problem when use linux2.4 as firewall

2002-05-16 Thread 郑传波 (zheng chuanbo)


I met some problems when using Linux 2.4 as our firewall. When we used Linux 2.2 as our
firewall it worked well, but when we upgraded to Linux 2.4 on the same machine, the
firewall always lost packets. Has anyone met the same problem?
When I run ping from one side of the firewall to the other, the packet loss is
almost 20%.
Someone told me that maybe something is wrong with my switch, but Linux 2.2 worked
well, so I'm confused. Is there some problem with the stateful packet filter in Linux 2.4?

zheng chuanbo





Re: problem when use linux2.4 as firewall

2002-04-23 Thread Mikkel Refsgaard Bech

Hi,

We have a theory about the cause of your problem: when a connection is
established through your firewall, an entry is created in a table that
tracks these connections. As you already know, these connections can be seen
by reading the file /proc/net/ip_conntrack. The entries in this table are
removed 2 minutes _after_ the (TCP) connection is terminated. The reason
that the entry is not removed immediately is that TCP keeps the socket open
for a while after the connection is closed, to answer retransmitted FIN
packets. If the traffic that goes through the firewall consists of many
short connections (e.g. web traffic), the table that tracks the connections
may be filled with entries for which the actual connection is already
closed. You can check this by looking for connections that have the label
TIME_WAIT when you cat/grep ip_conntrack.

Connection tracking in netfilter allows 8192 connections with 128M memory
(calculations based on comments in ip_conntrack_core.c). Check your kernel
log for a line like "ip_conntrack (1024 buckets, 8192 max)"; the max is the
maximum number of connections allowed. You should also check your kernel log
for lines stating "Can't allocate conntrack." or "ip_conntrack: table
full, dropping packet.", which indicate a problem with memory or the max
limit.

On April 9th we posted a patch to netfilter/iptables that can be used to
specify how long an entry in the connection tracking table should remain
in the table after the actual connection is terminated. See:
http://lists.samba.org/pipermail/netfilter-devel/2002-April/004076.html
for the patch and a description of it.

There must be others who use netfilter in a production environment like
yours. Does anyone on netfilter-devel have experience with this high
connection load? Or does anyone have another solution to this problem?
Maybe you could just recompile with a higher limit.

If you use our patch we would be very interested in hearing about your
experiences (or any bugs) or any other solutions you may find.

Regards,
Mikkel, Torben, Carsten
{mrb,mariachi,stiborg}@cs.auc.dk

BTW: we use this tool to monitor the connection tracking table; iptstate -
http://home.earthlink.net/~jaymzh666/iptstate/


On Mon, 22 Apr 2002, zheng wrote:

   We use Linux 2.4 as a firewall. The machine has 128M memory and we have
 about 200 people behind the firewall. We met some problems. Sometimes the
 firewall uses up its resources and goes down. I checked with 'top' and
 found that the memory is used up. The file /proc/net/ip_conntrack
 records all the connections, and it grows fast. I think this may be the
 problem.
   How to solve the problem? Increasing the memory is a solution, but
 that will not solve the whole problem. Or get rid of ip_conntrack when
 compiling the kernel? But we have to use NAT.
   Does anyone have a good idea on it? Thanks for the help.

 zheng chuanbo
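An added example, not code from the thread or from netfilter, showing how the checks Mikkel describes can be scripted: count the entries in a conntrack table dump, count how many of them are TCP entries sitting in TIME_WAIT, pull the "max" figure out of the ip_conntrack banner in the kernel log, and count "table full" messages. The conntrack lines and kernel log lines below are constructed samples in the 2.4 /proc/net/ip_conntrack format; on a live box you would feed the functions from /proc/net/ip_conntrack and the output of dmesg instead.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise a 2.4 conntrack
# table dump and look for the kernel log lines that indicate table exhaustion.

# Constructed sample of /proc/net/ip_conntrack lines. For tcp entries the
# third field is the remaining timeout in seconds and the fourth the state.
SAMPLE_CONNTRACK='tcp      6 117 TIME_WAIT src=192.0.2.10 dst=203.0.113.5 sport=33456 dport=80 src=203.0.113.5 dst=192.0.2.10 sport=80 dport=33456 use=1
tcp      6 98 TIME_WAIT src=192.0.2.11 dst=203.0.113.5 sport=33457 dport=80 src=203.0.113.5 dst=192.0.2.11 sport=80 dport=33457 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.12 dst=203.0.113.9 sport=40001 dport=22 src=203.0.113.9 dst=192.0.2.12 sport=22 dport=40001 [ASSURED] use=1
udp      17 29 src=192.0.2.13 dst=203.0.113.53 sport=5353 dport=53 [UNREPLIED] src=203.0.113.53 dst=192.0.2.13 sport=53 dport=5353 use=1'

# Constructed sample of kernel log lines (the banner and the "table full" message
# mentioned in the reply above).
SAMPLE_KLOG='ip_conntrack version 2.1 (1024 buckets, 8192 max) - 292 bytes per conntrack
ip_conntrack: table full, dropping packet.'

# conntrack_count [STATE]: number of entries on stdin; with STATE given, only
# tcp entries in that state (e.g. TIME_WAIT). "|| true" keeps grep's exit
# status 1 for a zero count from aborting a "set -e" caller.
conntrack_count() {
    if [ -n "$1" ]; then
        grep -c "^tcp .* $1 " || true
    else
        grep -c . || true
    fi
}

# conntrack_max: print the "max" value from the ip_conntrack banner on stdin
# (a kernel log); prints 0 if no banner is present.
conntrack_max() {
    m=$(sed -n 's/.*ip_conntrack.*([0-9]* buckets, \([0-9]*\) max).*/\1/p' | head -n 1)
    echo "${m:-0}"
}

# klog_table_full: number of "table full, dropping packet" lines on stdin.
klog_table_full() {
    grep -c 'ip_conntrack: table full, dropping packet' || true
}

# conntrack_usage_pct COUNT MAX: integer percentage of the table in use.
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# Stand-alone run on the constructed samples. On a real 2.4 firewall replace
# the printf feeds with "< /proc/net/ip_conntrack" and "dmesg |".
report() {
    total=$(printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_count)
    tw=$(printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_count TIME_WAIT)
    max=$(printf '%s\n' "$SAMPLE_KLOG" | conntrack_max)
    full=$(printf '%s\n' "$SAMPLE_KLOG" | klog_table_full)
    echo "entries=$total time_wait=$tw max=$max usage=$(conntrack_usage_pct "$total" "$max")% table_full_msgs=$full"
}
report
```

A high TIME_WAIT share relative to the total is the symptom the reply describes (a table padded with entries for connections that are already closed); any non-zero "table full" count means packets are already being dropped at the limit rather than merely tracked slowly.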


problem when use linux2.4 as firewall

2002-04-22 Thread zheng

  We use Linux 2.4 as a firewall. The machine has 128M memory and we have about 200
people behind the firewall. We met some problems. Sometimes the firewall uses up its
resources and goes down. I checked with 'top' and found that the memory is used up.
The file /proc/net/ip_conntrack records all the connections, and it grows fast. I
think this may be the problem.
  How to solve the problem? Increasing the memory is a solution, but that will not
solve the whole problem. Or get rid of ip_conntrack when compiling the kernel? But we
have to use NAT.
  Does anyone have a good idea on it? Thanks for the help.

zheng chuanbo 

