I haven't used Fedora much recently. Looks like it's compiled into the kernel instead of as a module with Fedora, so I think you would have to do a custom kernel to disable the connection tracking (or switch distros).
> -----Original Message-----
> From: Hank A. Paulson [mailto:h...@spamproof.nospammail.net]
> Sent: Thursday, September 03, 2009 2:15 PM
> To: 'HAproxy Mailing Lists'
> Subject: Re: nf_conntrack: table full, dropping packet.
>
> # lsmod
> Module                  Size  Used by
> xen_netfront           19808  0
> pcspkr                  2848  0
> xen_blkfront           12404  2
>
> # cat /proc/net/nf_conntrack | wc -l
> 50916
>
> # service iptables stop
> (it was never started)
>
> # cat /proc/net/nf_conntrack | wc -l
> 65358
>
> This is Fedora, sorry, not CentOS.
>
> the only other thing running is keepalived to manage the ip address for
> haproxy.
>
> On 9/3/09 10:16 AM, John Lauro wrote:
> > service iptables stop
> > should take care of it in Centos.
> >
> > Although your lsmod doesn't make sense. It should be showing ip_conntrack
> > and ip_tables and iptable_filter with a standard Centos and iptables. Even
> > dm_multipath and others that you are not interested in would be expected...
> >
> >> -----Original Message-----
> >> From: Hank A. Paulson [mailto:h...@spamproof.nospammail.net]
> >> Sent: Thursday, September 03, 2009 1:02 PM
> >> To: HAproxy Mailing Lists
> >> Subject: nf_conntrack: table full, dropping packet.
> >>
> >> Does anyone know how to get rid of/turn off/kill/remove/exorcise netfilter
> >> and/or conntrack?
> >> I don't use iptables and it seems to cause a lot of overhead.
> >>
> >> Does it require a custom compiled kernel?
> >> I am using CentOS and Fedora standard precompiled kernels right now.
> >>
> >> Thank you for any help in this frustrating matter.
> >>
> >> # lsmod | grep -i ip
> >> ipv6 290320 20
> >>
> >> sysctl -a | grep -i netfilter
> >> net.netfilter.nf_conntrack_generic_timeout = 12
> >> net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 12
> >> net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 12
> >> net.netfilter.nf_conntrack_tcp_timeout_established = 2000
> >> net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 12
> >> net.netfilter.nf_conntrack_tcp_timeout_close_wait = 12
> >> net.netfilter.nf_conntrack_tcp_timeout_last_ack = 12
> >> net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
> >> net.netfilter.nf_conntrack_tcp_timeout_close = 8
> >> net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 30
> >> net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 30
> >> net.netfilter.nf_conntrack_tcp_loose = 1
> >> net.netfilter.nf_conntrack_tcp_be_liberal = 0
> >> net.netfilter.nf_conntrack_tcp_max_retrans = 3
> >> net.netfilter.nf_conntrack_udp_timeout = 12
> >> net.netfilter.nf_conntrack_udp_timeout_stream = 18
> >> net.netfilter.nf_conntrack_icmp_timeout = 8
> >> net.netfilter.nf_conntrack_acct = 1
> >> net.netfilter.nf_conntrack_max = 1048576
> >> net.netfilter.nf_conntrack_count = 7645
> >> net.netfilter.nf_conntrack_buckets = 16384
> >> net.netfilter.nf_conntrack_checksum = 1
> >> net.netfilter.nf_conntrack_log_invalid = 0
> >> net.netfilter.nf_conntrack_expect_max = 256
> >>
> >> No virus found in this incoming message.
> >> Checked by AVG - www.avg.com
> >> Version: 8.5.409 / Virus Database: 270.13.73/2338 - Release Date:
> >> 09/03/09 05:50:00
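
An added example, not part of the thread: one way to check whether conntrack is built into the kernel or loaded as a module, and how full the table is, from the same `sysctl` keys quoted above. It assumes the kernel build config is readable (commonly `/boot/config-$(uname -r)`) and uses the `CONFIG_NF_CONNTRACK` symbol; the sample inputs are constructed.

```bash
#!/bin/bash
# Added example: classify how conntrack is built and how full its table is.

# Constructed sample inputs (not taken from the thread) so this runs offline.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
# CONFIG_NF_CONNTRACK_EVENTS is not set'
SAMPLE_SYSCTL='net.netfilter.nf_conntrack_max = 65536
net.netfilter.nf_conntrack_count = 65358
net.netfilter.nf_conntrack_buckets = 16384'

# conntrack_build_mode: read kernel config text on stdin and print
# builtin | module | disabled for CONFIG_NF_CONNTRACK.
conntrack_build_mode() {
    local line
    local mode=disabled
    while IFS= read -r line; do
        case "$line" in
            CONFIG_NF_CONNTRACK=y) mode=builtin ;;  # cannot be unloaded
            CONFIG_NF_CONNTRACK=m) mode=module ;;   # would appear in lsmod
        esac
    done
    printf '%s\n' "$mode"
}

# sysctl_value KEY: read `sysctl -a` text on stdin, print the value of KEY.
sysctl_value() {
    awk -F' *= *' -v k="$1" '$1 == k { print $2; exit }'
}

# conntrack_usage_pct: integer percent of the table in use (count*100/max).
# Returns 1 when either key is missing, e.g. conntrack is not present.
conntrack_usage_pct() {
    local text count max
    text=$(cat)
    count=$(printf '%s\n' "$text" | sysctl_value net.netfilter.nf_conntrack_count)
    max=$(printf '%s\n' "$text" | sysctl_value net.netfilter.nf_conntrack_max)
    [ -n "$count" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# On a live host, feed real data instead of the samples:
#   conntrack_build_mode < "/boot/config-$(uname -r)"
#   sysctl -a 2>/dev/null | conntrack_usage_pct
echo "build mode: $(printf '%s\n' "$SAMPLE_CONFIG" | conntrack_build_mode)"
echo "table usage: $(printf '%s\n' "$SAMPLE_SYSCTL" | conntrack_usage_pct)%"
```

A `builtin` result with no conntrack entry in `lsmod` matches the situation described in the reply at the top of this message.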