> I've set up a bridge with l7-filter and ipp2p. Every day we have + or -
> between 10 Mbits and 30 Mbits of P2P traffic from + or - 450 customers.
> When traffic increases, I get this kind of error message:
> 
> Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed.
> Feb 23 14:26:19 gestor1 kernel: ip_conntrack: table full, dropping packet.

Not necessarily the answer you were looking for, but this is what
connlimit was written for. Connlimit will limit the number of parallel
TCP connections per host. Do something like:

iptables -t mangle -A PREROUTING -p tcp -i eth0 --dport 1024: \
        -m connlimit --connlimit-above 30 -j DROP

connlimit is not in the vanilla kernel at the minute; you need to patch
with pom. You can download pom from
http://ipset.netfilter.org/install.html, but you may need to patch pom
first! See
http://lists.netfilter.org/pipermail/netfilter-devel/2006-July/025090.html

Andy Beverley
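As an added example, not code from this thread, a small POSIX shell script that counts how many conntrack drops a log like the one quoted really represents (the "printk: N messages suppressed" lines hide most of them) and builds the connlimit rule from the reply for a chosen interface, port range and per-host threshold. The log lines are constructed, and treating every suppressed message as a table-full drop is an assumption (printk rate limiting counts other messages too, so it is an upper bound).

```shell
# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG='Feb 23 14:26:19 gestor1 kernel: printk: 38 messages suppressed.
Feb 23 14:26:19 gestor1 kernel: ip_conntrack: table full, dropping packet.
Feb 23 14:26:24 gestor1 kernel: printk: 12 messages suppressed.
Feb 23 14:26:24 gestor1 kernel: ip_conntrack: table full, dropping packet.
Feb 23 14:27:01 gestor1 kernel: eth0: link up'

# Count printed "table full" lines plus the messages printk suppressed
# before each one. Assumption: the suppressed messages are the same
# table-full message, so the result is an upper bound on dropped packets.
count_conntrack_drops() {
    printf '%s\n' "$1" | awk '
        /printk: [0-9]+ messages suppressed/ {
            for (i = 1; i <= NF; i++) if ($i == "printk:") suppressed += $(i + 1)
        }
        /ip_conntrack: table full, dropping packet/ { printed++ }
        END { print printed + suppressed }'
}

# Build the connlimit rule from the reply for interface $1, ports >= $2,
# dropping new TCP connections once a host has more than $3 in parallel.
# The rule is only printed here; nothing is loaded into the kernel.
connlimit_rule() {
    printf 'iptables -t mangle -A PREROUTING -p tcp -i %s --dport %s: -m connlimit --connlimit-above %s -j DROP\n' \
        "$1" "$2" "$3"
}

# Stand-alone usage: report the drop estimate and the rule for eth0.
echo "table-full drops (upper bound): $(count_conntrack_drops "$SAMPLE_LOG")"
connlimit_rule eth0 1024 30
```

Compare the drop estimate before and after loading the rule to see whether per-host connection limiting actually keeps the conntrack table below ip_conntrack_max.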


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc