Re: strange errors

From: Corin Langosch <corinl#gmx.de>
Date: Wed, 05 Dec 2007 09:06:06 +0100

Benoit Plessis schrieb:
>
>
> Krzysztof Oledzki a écrit :
>>
>>
>> On Tue, 4 Dec 2007, Corin Langosch wrote:
>>
>>> Hi Marc,
>>>
>>> yes, netfilter with conntrack is running. I saw errors some weeks
>>> ago, but I fixed them with:
>>>
>>> echo "Tuning network settings according to haproxy..."
>>> echo 1048576 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
>>
>> Never do that! Instead, increase the hashsize and
>> {ip,nf}_conntrack_max is going to be calculated automatically based
>> on this value. If you have a recent 2.6 kernel with conntrack
>> compiled into the kernel all you need to setup is a
>> "ip_conntrack.hashsize=262144" kernel parameter.
>>
>> BTW: which kernel version are you you using?
>>
>> Best regards,
>>
>> Krzysztof Olędzki
>>
>> PS: Please don't top-post.
>
> Tried with a 2.6.18 and a 2.6.22 and neither one of them shows an
> automatic adjustment like you said.
> fw1# cat /sys/module/ip_conntrack/parameters/hashsize
> 8190
> fw1# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> 65520
>
> fw1# echo 16380 > /sys/module/ip_conntrack/parameters/hashsize
> fw1# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> 65520
> => no change
>
> fw1# echo 8190 > /sys/module/ip_conntrack/parameters/hashsize
> fw1# echo 131040 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> fw1# cat /sys/module/ip_conntrack/parameters/hashsize
> 8192
> => no change either
>
> Interesting documentation about optimizing netfilter tracking:
> http://www.wallfire.org/misc/netfilter_conntrack_perf.txt
>
>
> By the way, there seems to be another useful value to tweak:
> net.netfilter.nf_conntrack_tcp_timeout_established
> With its default value of 432000, a conntrack entry may stay in the
> table for up to 5 days.
> http://lists.netfilter.org/pipermail/netfilter/2005-March/059451.html
>

Thanks so far, but
http://www.wallfire.org/misc/netfilter_conntrack_perf.txt does not seem to give working information:

modprobe ip_conntrack hashsize=262144
=> kernel: nf_conntrack_ipv4: Unknown parameter `hashsize'

however

echo 262144 > /sys/module/nf_conntrack/parameters/hashsize
=> works fine, but how can I see if this has really changed anything?
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max still shows 65536.

Received on 2007/12/05 09:06
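The numbers quoted in this thread (hashsize 8190 paired with conntrack_max 65520, hashsize 8192 with 65536) are the kernel's own sizing: on the 2.6 kernels discussed here conntrack_max is derived from hashsize once, at module load (8 x hashsize when hashsize is given explicitly), and writing a new hashsize through sysfs afterwards resizes the hash table but does not recompute conntrack_max. The script below is an added example, not code from any poster or from the netfilter project: it reads the current hashsize, maximum and live entry count from the nf_conntrack paths (falling back to the older ip_conntrack ones), reports the average hash chain length a full table would have, and prints the conntrack_max the kernel would have chosen for the current hashsize. The file paths and the factor of 8 are the assumptions it rests on; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: inspect conntrack sizing.
# Assumed paths: nf_conntrack (2.6.2x) first, ip_conntrack (2.6.18) as fallback.
# Save as conntrack_check.sh and run it as root on the firewall.

# Print the contents of the first readable file among the arguments.
read_first() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    return 1
}

# Number of hash buckets currently allocated for the conntrack table.
get_hashsize() {
    read_first /sys/module/nf_conntrack/parameters/hashsize \
               /sys/module/ip_conntrack/parameters/hashsize
}

# Upper bound on tracked connections (the sysctl the thread keeps raising).
get_max() {
    read_first /proc/sys/net/netfilter/nf_conntrack_max \
               /proc/sys/net/ipv4/netfilter/ip_conntrack_max
}

# Connections tracked right now; compare against get_max for headroom.
get_count() {
    read_first /proc/sys/net/netfilter/nf_conntrack_count \
               /proc/sys/net/ipv4/netfilter/ip_conntrack_count
}

# Average chain length when the table is full: entries per bucket.
# Usage: chain_length HASHSIZE MAX   (8190 65520 -> 8)
chain_length() {
    echo $(( $2 / $1 ))
}

# conntrack_max the kernel derives from an explicitly given hashsize
# (assumed factor of 8, matching the pairs quoted in the thread).
recommended_max() {
    echo $(( $1 * 8 ))
}

# "ok" when chains stay at the kernel's own depth, "too-deep" otherwise:
# raising conntrack_max alone, as in the 1048576 example, lengthens every
# bucket's list and slows each lookup.
verdict() {
    if [ "$(chain_length "$1" "$2")" -le 8 ]; then
        echo ok
    else
        echo too-deep
    fi
}

# Whole days represented by a conntrack timeout in seconds (432000 -> 5).
timeout_days() {
    echo $(( $1 / 86400 ))
}

report() {
    hs=$(get_hashsize) || { echo "conntrack module not loaded"; return 1; }
    mx=$(get_max)
    ct=$(get_count)
    echo "hashsize=$hs conntrack_max=$mx count=$ct"
    echo "avg chain length at full table: $(chain_length "$hs" "$mx") ($(verdict "$hs" "$mx"))"
    echo "conntrack_max matching this hashsize: $(recommended_max "$hs")"
    to=$(read_first /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established \
                    /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established)
    if [ -n "$to" ]; then
        echo "established TCP timeout: ${to}s = $(timeout_days "$to") days"
    fi
}

# Run the report only when executed under the suggested file name, so the
# functions can also be sourced from another script.
case "$0" in
    *conntrack_check.sh) report ;;
esac
```

Because the kernel does not recompute conntrack_max after a sysfs write, raising hashsize at runtime has to be followed by a matching write to conntrack_max (the value `recommended_max` prints) for the table to actually grow, which is why the 65536 readback in the message above does not move. To have the kernel size both values itself, pass hashsize to the module that owns the parameter, `nf_conntrack` on the 2.6.22 kernel (for example `options nf_conntrack hashsize=262144` in modprobe.conf, or the boot parameter form Krzysztof mentioned for a built-in conntrack); `ip_conntrack` on that kernel is only an alias for `nf_conntrack_ipv4`, which is why modprobe reports the unknown parameter.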

This archive was generated by hypermail 2.2.0 : 2007/12/05 09:15 CET