| To: | netfilter@lists.netfilter.org |
|---|---|
| Subject: | Re: ip_conntrack growing indefinitely |
| From: | "G.W. Haywood" <ged@jubileegroup.co.uk> |
| Date: | Sat, 11 Aug 2007 11:19:08 +0100 (BST) |
| Delivered-to: | sp-com-lists@consult.net |
| Delivered-to: | netfilter-list1@securepoint.com |
| In-reply-to: | <200708110801.l7B81Oj2025252@mail3.jubileegroup.co.uk> |
| List-archive: | </pipermail/netfilter> |
| List-help: | <mailto:netfilter-request@lists.netfilter.org?subject=help> |
| List-id: | General discussion and user questions <netfilter.lists.netfilter.org> |
| List-post: | <mailto:netfilter@lists.netfilter.org> |
| List-subscribe: | <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe> |
| List-unsubscribe: | <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe> |
| References: | <200708110801.l7B81Oj2025252@mail3.jubileegroup.co.uk> |
| Sender: | netfilter-bounces@lists.netfilter.org |
Hi there, On Sat, 11 Aug 2007 fd4 wrote: > > For now it has been patched setting ip_conntrack_max to 65536 but > > connections still grow indefinitely (seems NAT never drops old > > connections). Any idea of the reasons? Could be related with the > > kernel version (2 years old) we're running? > > I've a similar phenomen using kernel 2.6.18-4-vserver-686 : > conntrack -L|wc -l > 3340 > nearly all started at a similar time from two ports to random > > example iptstate: > Source Destination Proto State TTL > 1.2.3.4:42573 1.2.3.4:842 tcp ESTABLISHED 10:44:43 > 1.2.3.4:42574 1.2.3.4:1501 tcp ESTABLISHED 10:43:51 > 1.2.3.4:42573 1.2.3.4:1392 tcp ESTABLISHED 10:43:20 > > well :- on my wish list now something like that: > conntrack -D -s 1.2.3.4 -d 1.2.3.4 -p tcp --orig-port-src 42573 > --orig-port-dst * I don't think it grows indefinitely. The timeout is five days. http://lists.netfilter.org/pipermail/netfilter-devel/2005-June/020081.html -- 73, Ged. |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: iptables/mac address filtering question, Канивец Николай |
|---|---|
| Next by Date: | NAT performance + table processing, Július Bemš |
| Previous by Thread: | Re: ip_conntrack growing indefinitely, Eric Leblond |
| Next by Thread: | Re: ip_conntrack growing indefinitely, fd4 |
| Indexes: | [Date] [Thread] [Top] [All Lists] |