffers/cache) is about 150MB.

The current value of ip_conntrack_max, which was set by the RHEL
installer, is 65016. Can I increase this value? If so, how much?

Is there a better way to monitor the current number of connections
being tracked than `cat /proc/net/ip_conntrack | wc -l`, which takes
about 30 seconds with this many connections?

Are there any other parameters I can increase to help the performance
of a system that only does ip_masq?
Thanks,
Ben

I had similar problems on my home firewall box running RH9. It was a
really old, low-spec PC (P266, 256MB RAM, I think). I just kept
increasing the ip_conntrack_max value until I stopped seeing entries in
the logs. Not an exact figure, but I probably increased the value by
1000 times its default setting with no adverse effects - I just kept
adding another zero to the current setting until I stopped seeing
errors ;). I wouldn't recommend doing this on a production server, but
if it's a home system or a non-important box then it may be worth a
try. Once you have a good value, make sure you create an init script so
the setting is changed on every reboot.

FYI, to increase the value just `echo new_value >
/proc/sys/net/ipv4/ip_conntrack_max`. It's not kept in a config file
anywhere; the kernel sets it on boot depending on your amount of RAM.

If the box is doing nothing else then you should be able to increase
the value significantly - the gurus should be able to give a better
idea what's a 'safe' value.

Hope this helps
Jeff
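Ben asked for a faster way to count tracked connections than line-counting /proc/net/ip_conntrack, and Jeff described setting the limit through /proc. The script below is an added example (not from either poster) that reads the count and the limit from the sysctl files and flags when the table is close to full, so a cron job can catch the "table full" condition before packets get dropped. It assumes the ip_conntrack_count sysctl exists on the kernel in use (the thread does not mention it) and falls back to the slow line count otherwise.

```shell
#!/bin/sh
# Added example, not from the thread: report conntrack table utilization
# from the sysctl files instead of line-counting /proc/net/ip_conntrack.
# Assumption (not stated on the page): /proc/sys/net/ipv4/netfilter/ip_conntrack_count
# exists on this kernel; if not, the slow line count is used. Newer kernels
# expose the same values under the nf_conntrack_* names.
# Print the first readable file among the arguments; fail if none exists.
read_first() {
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    return 1
}

current_count() {
    read_first /proc/sys/net/ipv4/netfilter/ip_conntrack_count \
               /proc/sys/net/netfilter/nf_conntrack_count \
        || wc -l < /proc/net/ip_conntrack
}

current_max() {
    read_first /proc/sys/net/ipv4/ip_conntrack_max \
               /proc/sys/net/netfilter/nf_conntrack_max
}

# usage_pct COUNT MAX: integer percentage of the table in use.
usage_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || return 1
    echo $(( $1 * 100 / $2 ))
}

# classify COUNT MAX WARN_PCT: print OK, WARN or FULL; return 0, 1 or 2.
classify() {
    pct=$(usage_pct "$1" "$2") || return 3
    if [ "$1" -ge "$2" ]; then echo FULL; return 2; fi
    if [ "$pct" -ge "$3" ]; then echo WARN; return 1; fi
    echo OK
}

# check_live [WARN_PCT]: classify the running kernel's table (default 80%).
check_live() {
    count=$(current_count) || { echo "cannot read conntrack count" >&2; return 3; }
    max=$(current_max) || { echo "cannot read conntrack max" >&2; return 3; }
    rc=0
    state=$(classify "$count" "$max" "${1:-80}") || rc=$?
    echo "conntrack: $count/$max ($(usage_pct "$count" "$max")%) $state"
    return $rc
}
# Run the live check only when invoked as "sh conntrack-check.sh --live [PCT]".
[ "${1:-}" = "--live" ] && check_live "${2:-80}"
```

Raising ip_conntrack_max only changes the hard limit; in the 2.4 ip_conntrack code the default is 8 times the hash table size (the module's hashsize parameter), so a much larger limit means longer hash chains unless hashsize is raised as well. A value written to /proc is lost on reboot unless an init script or sysctl.conf restores it.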
--
redhat-list mailing list
https://www.redhat.com/mailman/listinfo/redhat-list