I understand the concern. But just a quick question: how many
percent of the TCP sessions of these 2300 nodes and 40000 users
would end up in a dead TCP_CONNTRACK_ESTABLISHED state, i.e.,
dead sessions with no FIN or RST packet detected? And what
would an acceptable timeout be for these scenarios? If you know
these answers then you could tweak the code to meet your goals.

Ramin

On Fri, Jun 21, 2002 at 09:54:11AM -0500, Preston Wade wrote:

> Hello All,
> 
> I am curious to get other people's thoughts about the 5 Day timeout for the
> following variable: TCP_CONNTRACK_ESTABLISHED.  This value seems high for
> high traffic firewalls.  For instance if I wanted to use netfilter for a
> firewall between my corporate network and my WAN, which has roughly 2300
> nodes and 40000 users.  It seems to me like you would run out of STATE
> memory and with most connections being TCP it would take 5 days before most
> of them would timeout.  I realize I could modify the value and recompile...
> although it would be nice to be able to modify these with sysctl.conf or via
> the /proc filesystem.
> 
> Thanks,
> Preston
> 

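One way to answer Ramin's question from real data, as an added example that is not part of this thread: dump the conntrack table and measure how long each ESTABLISHED entry has been idle. Because conntrack resets the remaining timeout to the maximum on every packet it sees, idle time is the 5-day maximum (432000 s) minus the remaining seconds shown in the table. The sample lines below are constructed, and the script assumes the `/proc/net/ip_conntrack` column layout (protocol name, protocol number, seconds until expiry, TCP state, tuples).

```python
import re

# Default TCP_CONNTRACK_ESTABLISHED timeout discussed in the thread: 5 days.
ESTABLISHED_TIMEOUT = 5 * 24 * 60 * 60  # 432000 seconds

# Constructed sample of /proc/net/ip_conntrack lines (not a real capture).
# Columns: proto, protonum, seconds until expiry, TCP state, tuples, flags.
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=10.1.1.5 dst=203.0.113.7 sport=4001 dport=80 src=203.0.113.7 dst=10.1.1.5 sport=80 dport=4001 [ASSURED] use=1
tcp      6 400000 ESTABLISHED src=10.1.1.6 dst=203.0.113.7 sport=4002 dport=443 src=203.0.113.7 dst=10.1.1.6 sport=443 dport=4002 [ASSURED] use=1
tcp      6 300000 ESTABLISHED src=10.1.1.7 dst=203.0.113.9 sport=4003 dport=22 src=203.0.113.9 dst=10.1.1.7 sport=22 dport=4003 [ASSURED] use=1
tcp      6 100000 ESTABLISHED src=10.1.1.8 dst=203.0.113.9 sport=4004 dport=25 src=203.0.113.9 dst=10.1.1.8 sport=25 dport=4004 [ASSURED] use=1
tcp      6 110 TIME_WAIT src=10.1.1.9 dst=203.0.113.7 sport=4005 dport=80 src=203.0.113.7 dst=10.1.1.9 sport=80 dport=4005 [ASSURED] use=1
udp      17 25 src=10.1.1.10 dst=203.0.113.53 sport=5005 dport=53 src=203.0.113.53 dst=10.1.1.10 sport=53 dport=5005 use=1
"""

# proto name, protocol number, remaining seconds, optional upper-case TCP state
LINE_RE = re.compile(r"^(?P<proto>\w+)\s+\d+\s+(?P<left>\d+)\s+(?P<state>[A-Z_]+)?")

def parse_established(text):
    """Return the idle time (seconds since the last packet) of every ESTABLISHED TCP entry.

    Idle time is inferred as ESTABLISHED_TIMEOUT - remaining, because conntrack
    resets the remaining timeout to the maximum whenever a packet matches the entry.
    """
    idle = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") != "tcp" or m.group("state") != "ESTABLISHED":
            continue
        idle.append(ESTABLISHED_TIMEOUT - int(m.group("left")))
    return idle

def expired_fraction(idle_times, candidate_timeout):
    """Fraction of ESTABLISHED entries a smaller timeout would already have dropped."""
    if not idle_times:
        return 0.0
    return sum(1 for t in idle_times if t >= candidate_timeout) / len(idle_times)

if __name__ == "__main__":
    idle = parse_established(SAMPLE)
    for hours in (1, 6, 24):
        frac = expired_fraction(idle, hours * 3600)
        print(f"{hours:3d}h timeout would have expired {frac:.0%} of ESTABLISHED entries")
```

The fraction counts idle-but-live sessions as well as truly dead ones, so it is an upper bound on how many entries a lower timeout would remove; read it against the table size limit before changing the value.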