Hi,

We have a theory about the cause of your problem: when a connection is established through your firewall, an entry is created in a table that tracks these connections. As you already know, these connections can be seen by reading the file /proc/net/ip_conntrack. The entries in this table are removed 2 minutes _after_ the (TCP) connection is terminated. The reason that the entry is not removed immediately is that TCP keeps the socket open for a while after the connection is closed, to answer retransmitted FIN packets. If the traffic that goes through the firewall consists of many short connections (e.g. web traffic), the table that tracks the connections may be filled with entries for which the actual connection is already closed. You can check this by looking for connections that have the label "TIME_WAIT" when you cat/grep ip_conntrack.

Connection tracking in netfilter allows 8192 connections with 128M memory (calculations based on comments in ip_conntrack_core.c). Check your kernel log for a line like "ip_conntrack (1024 buckets, 8192 max)"; the max is the max number of connections allowed. You should also check your kernel log for lines stating "Can't allocate conntrack." or "ip_conntrack: table full, dropping packet.", which indicate a problem with memory or the max limit.

On April 9th we posted a patch to netfilter/iptables that can be used to specify how long an entry in the connection tracking table should remain in the table after the actual connection is terminated. See:

http://lists.samba.org/pipermail/netfilter-devel/2002-April/004076.html

for the patch and a description of it.

There must be others who use netfilter in a production environment like yours. Does anyone on netfilter-devel have experiences with this high connection load? Or does anyone have another solution to this problem? Maybe you could just recompile with a higher limit.

If you use our patch we would be very interested in hearing about your experiences (or any bugs) or any other solutions you may find.

Regards,
Mikkel, Torben, Carsten
{mrb,mariachi,stiborg}@cs.auc.dk

BTW: we use this tool to monitor the connection tracking table: iptstate - http://home.earthlink.net/~jaymzh666/iptstate/

On Mon, 22 Apr 2002, zheng wrote:

> we use linux 2.4 as a firewall. the machine has 128M memory and we have
> about 200 people behind the firewall. we met some problem. sometimes the
> firewall costs up its resources and goes down. i checked with 'top' and
> found that the memory is used up. the file /proc/net/ip_conntrack
> records all the connections, and it grows fast. i think this may be the
> problem.
> how to solve the problem? to increase the memory is a solution, but
> that will not solve all the problem. or to get rid of ip_conntrack when
> compile the kernel? but we have to use nat.
> anyone have some good idea on it? thanks for help.
>
> zheng chuanbo
>
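The check the reply describes, counting TIME_WAIT entries in /proc/net/ip_conntrack and pulling the table limit and "table full" messages out of the kernel log, as an added shell example that is not part of the original thread. The conntrack dump and log lines are constructed samples in the 2.4-era format so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises a 2.4-era
# /proc/net/ip_conntrack dump by state and extracts the limit and
# "table full" messages from the kernel log. The data below is
# constructed sample input so this runs offline; on a firewall, feed
# the real files in instead, e.g.:
#   time_wait_count < /proc/net/ip_conntrack
#   conntrack_max_from_log < /var/log/kern.log

# Constructed sample of /proc/net/ip_conntrack (one entry per line).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.1 sport=34567 dport=80 src=10.0.0.1 dst=192.168.1.10 sport=80 dport=34567 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.11 dst=10.0.0.2 sport=34568 dport=80 src=10.0.0.2 dst=192.168.1.11 sport=80 dport=34568 [ASSURED] use=1
tcp      6 113 TIME_WAIT src=192.168.1.12 dst=10.0.0.3 sport=34569 dport=80 src=10.0.0.3 dst=192.168.1.12 sport=80 dport=34569 [ASSURED] use=1
udp      17 29 src=192.168.1.13 dst=10.0.0.4 sport=1025 dport=53 src=10.0.0.4 dst=192.168.1.13 sport=53 dport=1025 use=1'

# Constructed sample kernel log lines (wording as quoted in the reply).
SAMPLE_KLOG='ip_conntrack (1024 buckets, 8192 max)
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.'

# Entries per state, read from stdin. TCP lines carry the state in
# field 4; UDP/ICMP lines have no state, so they are keyed by protocol.
conntrack_state_counts() {
    awk '{ s = ($1 == "tcp") ? $4 : $1; n[s]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# TIME_WAIT entries: connections already closed that still hold a slot
# until the timeout the reply describes expires.
time_wait_count() {
    awk '$1 == "tcp" && $4 == "TIME_WAIT" { c++ } END { print c + 0 }'
}

# Configured table size from the "(N buckets, M max)" boot message.
conntrack_max_from_log() {
    sed -n 's/.*ip_conntrack.*(\([0-9]*\) buckets, \([0-9]*\) max).*/\2/p' | head -n 1
}

# Number of logged drops or allocation failures; prints 0 if none.
conntrack_full_events() {
    grep -c -e 'table full, dropping packet' -e "Can't allocate conntrack" || true
}

# Demonstration on the constructed data.
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_state_counts
printf 'TIME_WAIT entries: %s\n' "$(printf '%s\n' "$SAMPLE_CONNTRACK" | time_wait_count)"
printf 'ip_conntrack max:  %s\n' "$(printf '%s\n' "$SAMPLE_KLOG" | conntrack_max_from_log)"
printf 'table-full events: %s\n' "$(printf '%s\n' "$SAMPLE_KLOG" | conntrack_full_events)"
```

A TIME_WAIT count that approaches the reported max while the ESTABLISHED count stays small is the pattern the reply is describing.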