Not sure if this is the 'definitivish' you're looking for or the most correct answer, but it's what I do for various cases where the overhead of conntrack is not desired due to high volume. Not specific to port 80, and I find it useful for various other ports whether or not they are handled via HAProxy.
## Disable conntrack on port 80 in both directions
## (raw table, so the packets never get a conntrack entry at all)
iptables -t raw -I OUTPUT -p tcp -m tcp --dport 80 -j NOTRACK
iptables -t raw -I OUTPUT -p tcp -m tcp --sport 80 -j NOTRACK
iptables -t raw -I PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
iptables -t raw -I PREROUTING -p tcp -m tcp --sport 80 -j NOTRACK

## And actually allow it through if not already allowed via more relaxed rules
## Untracked packets have no ESTABLISHED/RELATED state to match, so reply
## traffic (source port 80) has to be accepted explicitly as well
iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --sport 80 -j ACCEPT
iptables -I OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT

On Thu, May 7, 2015 at 8:11 AM, Neil - HAProxy List < [email protected]> wrote:
> Hello
>
> I'm after a 'definitivish' reference for setting up conntrack
>
> I've been hit by having too small a table on some new VMs as ubuntu, by
> default, sizes the table by memory size.
>
> Before that I was completely ignorant of the role of conntrack
>
> Having forced the size got rid of that but leaves me thinking I need to
> understand this better and do I want to track incoming http connections at
> all. Do I just want to conntrack http connections to backends?
>
> Googling has provided some answers but mainly more questions and it's hard
> to tell what to follow.
>
> Anyone got a good link? Something for the haproxy site/manuals to mention?
>
> Thanks,
>
> Neil
>
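Added example, not code from the list post or from HAProxy: a small POSIX sh script that shows the two things a practitioner wants to verify after applying rules like the ones above, namely how close the conntrack table is to its limit (the "table full, dropping packet" condition Neil hit) and whether a given port really is excluded from tracking in both chains and both directions. The sysctl paths are the standard nf_conntrack ones; the sample counts and the SAMPLE_RULES text (shaped like `iptables -t raw -S` output) are constructed here so the script also runs offline.

```shell
#!/bin/sh
# Added example (not from the list post): check conntrack table usage and
# whether a port is excluded from tracking via NOTRACK rules in the raw table.
# Sample values and SAMPLE_RULES below are constructed for offline use.

COUNT_FILE=/proc/sys/net/netfilter/nf_conntrack_count
MAX_FILE=/proc/sys/net/netfilter/nf_conntrack_max

# Constructed sample of `iptables -t raw -S` output after the port 80 rules.
SAMPLE_RULES='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j NOTRACK
-A PREROUTING -p tcp -m tcp --sport 80 -j NOTRACK
-A OUTPUT -p tcp -m tcp --dport 80 -j NOTRACK
-A OUTPUT -p tcp -m tcp --sport 80 -j NOTRACK'

# conntrack_usage_pct COUNT MAX: prints the integer percentage of the table in use.
conntrack_usage_pct() {
    if [ "$2" -le 0 ]; then echo 0; return 0; fi   # unknown/zero max: report 0
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status COUNT MAX THRESHOLD: prints "warn" when usage is at or above
# THRESHOLD percent, else "ok". At 100% the kernel logs
# "nf_conntrack: table full, dropping packet", so warn well before that.
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge "$3" ]; then echo warn; else echo ok; fi
}

# notrack_covered RULES PORT: succeeds only when RULES (iptables -t raw -S output)
# carry a NOTRACK rule for PORT as --dport and as --sport in both PREROUTING and
# OUTPUT, i.e. inbound and outbound flows are untracked in both directions.
notrack_covered() {
    for chain in PREROUTING OUTPUT; do
        for dir in dport sport; do
            printf '%s\n' "$1" | grep -q -- "-A $chain .*--$dir $2 .*-j NOTRACK" || return 1
        done
    done
    return 0
}

# report: uses live values on a Linux host with nf_conntrack loaded and iptables
# runnable; otherwise falls back to the constructed samples and says so.
report() {
    if [ -r "$COUNT_FILE" ] && [ -r "$MAX_FILE" ]; then
        cur=$(cat "$COUNT_FILE"); lim=$(cat "$MAX_FILE"); csrc=live
    else
        cur=61000; lim=65536; csrc="constructed sample"
    fi
    echo "conntrack: $cur/$lim entries ($(conntrack_usage_pct "$cur" "$lim")%, $csrc): $(conntrack_status "$cur" "$lim" 90)"

    if command -v iptables >/dev/null 2>&1 && rules=$(iptables -t raw -S 2>/dev/null); then
        rsrc=live
    else
        rules=$SAMPLE_RULES; rsrc="constructed sample"
    fi
    if notrack_covered "$rules" 80; then
        echo "port 80 ($rsrc rules): NOTRACK in PREROUTING and OUTPUT, both directions"
    else
        echo "port 80 ($rsrc rules): still tracked in at least one chain/direction"
    fi
}

report
```

Run it as root on the box after loading the rules and it reports the live table fill and whether port 80 is fully untracked; the 90% warning threshold is a hypothetical value, pick whatever margin suits your traffic. The notrack_covered check deliberately insists on all four rules, because a missing --sport rule in PREROUTING would silently leave every reply packet from a port 80 backend creating conntrack entries again.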

