
Re: [LARTC] Conntrack table full and Heavy p2p loaded traffic manager ..

To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Conntrack table full and Heavy p2p loaded traffic manager ...
From: Luciano Ruete <luciano@lugmen.org.ar>
Date: Sat, 24 Feb 2007 22:37:33 -0300
On Friday 23 February 2007 16:28, Sébastien CRAMATTE wrote:
> Hello
>
> I've set up a bridge with l7-filter and ipp2p. We have every day + or
> - between 10Mbits and 30 Mbits of P2P traffic from + or - 450 customers.
> When traffic increases, I get this kind of error message:
>
> Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed.
> Feb 23 14:26:19 gestor1 kernel: ip_conntrack: table full, dropping packet.
>
> The server is Celeron Pentium 4 based, 3Ghz + 512Mb RAM.
> Could anyone suggest what the best values are for
>
> net.ipv4.netfilter.ip_conntrack_max
> net.ipv4.netfilter.ip_conntrack_tcp_timeout_established

Leave the timeouts as they are and focus on conntrack_max.
The lnstat command is your friend; it will help you find the magic numbers:

lnstat -f ip_conntrack -i 1 -c 1 

This will tell you the number of entries used in real time, so you can put a
very large value in ip_conntrack_max and monitor with lnstat and crontab like
this:
*/5 *    * * *    root  date >> /var/log/conntrack_watchdog.log; lnstat -f ip_conntrack -i 1 -c 1 >> /var/log/conntrack_watchdog.log

After a couple of days you will be ready to set the perfect number for your
personal environment.

Each conntrack entry is about 350 bytes of non-swappable kernel memory, so
you can do the math to know how much RAM is consumed.

> Maybe I can tune other kernel values?

Yes, in large setups it is recommended to change the conntrack hash table size:
modprobe ip_conntrack hashsize=xxx

to avoid having a large amount of entries in the same bucket, which can cause
performance issues. You can check your actual hash table size by looking at
dmesg.


-- 
Luciano
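
Added example (not part of the original message): shell functions that read the watchdog log written by the cron job above, report the peak entry count, and apply the ~350 bytes per entry figure and a candidate hashsize to it. The lnstat column layout, the sample log and the hashsize value 8192 are assumptions constructed for illustration.

```shell
# Assumption: lnstat prints '|'-separated columns with a header row that
# contains the field name "entries"; date lines come from the cron job.

# Print the highest "entries" value seen in the log file $1.
conntrack_peak() {
    awk -F'|' '
        # Header row: remember which column holds "entries".
        /entries/ {
            for (i = 1; i <= NF; i++) { f = $i; gsub(/ /, "", f); if (f == "entries") col = i }
            next
        }
        # Data row: purely numeric value in the remembered column.
        col && $col ~ /^ *[0-9]+ *$/ { v = $col + 0; if (v > max) max = v }
        END { print max + 0 }
    ' "$1"
}

# Non-swappable kernel memory in KiB for $1 entries at ~350 bytes each.
conntrack_mem_kib() {
    echo $(( $1 * 350 / 1024 ))
}

# Average entries per hash bucket (rounded up) for $1 entries, hashsize $2.
conntrack_chain_len() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# Constructed sample log: a date line followed by lnstat output, twice.
sample_log() {
    cat <<'EOF'
Sat Feb 24 14:25:01 ART 2007
ip_conntr|ip_conntr|ip_conntr|
  entries| searched|    found|
    41873|   901234|   456789|
Sat Feb 24 14:30:01 ART 2007
ip_conntr|ip_conntr|ip_conntr|
  entries| searched|    found|
    65210|   912345|   467890|
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && sample_log > "$tmp"
    peak=$(conntrack_peak "$tmp"); rm -f "$tmp"
    # 8192 is a hypothetical hashsize, not a value from the mail.
    echo "peak=$peak mem_kib=$(conntrack_mem_kib "$peak") chain@8192=$(conntrack_chain_len "$peak" 8192)"
fi
```

On a real system, pass /var/log/conntrack_watchdog.log to conntrack_peak and compare the result against the value currently set in ip_conntrack_max.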