On 4 May 2005, at 18:22, Brian Grossman wrote:
> On Wed, 4 May 2005 16:22:53 -0400 Matt Sergeant <[EMAIL PROTECTED]> wrote:
>> I'd love to hear of a larger scale rollout of high_perf. We've been pretty happy with it so far (except for ip_conntrack tables filling up - if anyone knows why that is - I suspect it's to do with Danga::DNS - please let me know).
> On what scale are you using high_perf?
Spamtrap. About 2-4 million mails/day.
> Is Danga::DNS::Resolver talking to your nameserver, or is it doing the lookups itself? Is there an ip_conntrack running between ::Resolver and your nameserver?
Yes, it talks to the local nameserver. There shouldn't be conntrack running between qpsmtpd and dnscache, but I don't know. It's using the gShield firewall scripts, so it's rather over-complex. Someone is working on simplifying it for me.
> In terms of mitigation:
> What's your /proc/sys/net/ipv4/ip_conntrack_max set to?
It's now set to 4 million. As is the hash size :-)
> You could send DNS to the -t raw -j NOTRACK target.
Might be an easy fix.
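As an added example, not code from either poster or from the qpsmtpd project: a small sh script that does two things discussed above. It prints (does not run) the raw-table NOTRACK rules that exempt DNS traffic to a nameserver from connection tracking, and it counts how many entries in an ip_conntrack table dump were created by DNS lookups, so the "Danga::DNS is filling the table" suspicion can be checked before the firewall is touched. Assumptions: the nameserver address is a parameter (127.0.0.1 for a local dnscache is used in the stand-alone run), and the table lines embedded in the script are constructed for illustration, not taken from anyone's system.

```shell
#!/bin/sh
# Added example for the conntrack discussion above; not from the thread.
# Assumptions: nameserver address and table path are parameters; the
# sample table in write_sample_table is constructed, not a real capture.

# Print (do not execute) raw-table rules that keep DNS traffic between this
# host and the nameserver out of connection tracking. Review the output and
# pipe it to sh as root. Untracked packets carry no conntrack state, so a
# filter chain that only accepts "-m state --state ESTABLISHED" will not
# match the DNS replies: add explicit ACCEPT rules for port 53 (or for
# --state UNTRACKED where the iptables build supports it).
dns_notrack_rules() {
  ns="$1"   # nameserver IP, e.g. 127.0.0.1 for a dnscache on the same host
  for proto in udp tcp; do
    # queries leaving this host ...
    printf 'iptables -t raw -A OUTPUT     -p %s -d %s --dport 53 -j NOTRACK\n' "$proto" "$ns"
    # ... and replies coming back (loopback traffic also traverses PREROUTING)
    printf 'iptables -t raw -A PREROUTING -p %s -s %s --sport 53 -j NOTRACK\n' "$proto" "$ns"
  done
}

# Count entries whose original-direction destination port is 53, i.e. the
# entries created by DNS lookups. $1 is a file in /proc/net/ip_conntrack
# format (2.6 kernels of that era); /proc/net/nf_conntrack on newer kernels
# adds a prefix but keeps the same src=/dst=/sport=/dport= fields, so the
# field search below works for both.
count_dns_entries() {
  awk '
    {
      for (i = 1; i <= NF; i++) {
        if (index($i, "dport=") == 1) {   # first dport= field: original direction
          if ($i == "dport=53") n++
          break
        }
      }
    }
    END { print n + 0 }' "$1"
}

# Constructed sample table (not a capture): four DNS entries, two others.
write_sample_table() {
  cat > "$1" <<'EOF'
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=40001 dport=53 [UNREPLIED] src=10.0.0.1 dst=10.0.0.5 sport=53 dport=40001 use=1
udp      17 21 src=10.0.0.5 dst=10.0.0.1 sport=40002 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=40002 use=1
udp      17 12 src=10.0.0.5 dst=10.0.0.1 sport=40003 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=40003 use=1
tcp      6 431990 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=40004 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=40004 [ASSURED] use=1
tcp      6 299 ESTABLISHED src=198.51.100.7 dst=10.0.0.5 sport=51234 dport=25 src=10.0.0.5 dst=198.51.100.7 sport=25 dport=51234 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=10.0.0.5 sport=51235 dport=22 src=10.0.0.5 dst=10.0.0.9 sport=22 dport=51235 [ASSURED] use=1
EOF
}

# Stand-alone run: show the rules, then the DNS share of the sample table.
sample="${TMPDIR:-/tmp}/ip_conntrack.sample.$$"
write_sample_table "$sample"
dns_notrack_rules 127.0.0.1
echo "DNS entries in sample table: $(count_dns_entries "$sample") of $(wc -l < "$sample" | tr -d ' ')"
rm -f "$sample"
```

On the live box, `count_dns_entries /proc/net/ip_conntrack` compared with `/proc/sys/net/ipv4/netfilter/ip_conntrack_count` shows what share of the table DNS is holding. Each UDP lookup keeps an entry alive for ip_conntrack_udp_timeout (30 seconds by default on 2.6 kernels), so a resolver doing several lookups per message at millions of messages a day sustains a large steady-state population; raising ip_conntrack_max and the hash size buys headroom, while NOTRACK removes those entries altogether.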
