Krzysztof Oledzki wrote:
>
>
> On Tue, 4 Dec 2007, Corin Langosch wrote:
>
>> hi marc,
>>
>> yes, netfilter with conntrack is running. I saw errors some weeks
>> ago, but i fixed them with:
>>
>> echo "Tuning network settings according to haproxy..."
>> echo 1048576 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
>
> Never do that! Instead, increase the hashsize and
> {ip,nf}_conntrack_max is going to be calculated automatically based on
> this value. If you have a recent 2.6 kernel with conntrack compiled
> into the kernel all you need to setup is a
> "ip_conntrack.hashsize=262144" kernel parameter.
>
> BTW: which kernel version are you using?
>
> Best regards,
>
> Krzysztof Olędzki
>
> PS: Please don't top-post.
Tried with a 2.6.18 and a 2.6.22 and neither one of them shows an automatic
adjustment like you said.
fw1# cat /sys/module/ip_conntrack/parameters/hashsize
8190
fw1# cat /proc/sys/net/ipv4/netfilter/cat ip_conntrack_max
65520
fw1# echo 16380 > /sys/module/ip_conntrack/parameters/hashsize
fw1# cat /proc/sys/net/ipv4/netfilter/cat ip_conntrack_max
65520
=> no change
fw1# echo 8190 > /sys/module/ip_conntrack/parameters/hashsize
fw1# echo 131040 > /proc/sys/net/ipv4/netfilter/cat ip_conntrack_max
fw1# cat /sys/module/ip_conntrack/parameters/hashsize
8192
Interesting documentation about optimizing netfilter tracking: http://www.wallfire.org/misc/netfilter_conntrack_perf.txt
By the way, there seems to be another useful value to tweak:
net.netfilter.nf_conntrack_tcp_timeout_established
with a default value of 432000, a conntrack entry may stay up to 5 days
in the table.
http://lists.netfilter.org/pipermail/netfilter/2005-March/059451.html
--
Benoit Plessis +33 4 67 36 42 59 <b.plessis#doyousoft.com>
Network Engineer
Head of Systems & Network Infrastructure.
do|you|soft

Received on 2007/12/04 23:34
This archive was generated by hypermail 2.2.0 : 2007/12/05 00:15 CET
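The thread turns on one relationship: the kernel sizes the conntrack table (conntrack_max) from the hash table size (hashsize), so raising conntrack_max on its own just makes every hash chain longer, while a runtime write to hashsize does not recompute conntrack_max. The POSIX shell helper below is an added example, not code posted by anyone in the thread. It assumes the 2.6-era default of 8 entries per hash bucket (the thread's own numbers, 8190 and 65520, fit that ratio), uses the /proc and /sys paths quoted in the thread with the later nf_conntrack paths as an assumed fallback, and estimates table occupancy with Little's law (flows per second times entry lifetime) to show how the 432000-second established timeout dominates sizing.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks conntrack sizing using the
# relationship discussed there: conntrack_max is derived from hashsize.
# ASSUMPTION: the 2.6-era default ratio of 8 entries per bucket; it matches
# the values quoted in the thread (hashsize 8190 -> conntrack_max 65520).
CT_RATIO=8

# conntrack_max the kernel derives from a given hashsize at module load.
derived_conntrack_max() {
    echo $(( $1 * CT_RATIO ))
}

# Smallest hashsize (rounded up) that yields at least the requested
# conntrack_max: the value to pass as ip_conntrack.hashsize=... on the kernel
# command line or as a module option, instead of writing conntrack_max directly.
hashsize_for_max() {
    echo $(( ($1 + CT_RATIO - 1) / CT_RATIO ))
}

# Average hash-chain length when the table is full (conntrack_max / hashsize).
# Raising only conntrack_max, as in the thread's "echo 1048576 > ip_conntrack_max",
# leaves hashsize at its boot-time value, so every lookup walks a longer chain.
avg_chain_length() {
    echo $(( $1 / $2 ))
}

# Rough steady-state occupancy (Little's law): new flows per second multiplied
# by how long an entry lingers, e.g. the tcp_timeout_established value.
steady_state_entries() {
    echo $(( $1 * $2 ))
}

# Report live values on a host with conntrack loaded. Paths are the ones in
# the thread (ip_conntrack) plus the nf_conntrack equivalents of later kernels
# (assumed fallback). Prints a note and never fails where conntrack is absent.
report_live() {
    for hs in /sys/module/nf_conntrack/parameters/hashsize \
              /sys/module/ip_conntrack/parameters/hashsize; do
        if [ -r "$hs" ]; then break; fi
    done
    for mx in /proc/sys/net/netfilter/nf_conntrack_max \
              /proc/sys/net/ipv4/netfilter/ip_conntrack_max; do
        if [ -r "$mx" ]; then break; fi
    done
    if [ -r "$hs" ] && [ -r "$mx" ]; then
        hashsize=$(cat "$hs"); ctmax=$(cat "$mx")
        echo "hashsize=$hashsize conntrack_max=$ctmax"
        # A mismatch here means conntrack_max was set by hand or hashsize was
        # changed at runtime; the hash table is then the wrong size for the max.
        echo "conntrack_max expected from hashsize: $(derived_conntrack_max "$hashsize")"
        echo "average chain length when full: $(avg_chain_length "$ctmax" "$hashsize")"
    else
        echo "conntrack not loaded on this host; skipping live report"
    fi
}

# Worked numbers from the thread (runs without root or conntrack):
echo "hashsize 8190 -> conntrack_max $(derived_conntrack_max 8190)"           # 65520
echo "for conntrack_max 1048576 request hashsize $(hashsize_for_max 1048576)"  # 131072
echo "chain length at 1048576/8190: $(avg_chain_length 1048576 8190)"          # 128
echo "100 flows/s x 432000 s -> $(steady_state_entries 100 432000) entries"
echo "100 flows/s x 3600 s   -> $(steady_state_entries 100 3600) entries"
report_live
```

Run it on the firewall to compare the live pair against the derived value; the numbers from the thread show why the two approaches differ: 1048576 entries over 8190 buckets means 128 entries per chain, whereas requesting hashsize 131072 at boot keeps chains at 8. The last two lines make the timeout point concrete: at 100 new flows per second, the 5-day default implies tens of millions of entries, a one-hour timeout a few hundred thousand.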