İlker Aktuna (Koç.net) wrote:
> Hi,
>
> I've been observing my ip_conntrack_count for a while.
> It never reaches the upper limit defined as 16384 in
> /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> The problem occurs when it is around 400-500.
>
> So this does not seem to be related to the conntrack table being filled up.
> But it is resolving with the "conntrack -F" command.
> Very interesting. What else can I do to understand the nature of this
> problem?
My only suggestion is that if you are loading the SIP helpers (which
Shorewall does by default), then try NOT loading them. Others have
reported problems with the modules but those problems usually consist of
one-way audio. The modules are named nf_conntrack_sip and nf_nat_sip in
current kernels; they were called ip_conntrack_nat and ip_nat_sip in
earlier versions. See the DONT_LOAD option in shorewall.conf.

> Below you are referring to CONNLIMIT. I didn't define anything like that, but
> where is it being defined? Maybe it is defined by default.

No.

> I am desperately looking for help. This issue is really very disturbing.

I'm afraid that you are looking for help in the wrong place -- you need to
be talking to the Netfilter developers on the netfilter-devel mailing list.

-- 
Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net  \________________________________________________
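The two checks Tom's reply implies (are the SIP helpers actually loaded, and how full is the conntrack table relative to ip_conntrack_max) as a small POSIX shell script. This is an added example, not code from the thread or from Shorewall; the lsmod text is constructed sample input, the helper module names are the ones the reply gives, and the DONT_LOAD value is an assumed comma-separated list in the format shorewall.conf documents, to be adjusted to the module names your kernel actually uses.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Shorewall project.
# Checks whether the netfilter SIP helpers are loaded and reports conntrack
# table usage, so "table full" can be ruled in or out before flushing.

# Module names from the reply: current kernels use nf_conntrack_sip /
# nf_nat_sip; older kernels used ip_*_sip names (all four are checked).
SIP_HELPERS="nf_conntrack_sip nf_nat_sip ip_conntrack_sip ip_nat_sip"

# Constructed sample lsmod output (not captured from a real host).
SAMPLE_LSMOD="Module                  Size  Used by
nf_nat_sip             12345  0
nf_conntrack_sip       23456  1 nf_nat_sip
nf_conntrack           67890  2 nf_nat_sip,nf_conntrack_sip"

# Constructed sample with no SIP helper present.
SAMPLE_LSMOD_NOSIP="Module                  Size  Used by
nf_conntrack           67890  0"

# sip_helpers_loaded LSMOD_TEXT
#   Prints each SIP helper module found in the given lsmod output, one per
#   line, in the order of SIP_HELPERS. Returns 0 if any was found, else 1.
sip_helpers_loaded() {
    found=1
    for m in $SIP_HELPERS; do
        # lsmod's first column is the module name; match it exactly.
        if printf '%s\n' "$1" | awk -v m="$m" '$1 == m { hit=1 } END { exit !hit }'; then
            echo "$m"
            found=0
        fi
    done
    return "$found"
}

# conntrack_usage COUNT MAX
#   Prints the integer percentage of the conntrack table in use. With the
#   thread's numbers (400-500 of 16384) this is about 2%, i.e. nowhere near
#   full, which is the point the original poster makes.
conntrack_usage() {
    echo $(( $1 * 100 / $2 ))
}

# dont_load_line
#   Prints the shorewall.conf setting that stops Shorewall from loading the
#   SIP helpers. The comma-separated list format is per shorewall.conf(5);
#   the specific module names are an assumption for current kernels.
dont_load_line() {
    echo "DONT_LOAD=nf_conntrack_sip,nf_nat_sip"
}

# live_report
#   Runs the same checks against the running system, when the tools and
#   /proc entries are present. Not invoked by default; call it by hand.
live_report() {
    if command -v lsmod >/dev/null 2>&1; then
        if sip_helpers_loaded "$(lsmod)"; then
            echo "SIP helpers are loaded; to test without them add to shorewall.conf:"
            dont_load_line
        else
            echo "No SIP helper modules loaded."
        fi
    fi
    nf=/proc/sys/net/netfilter
    ipv4=/proc/sys/net/ipv4/netfilter
    for dir in "$nf" "$ipv4"; do
        for cnt in nf_conntrack_count ip_conntrack_count; do
            for max in nf_conntrack_max ip_conntrack_max; do
                if [ -r "$dir/$cnt" ] && [ -r "$dir/$max" ]; then
                    echo "conntrack: $(cat "$dir/$cnt") of $(cat "$dir/$max") entries ($(conntrack_usage "$(cat "$dir/$cnt")" "$(cat "$dir/$max")")%)"
                    return 0
                fi
            done
        done
    done
    echo "conntrack counters not found under /proc (module not loaded?)"
}
```

Run `live_report` on the firewall itself to see the live numbers; after changing DONT_LOAD, restart Shorewall and confirm with `lsmod` that the helper modules are gone, since a module already loaded is not unloaded by DONT_LOAD alone.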
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
