On 06/12/16 15:00, Miroslav Lichvar wrote:
> On Tue, Dec 06, 2016 at 10:06:27AM +1000, Paul Gear wrote:
>> If you need conntrack for other purposes, you can exclude NTP from it
>> with something like:
>>
>> iptables -t raw -I PREROUTING -j NOTRACK -p udp --dport 123
>
> A similar rule should be in the OUTPUT chain, so responses don't
> create connections. On newer kernels it looks like this:
>
> iptables -t raw -I OUTPUT -p udp --sport 123 -j CT --notrack
> iptables -t raw -I PREROUTING -p udp --dport 123 -j CT --notrack
>
> This seems to be a common problem. Maybe it should be included in the
> recommendations on the pool configuration page?
For our EdgeOS routers (Vyatta/VyOS have similar configuration):

    set system conntrack ignore rule 10 destination port 123
    set system conntrack ignore rule 10 protocol udp
    set system conntrack ignore rule 20 source port 123
    set system conntrack ignore rule 20 protocol udp

And for shorewall-conntrack(5):

    NOTRACK - - udp 123
    NOTRACK - - udp - 123

I've filed a feature request to ignore certain flows in the switch hardware. Apparently it has a limit of 512k flows over 120 seconds, which works out to be 4266 flows/second, but looking at the graph I was getting 5000+ requests/second, so no wonder it fell over: http://leobodnar.com/LeoNTP/CCGS.php

I've unfirewalled it again; it should cope fine with just Australian traffic for the time being once it re-enters the pool.

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
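The raw-table rule pair from the quoted reply, wrapped as an added example script (not from the thread or the pool project) that installs both directions idempotently so it can be re-run from a hook; the IPTABLES and NTP_PORT variables and the function names are assumptions of this example, and only IPv4 is handled.

```shell
#!/bin/sh
# Added example: keep NTP (UDP/123) out of conntrack in both directions.
# IPTABLES may be overridden with a dry-run or fake command (assumption
# of this example, not a feature of iptables itself).
set -e

NTP_PORT="${NTP_PORT:-123}"
IPTABLES="${IPTABLES:-iptables}"

# Print the rules that must exist in the raw table, one per line, as
# "CHAIN match/target". Requests arrive on --dport; replies leave on
# --sport. Without the OUTPUT rule each reply still creates an entry,
# so the table fills up even though inbound packets are untracked.
ntp_notrack_rules() {
    port="${1:-$NTP_PORT}"
    printf '%s\n' \
        "PREROUTING -p udp --dport $port -j CT --notrack" \
        "OUTPUT -p udp --sport $port -j CT --notrack"
}

# Insert each rule at the top of its chain only if it is not already
# present (iptables -C exits non-zero when the rule is missing), so
# repeated runs never stack duplicate rules.
apply_ntp_notrack() {
    ntp_notrack_rules "$@" | while read -r chain spec; do
        # shellcheck disable=SC2086  # splitting $spec into args is intended
        if ! "$IPTABLES" -t raw -C "$chain" $spec 2>/dev/null; then
            "$IPTABLES" -t raw -I "$chain" $spec
        fi
    done
}

# Show what is installed; after a minute of traffic,
# "conntrack -L -p udp --dport 123" should list nothing.
verify_ntp_notrack() {
    "$IPTABLES" -t raw -S | grep -- '--notrack'
}
```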
