My new Bering firewall stopped passing new traffic recently (lots of "ip_conntrack: table full, dropping packet." messages), sending me on a quest which resulted in uncovering the following bits of wisdom:

- The default sizes for ip_conntrack_max and hashsize (the number of separate connections that can be tracked, and the size of the hash table that keeps track of them, respectively) default to a percentage of your total memory size. This percentage is geared towards a 'general use' workstation with lots more memory (and fewer connections to track) than a typical special-purpose firewall box.

- The hash table works much better when its size is a prime number.

Details can be found in the following document:
http://www.wallfire.org/misc/netfilter_conntrack_perf.txt

Note that you can increase ip_conntrack_max at runtime, but the hash table size can only be adjusted when loading the ip_conntrack module (or at compile time, if compiled into the kernel).

A handy table of prime numbers good for hash table sizes can be found at PlanetMath:
http://planetmath.org/encyclopedia/GoodHashTablePrimes.html


--
Charles Steinkuehler
[EMAIL PROTECTED]
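As an added example (not part of the original message), a small POSIX shell script that picks a prime hash table size for a chosen ip_conntrack_max and prints, without applying them, the two commands the post distinguishes: the runtime /proc write and the load-time modprobe parameter. The 8:1 ratio between ip_conntrack_max and hashsize is an assumption taken from the kernel's default relation between the two.

```shell
#!/bin/sh
# Added example, not part of the original post: choose a prime hash table
# size for a target ip_conntrack_max and print the commands to apply both.
# Assumption: 8:1 ratio of ip_conntrack_max to hashsize (the kernel's own
# default relation); paths are the 2.4-era ip_conntrack ones the post uses.

# is_prime N: succeed if N is prime (trial division, adequate for these sizes)
is_prime() {
    n=$1
    [ "$n" -lt 2 ] && return 1
    [ "$n" -lt 4 ] && return 0
    [ $((n % 2)) -eq 0 ] && return 1
    d=3
    while [ $((d * d)) -le "$n" ]; do
        [ $((n % d)) -eq 0 ] && return 1
        d=$((d + 2))
    done
    return 0
}

# next_prime N: smallest prime >= N
next_prime() {
    p=$1
    while ! is_prime "$p"; do
        p=$((p + 1))
    done
    echo "$p"
}

# conntrack_hashsize MAX: prime bucket count for MAX tracked connections
conntrack_hashsize() {
    next_prime $(($1 / 8))
}

# conntrack_commands MAX: print (not run) the runtime and load-time settings
conntrack_commands() {
    max=$1
    hs=$(conntrack_hashsize "$max")
    echo "# runtime-adjustable:"
    echo "echo $max > /proc/sys/net/ipv4/ip_conntrack_max"
    echo "# only at module load (or compile time if built into the kernel):"
    echo "modprobe ip_conntrack hashsize=$hs"
}

# Usage: sh conntrack_plan.sh 65536
if [ -n "${1:-}" ]; then
    conntrack_commands "$1"
fi
```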


