NetFilter Introduction
Netfilter in the Linux kernel is a powerful stateful firewall built on a connection tracking (conntrack) implementation. Conntrack is the core of netfilter: many of its advanced features, such as network address translation (NAT) and content-based application identification (the L7, layer-7 module), are built on top of connection tracking.
The nf_conntrack module was introduced in kernel 2.6.15 (released 2006-01-03) to support both IPv4 and IPv6, replacing the IPv4-only ip_conntrack; it tracks the state of each connection for use by other modules.
Main parameters
# Hash table size (read-only via sysctl) (on a 64-bit system with 8 GB of memory the default is 65536; 16 GB doubles it, and so on)
net.netfilter.nf_conntrack_buckets
# Maximum number of tracked connections, default nf_conntrack_buckets * 4
net.netfilter.nf_conntrack_max
net.nf_conntrack_max
- Note: Tracked connections are stored in a hash table; each bucket holds one linked list, with a default length of 4KB.
- Note: The netfilter hash table lives in kernel memory, which cannot be swapped out.
- Note: Hash table size: on 64-bit, maximum number of connections / 8; on 32-bit, maximum number of connections / 4.
- Note: On a 32-bit system, each tracked connection takes about 300 bytes.
- Note: On 64-bit, with conntrack_max = 1048576 and hashsize = 262144, memory use reaches up to 350 MB.
Viewing status
1. Find buckets (hash table size) and max (maximum number of tracked connections)
# Netfilter prints the bucket count and max when the module is loaded:
sudo dmesg | grep conntrack
Result:
[6010550.921211] nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
2. Check hash table (slab) usage
# The first 4 numbers are: current number of active objects, total number of available objects, size of each object (bytes), objects per slab
grep conntrack /proc/slabinfo
Result:
nf_conntrack_ffffffff81ad9d40 865 918 4 : tunables 0 0 0 : slabdata 0
3. Find the number of connections currently being tracked
cat /proc/net/nf_conntrack | wc -l
4. Tracked connection details
cat /proc/net/nf_conntrack
Result:
ipv4 2 tcp 6 2 CLOSE src=100.116.203.128 dst=172.16.105.212 sport=62226 dport=8080 src=172.16.105.212 dst=100.116.203.128 sport=8080 dport=62226 [ASSURED] mark=0 zone=0 use=2
# Record format
# Network-layer protocol name, network-layer protocol number, transport-layer protocol name, transport-layer protocol number, seconds left before the entry expires, connection state (not every protocol has one)
# These are followed by key=value or flag fields. A key (such as src and dst) may appear up to twice in one row: the first occurrence comes from the request (original direction), the second from the response (reply direction).
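As an added example (not part of the original post), the shell functions below parse lines in the /proc/net/nf_conntrack format just described, read from stdin, and summarise them: the total number of entries (what `wc -l` gives), entries per TCP state, and the original-direction source addresses that hold the most entries, which is the usual first question when the table fills up. The sample lines are constructed for the demo; on a real host, pipe `cat /proc/net/nf_conntrack` into the same functions.

```shell
#!/bin/sh
# Added example, not from the original post: summarise a /proc/net/nf_conntrack dump.
# Line layout: L3 proto name, L3 proto number, L4 proto name, L4 proto number,
# seconds to expiry, [state for TCP], then key=value fields; the first src=/dst=
# pair is the original direction, the second pair is the reply direction.

# Constructed sample in the format `cat /proc/net/nf_conntrack` prints; not a real capture.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 2 CLOSE src=100.116.203.128 dst=172.16.105.212 sport=62226 dport=8080 src=172.16.105.212 dst=100.116.203.128 sport=8080 dport=62226 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=172.16.105.212 sport=40001 dport=8080 src=172.16.105.212 dst=10.0.0.5 sport=8080 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 119 TIME_WAIT src=10.0.0.5 dst=172.16.105.212 sport=40002 dport=8080 src=172.16.105.212 dst=10.0.0.5 sport=8080 dport=40002 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp     17 29 src=10.0.0.9 dst=172.16.105.53 sport=51000 dport=53 src=172.16.105.53 dst=10.0.0.9 sport=53 dport=51000 mark=0 zone=0 use=2'

# Number of tracked entries; equivalent to `wc -l` on the file.
conntrack_count() { awk 'END { print NR }'; }

# Entries per TCP state. UDP lines carry no state column, so they are counted under "-".
# Prints "state count", one per line, sorted by state name.
conntrack_state_counts() {
    awk '{
        state = ($3 == "tcp") ? $6 : "-"
        n[state]++
    } END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# Entries per original-direction source address (the first src= field on each line),
# most entries first. Prints "count address".
conntrack_top_sources() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { split($i, kv, "="); n[kv[2]]++; break }
        }
    } END { for (a in n) print n[a], a }' | sort -rn
}

# Demo run on the constructed sample
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_count
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_state_counts
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_top_sources
```

The state breakdown is the quick way to see whether the table is full of short-lived TIME_WAIT/CLOSE entries (a timeout tuning problem) or of long-lived ESTABLISHED entries (a sizing problem), which decides which of the tuning steps below applies.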
Connection Tracking Tuning
- Calculation formulas
- conntrack_max (maximum number of tracked connections) = memory in GB * 1024 * 1024 * 1024 / 16384 / 2 = * * *
- buckets (hash table size) = conntrack_max / 4 = * * *
- Maximum memory used by the tracking entries = conntrack_max * (bytes per entry) = * * * bytes
Note: If the firewall cannot be turned off, the basic approach is to adjust nf_conntrack_buckets and nf_conntrack_max upward and shorten the timeouts.
Note: Apart from parameters that belong together, change one parameter at a time, record the default value first, and restore it if the effect is not noticeable or is worse.
1. Hash table bucket size tuning
Note: net.netfilter.nf_conntrack_buckets cannot be changed directly via sysctl (it returns an error)
# Takes effect immediately (lost at reboot)
echo 262144 > /sys/module/nf_conntrack/parameters/hashsize
# Permanent (takes effect after reboot): create a new file under /etc/modprobe.d/
2. Maximum number of tracked connections tuning
# Takes effect immediately
sudo sysctl -w net.netfilter.nf_conntrack_max=1048576
sudo sysctl -w net.nf_conntrack_max=1048576
# Permanent: add to the configuration file
net.netfilter.nf_conntrack_max=1048576
net.nf_conntrack_max=1048576
# To apply the settings in the configuration file right away:
sudo sysctl -p /etc/sysctl.conf
3. Timeout tuning
# Takes effect immediately
# FIN_WAIT is the last state of the side that closes actively. Default 120 seconds
sudo sysctl -w net.netfilter.nf_conntrack_tcp_timeout_fin_wait=30
sudo sysctl -w net.netfilter.nf_conntrack_tcp_timeout_time_wait=30
# CLOSE_WAIT: the passive side has received the FIN and sent its ACK, and leaves this state by sending its own FIN (entering LAST_ACK); unless the program has a bug, this state normally lasts a very short time. Default 60 seconds
sudo sysctl -w net.netfilter.nf_conntrack_tcp_timeout_close_wait=15
# In theory this need not be so long; anything not less than net.ipv4.tcp_keepalive_time is fine. Default 432000 seconds (5 days)
sudo sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=300
# Permanent
# Edit the kernel configuration file (/etc/sysctl.conf)
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=30
net.netfilter.nf_conntrack_tcp_timeout_time_wait=30
net.netfilter.nf_conntrack_tcp_timeout_close_wait=15
net.netfilter.nf_conntrack_tcp_timeout_established=300
# To apply the settings in the configuration file right away:
sudo sysctl -p /etc/sysctl.conf
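As an added example, not from the original post, the script below carries the three tuning steps through in one place: it derives conntrack_max and buckets from the RAM size with the formulas given in the tuning section, estimates the memory ceiling, and writes the permanent settings as a sysctl fragment plus a modprobe.d options file. The bucket count goes through the module's hashsize parameter (the same value behind /sys/module/nf_conntrack/parameters/hashsize) because, as noted above, it cannot be set through sysctl. The file names 90-nf_conntrack.conf and nf_conntrack.conf, the use of a sysctl.d-style directory, and the 350 bytes-per-entry estimate are assumptions; the directories are parameters, so the demo writes to a scratch directory rather than /etc.

```shell
#!/bin/sh
# Added example, not from the original post: size conntrack from RAM and write the
# permanent settings. File names and the bytes-per-entry figure are assumptions.

# conntrack_max = RAM_GB * 1024 * 1024 * 1024 / 16384 / 2 (the post's formula; needs 64-bit shell arithmetic)
conntrack_max_for_gb() {
    echo $(( $1 * 1024 * 1024 * 1024 / 16384 / 2 ))
}

# buckets = conntrack_max / 4
buckets_for_max() {
    echo $(( $1 / 4 ))
}

# Memory ceiling in MB for $1 entries at $2 bytes each. The post quotes about 300 bytes
# per entry on 32-bit; ~350 bytes (an assumption) reproduces its 64-bit figure of
# 350 MB for conntrack_max=1048576.
conntrack_mem_mb() {
    echo $(( $1 * $2 / 1024 / 1024 ))
}

# Write the permanent settings.
#   $1 = directory standing in for /etc/sysctl.d (assumed layout; /etc/sysctl.conf works the same)
#   $2 = directory standing in for /etc/modprobe.d
#   $3 = RAM in GB
# Prints "conntrack_max buckets" so the caller can apply the live values as well.
write_conntrack_tuning() {
    max=$(conntrack_max_for_gb "$3")
    buckets=$(buckets_for_max "$max")
    cat > "$1/90-nf_conntrack.conf" <<EOF
net.netfilter.nf_conntrack_max=$max
net.nf_conntrack_max=$max
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=30
net.netfilter.nf_conntrack_tcp_timeout_time_wait=30
net.netfilter.nf_conntrack_tcp_timeout_close_wait=15
net.netfilter.nf_conntrack_tcp_timeout_established=300
EOF
    # nf_conntrack_buckets is read-only via sysctl; the module parameter sets it at load time.
    cat > "$2/nf_conntrack.conf" <<EOF
options nf_conntrack hashsize=$buckets
EOF
    echo "$max $buckets"
}

# Demo: an 8 GB host, written to a scratch directory instead of /etc
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/sysctl.d" "$demo_dir/modprobe.d"
write_conntrack_tuning "$demo_dir/sysctl.d" "$demo_dir/modprobe.d" 8
cat "$demo_dir/sysctl.d/90-nf_conntrack.conf" "$demo_dir/modprobe.d/nf_conntrack.conf"
echo "memory ceiling for 1048576 entries: $(conntrack_mem_mb 1048576 350) MB"
# On a real host the live equivalents are: sysctl -p <the sysctl file> and
# echo <buckets> > /sys/module/nf_conntrack/parameters/hashsize (until the next reboot).
```

For 8 GB the formulas give conntrack_max = 262144 and buckets = 65536, which matches the default bucket count the parameter section quotes for an 8 GB 64-bit host; doubling the RAM doubles both, as that section also states.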
Disabling the connection tracking module
Note: As long as iptables rules that use the state module are in place, it is not appropriate to turn off conntrack; otherwise those rules stop working.
# Example of such a condition
# With conntrack turned off there is no state information, so every packet is checked against the rule set from beginning to end, which hurts performance.
# For example this default rule (usually written first or very near the top):
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Disabling steps
1. First confirm that removing the module will not affect functionality
# 1. Find the related modules
sudo lsmod | egrep "ip_table|iptable|nat|conntrack"
# 2. Remove the rules that use -t nat or -m state
# or delete the corresponding content in /etc/sysconfig/iptables
# View the iptables rules
sudo iptables-save
# 3. Edit the iptables configuration file
# Locate IPTABLES_MODULES and delete any module related to conntrack (if any)
sudo vim /etc/sysconfig/iptables-config
# 4. Stop iptables
# CentOS 6
sudo service iptables stop
# CentOS 7
sudo systemctl stop iptables
2. Remove the relevant modules
# Remove the related modules
sudo rmmod iptable_nat
sudo rmmod ip6table_nat
sudo rmmod nf_defrag_ipv4
sudo rmmod nf_defrag_ipv6
sudo rmmod nf_nat
sudo rmmod nf_nat_ipv4
sudo rmmod nf_nat_ipv6
sudo rmmod nf_conntrack
sudo rmmod nf_conntrack_ipv4
sudo rmmod nf_conntrack_ipv6
sudo rmmod xt_conntrack
# To load them back again
sudo modprobe iptable_nat
sudo modprobe ip6table_nat
sudo modprobe nf_defrag_ipv4
sudo modprobe nf_defrag_ipv6
sudo modprobe nf_nat
sudo modprobe nf_nat_ipv4
sudo modprobe nf_nat_ipv6
sudo modprobe nf_conntrack
sudo modprobe nf_conntrack_ipv4
sudo modprobe nf_conntrack_ipv6
sudo modprobe xt_conntrack
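As an added example (not from the original post), the two checks below support the confirmation step before any rmmod. The first reads an iptables-save dump and lists every rule that depends on connection tracking (anything in the nat table, or any rule using -m state or -m conntrack), exiting non-zero when such rules exist. The second reads lsmod output and proposes an rmmod order in which each module is removed only after every module listed in its "Used by" column, since rmmod refuses a module that another loaded module still depends on. Both sample inputs are constructed; on a real host run `sudo iptables-save | conntrack_rules_in_use` and `lsmod | conntrack_unload_order`.

```shell
#!/bin/sh
# Added example, not from the original post: pre-checks before unloading conntrack.
# Both functions read text on stdin; the samples below are constructed, not captured.

# Constructed iptables-save dump: one nat rule and one -m state rule depend on conntrack.
SAMPLE_IPTABLES_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed lsmod output (columns: Module, Size, use count, users), deliberately listed
# with nf_conntrack first so that the ordering function has work to do.
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack          139264  3 xt_state,nf_nat,iptable_nat
nf_defrag_ipv4         16384  1 nf_conntrack
nf_nat                 45056  1 iptable_nat
xt_state               16384  1
iptable_nat            16384  1'

# List every rule that stops working without conntrack: any rule in the nat table, or any
# rule using -m state / -m conntrack. Exit status 1 if such rules exist, 0 if none do.
conntrack_rules_in_use() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /^-A / && (table == "nat" || / -m (state|conntrack) /) { print table ": " $0; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Propose an rmmod order from lsmod output: a module is emitted only once every module
# named in its "Used by" column has already been emitted. A module whose use count comes
# from something other than a module (for example a loaded rule set) is still listed;
# rmmod will refuse it until that user is gone, which is what the confirmation step is for.
conntrack_unload_order() {
    awk '
        NR > 1 && NF >= 3 { name[NR] = $1; users[$1] = $4; last = NR; total++ }
        END {
            while (done < total) {
                progress = 0
                for (i = 2; i <= last; i++) {
                    if (!(i in name)) continue
                    m = name[i]
                    if (m in removed) continue
                    ok = 1
                    n = split(users[m], u, ",")
                    for (j = 1; j <= n; j++) if (!(u[j] in removed)) ok = 0
                    if (ok) { print "rmmod " m; removed[m] = 1; done++; progress = 1 }
                }
                if (!progress) {
                    for (i = 2; i <= last; i++) if ((i in name) && !(name[i] in removed)) print "blocked: " name[i]
                    break
                }
            }
        }'
}

# Demo on the constructed samples
printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | conntrack_rules_in_use \
    || echo "conntrack is still required by the rules above; remove them before any rmmod"
printf '%s\n' "$SAMPLE_LSMOD" | conntrack_unload_order
```

On the constructed lsmod sample the proposed order is xt_state, iptable_nat, nf_nat, nf_conntrack, nf_defrag_ipv4: the users come out first and nf_conntrack is removed before nf_defrag_ipv4, which it depends on.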