Jean-Michel Hemstedt said:

> In my opinion, a first step should be to reconsider timeout values but
> also timer mechanisms.
I've been following this thread with interest as I recently also had conntrack related problems (failing to establish new connections due to the table being full). My machine is resource constrained (28M RAM) as it's only an ADSL gateway, yet when I count the number of connections it's tracking it varies between 300->600 connections, which bears little relation to what it should be. I exacerbate the problem by running gtk-gnutella, which entertains a lot of short-lived incoming connections that get closed by the application but still create long-lived conntrack entries.

>> I'm against changing the *default* timeout values, except when it
>> is based on real-life, well established cases.
>
> What sounds the most significant: 'TCP timeouts' or 'application
> timeouts'? Should (i.e.) HTTP, FTP and Telnet have the same lifetime in
> hash? Maybe an iptables marking approach (a-la tc)?

Alex
www.bennee.com/~alex/
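The complaint above (connections the application has already closed still occupying conntrack slots until their state timeout expires) is easy to quantify before touching any timeout. The script below is an added example, not code from this thread or from the netfilter project: it summarises a conntrack table dump per TCP state and counts the slots held by already-closed connections. It assumes the `/proc/net/ip_conntrack` line layout of 2.4 kernels (`tcp 6 <timeout> <STATE> src=...`) and also copes with the later `/proc/net/nf_conntrack` layout (`ipv4 2 tcp 6 <timeout> <STATE> ...`) by locating the protocol field instead of assuming a column. The sample dump and the addresses in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a conntrack table dump by
# TCP state, so you can see how many table slots are held by connections the
# application has already closed and how long each state keeps them.
#
# Assumed input layout, as in /proc/net/ip_conntrack on 2.4 kernels:
#   tcp      6 117 TIME_WAIT src=... dst=... sport=... dport=... [ASSURED] use=1
# The later /proc/net/nf_conntrack layout ("ipv4 2 tcp 6 117 TIME_WAIT ...")
# is handled as well because the protocol field is located, not assumed.

# Constructed sample dump (not real data): one peer still talking, several
# peers already closed by the application, one DNS lookup.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.0.2 dst=203.0.113.10 sport=6346 dport=6346 src=203.0.113.10 dst=192.168.0.2 sport=6346 dport=6346 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=203.0.113.11 dst=192.168.0.2 sport=40001 dport=6346 src=192.168.0.2 dst=203.0.113.11 sport=6346 dport=40001 [ASSURED] use=1
tcp      6 120 TIME_WAIT src=203.0.113.12 dst=192.168.0.2 sport=40002 dport=6346 src=192.168.0.2 dst=203.0.113.12 sport=6346 dport=40002 [ASSURED] use=1
tcp      6 9 TIME_WAIT src=203.0.113.13 dst=192.168.0.2 sport=40003 dport=6346 src=192.168.0.2 dst=203.0.113.13 sport=6346 dport=40003 [ASSURED] use=1
tcp      6 110 FIN_WAIT src=203.0.113.14 dst=192.168.0.2 sport=40004 dport=6346 src=192.168.0.2 dst=203.0.113.14 sport=6346 dport=40004 [ASSURED] use=1
tcp      6 40 CLOSE_WAIT src=203.0.113.15 dst=192.168.0.2 sport=40005 dport=6346 src=192.168.0.2 dst=203.0.113.15 sport=6346 dport=40005 [ASSURED] use=1
tcp      6 61 SYN_SENT src=192.168.0.2 dst=203.0.113.16 sport=40006 dport=6346 [UNREPLIED] src=203.0.113.16 dst=192.168.0.2 sport=6346 dport=40006 use=1
ipv4     2 tcp      6 115 TIME_WAIT src=203.0.113.17 dst=192.168.0.2 sport=40007 dport=6346 src=192.168.0.2 dst=203.0.113.17 sport=6346 dport=40007 [ASSURED] use=1
udp      17 29 src=192.168.0.2 dst=192.0.2.53 sport=1025 dport=53 src=192.0.2.53 dst=192.168.0.2 sport=53 dport=1025 use=1'

# Print one line per state: "STATE entries longest_remaining_timeout_seconds".
# Non-TCP protocols have no state and are reported under the protocol name.
conntrack_by_state() {
    printf '%s\n' "$1" | awk '
    {
        # The protocol name is the field followed by two integers
        # (protocol number, remaining timeout); true for both layouts.
        at = 0
        for (i = 1; i + 2 <= NF; i++)
            if ($(i + 1) ~ /^[0-9]+$/ && $(i + 2) ~ /^[0-9]+$/) { at = i; break }
        if (!at) next
        proto = $at
        timeout = $(at + 2) + 0
        if (proto == "tcp") state = $(at + 3); else state = proto
        count[state]++
        if (timeout > maxt[state]) maxt[state] = timeout
    }
    END { for (s in count) printf "%s %d %d\n", s, count[s], maxt[s] }
    ' | LC_ALL=C sort
}

# Count the entries that exist only because the conntrack entry outlives the
# socket: the application has closed, but the table slot is still occupied.
conntrack_closed_slots() {
    conntrack_by_state "$1" | awk '
    $1 == "FIN_WAIT" || $1 == "CLOSE_WAIT" || $1 == "LAST_ACK" ||
    $1 == "TIME_WAIT" || $1 == "CLOSE" { n += $2 }
    END { print n + 0 }'
}

# Stand-alone usage on the constructed sample. On a live gateway, feed the
# real table instead: conntrack_by_state "$(cat /proc/net/ip_conntrack)"
conntrack_by_state "$SAMPLE_CONNTRACK"
echo "slots held by already-closed connections: $(conntrack_closed_slots "$SAMPLE_CONNTRACK")"
```

The "longest remaining timeout" column is the part worth looking at before changing anything: on the sample, a few TIME_WAIT entries each hold a slot for up to two more minutes while the one ESTABLISHED entry sits on a five-day timeout, which is the asymmetry the thread is arguing about. On kernels that expose them, the per-state knobs are the `ip_conntrack_tcp_timeout_*` files under `/proc/sys/net/ipv4/netfilter/` (later `nf_conntrack_tcp_timeout_*` under `/proc/sys/net/netfilter/`); run the summary before and after a change so the reduction in held slots is measured rather than assumed.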