On Tue, 4 Dec 2007, Benoit Plessis wrote:
>
>
> Krzysztof Oledzki wrote:
>>
>>
>> On Tue, 4 Dec 2007, Corin Langosch wrote:
>>
>>> hi marc,
>>>
>>> yes, netfilter with conntrack is running. I saw errors some weeks ago, but
>>> i fixed them with:
>>>
>>> echo "Tuning network settings according to haproxy..."
>>> echo 1048576 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
>>
>> Never do that! Instead, increase the hashsize and {ip,nf}_conntrack_max is
>> going to be calculated automatically based on this value. If you have a
>> recent 2.6 kernel with conntrack compiled into the kernel all you need to
>> setup is a "ip_conntrack.hashsize=262144" kernel parameter.
>>
>> BTW: which kernel version are you using?
>>
>> Best regards,
>>
>> Krzysztof Olędzki
>>
>> PS: Please don't top-post.
>
> Tried with a 2.6.18 and a 2.6.22 and neither one of them shows an automatic
> adjustment like you said.
> fw1# cat /sys/module/ip_conntrack/parameters/hashsize
> 8190
> fw1# cat /proc/sys/net/ipv4/netfilter/cat ip_conntrack_max
> 65520
>
> fw1# echo 16380 > /sys/module/ip_conntrack/parameters/hashsize
> fw1# cat /proc/sys/net/ipv4/netfilter/cat ip_conntrack_max
> 65520
> => no change
>
> fw1# echo 8190 > /sys/module/ip_conntrack/parameters/hashsize
> fw1# echo 131040 > /proc/sys/net/ipv4/netfilter/cat ip_conntrack_max
> fw1# cat /sys/module/ip_conntrack/parameters/hashsize
> 8192
> => no change either

That is correct. It does not work this way when you resize the hash. If you do this, you have to adjust both variables manually.

BTW: Do not use 2.6.22 as it has two critical bugs both in the tcp stack (seq numbers generation) and the netfilter code (connection reopening). Instead, grab 2.6.22.14.

Best regards,

Krzysztof Olędzki

Received on 2007/12/04 23:44
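
The manual two-step adjustment described in the reply above, as an added example that is not part of the original thread or any poster's own script. The 8:1 ratio is an assumption taken from the figures quoted in the thread (8190 buckets, 65520 entries), and the script name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are passed in so the functions
# can be pointed at the files quoted above or at nf_conntrack's equivalents.
# RATIO is an assumption derived from the thread's figures (65520 / 8190 = 8).
RATIO=${RATIO:-8}

# Report whether conntrack_max still matches hashsize * RATIO.
# usage: conntrack_check HASHSIZE_FILE MAX_FILE
conntrack_check() {
    hs=$(cat "$1") || return 2
    mx=$(cat "$2") || return 2
    want=$((hs * RATIO))
    if [ "$mx" -eq "$want" ]; then
        echo "ok hashsize=$hs max=$mx"
    else
        echo "mismatch hashsize=$hs max=$mx expected=$want"
        return 1
    fi
}

# Resize the hash and set conntrack_max by hand in the same step.
# usage: conntrack_resize HASHSIZE_FILE MAX_FILE NEW_HASHSIZE
conntrack_resize() {
    case "$3" in
        ''|*[!0-9]*|0) echo "hashsize must be a positive integer" >&2; return 2 ;;
    esac
    echo "$3" > "$1" || return 2
    # Read the value back: use what the kernel actually stored.
    hs=$(cat "$1") || return 2
    echo $((hs * RATIO)) > "$2" || return 2
    conntrack_check "$1" "$2"
}

# Run as root, e.g. (conntrack-resize.sh is a hypothetical file name):
#   sh conntrack-resize.sh /sys/module/ip_conntrack/parameters/hashsize \
#       /proc/sys/net/ipv4/netfilter/ip_conntrack_max 16380
if [ "$#" -eq 3 ]; then
    conntrack_resize "$1" "$2" "$3"
fi
```

Running `conntrack_check` alone after any change to the hash size shows whether the two values have drifted apart.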