[Wonderful] the way to handle ip_conntrack full on a NAT machine

Source: Internet
Author: User
Original paste: http://www.chinaunix.net/jh/4/367999.html

[Wonderful] Handling ip_conntrack full on a NAT machine (original) http://www.chinaunix.net Author: Cgweb Posted: 2005-01-17 08:29:31

Processing method of Conntrack table full
The iptables+squid proxy server I configured earlier had been working normally. Today I found the following on the console:
June 12:43:36 Red-hat kernel:ip_conntrack:table full, dropping packet.
June 12:49:51 Red-hat kernel:ip_conntrack:table full, dropping packet.
June 12:50:57 Red-hat kernel:ip_conntrack:table full, dropping packet.
June 12:57:38 Red-hat kernel:ip_conntrack:table full, dropping packet.

ip_conntrack is the connection tracking database (conntrack db), which holds the connections tracked by the NAT machine. How many records the connection tracking table can hold is controlled by a kernel variable that can be set through the IP sysctl interface. Each tracked connection consumes 350 bytes of kernel memory, so the default space fills up after a while. How big is the default space? Taking Red Hat as an example, it is 4096 on a machine with 64MB of memory, 8192 with 128MB and 16376 with 256MB; it can be viewed and set in /proc/sys/net/ipv4/ip_conntrack_max.
For example, to increase it to 81920, use the following command:
echo "81920" > /proc/sys/net/ipv4/ip_conntrack_max

That setting is not saved across reboots; to keep it after a reboot, add it to /etc/sysctl.conf:
net.ipv4.ip_conntract_max = 81920
After this change everything was normal; if the table fills up again, the value can be increased further.
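An added check, not part of the original post, for catching the condition described above before packets are dropped: it counts the kernel's "table full, dropping packet" messages in a constructed log sample, reports table usage from count and max files (stand-ins for /proc/sys/net/ipv4/ip_conntrack_count and ip_conntrack_max), and reproduces the post's memory and default-size figures (350 bytes per entry; the RAM/16384 default is my reading of the 2.4 kernel source, not something the post states).

```shell
#!/bin/sh
# Added example, not from the original post. The log lines below are constructed in the
# format the post shows; the count/max files stand in for the two /proc files.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jun 12 12:43:36 red-hat kernel: ip_conntrack: table full, dropping packet.
Jun 12 12:49:51 red-hat kernel: ip_conntrack: table full, dropping packet.
Jun 12 12:50:57 red-hat sshd[812]: Accepted password for root from 10.0.3.3
Jun 12 12:57:38 red-hat kernel: ip_conntrack: table full, dropping packet.
EOF

# Number of "table full" drop messages in a log file (matches nf_conntrack messages too).
conntrack_drop_events() {
    grep -c 'conntrack: table full, dropping packet' "$1"
}

# Percentage of the tracking table in use, from the count and max files.
conntrack_usage_pct() {
    count=$(cat "$1"); max=$(cat "$2")
    echo $(( count * 100 / max ))
}

# Exit 0 when usage is at or above a warning threshold (default 80%), so a cron job
# can alert well before the kernel starts dropping packets.
conntrack_near_full() {
    [ "$(conntrack_usage_pct "$1" "$2")" -ge "${3:-80}" ]
}

# Kernel memory a given ip_conntrack_max can consume, using the post's 350 bytes/entry.
conntrack_mem_kb() {
    echo $(( $1 * 350 / 1024 ))
}

# Default ip_conntrack_max a 32-bit 2.4 kernel derives from RAM: bytes / 16384
# (64MB -> 4096, 128MB -> 8192, the figures the post gives for Red Hat).
default_conntrack_max() {
    echo $(( $1 * 1024 * 1024 / 16384 ))
}

echo "drop events in sample log: $(conntrack_drop_events "$LOG")"
echo "81920 entries need about $(conntrack_mem_kb 81920) KB of kernel memory"
```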


Pdiunix back to: 2004-07-16 11:56:07

Write well, support original.

llzqq back to: 2004-07-16 12:43:37

It's been added to the word and answer.

the wind of the walk back to: 2004-07-16 15:43:25

This has long been known; this solution is only a stopgap, there is no real fix. It just overwrites earlier entries automatically once the limit is exceeded. Simply increasing the table size is not the ultimate solution: however large you set it, it will eventually be full. I have no choice but to restart the company's server (the company has nearly 1k computers) once a month, depressing.

q1208c back to: 2004-07-16 15:56:26

Asking "Wind" above: won't it empty itself? Keep going down the thread.

q1208c back to: 2004-07-16 16:06:58

Just checked it myself: the number of entries in the list does go down. When a connection finishes, it is deleted from the table.

coco520 back to: 2004-07-19 16:48:10

The default timeout for TCP connections in there is 5 days, which is too long when most of the traffic is HTTP; you can make it shorter. I have now adjusted it to 5 minutes, no problems so far. :)

test_tmp back to: 2004-07-20 08:58:44

Asking the poster above: how do you adjust it to 5 minutes? Thank you.

Nozxb back to: 2004-07-20 09:20:53

:)

Saman back to: 2004-07-22 16:46:39

Quoting the original post by "test_tmp":
    Asking the poster above: how do you adjust it to 5 minutes? Thank you.

The kernel needs to be recompiled; look up the specific method online, I did it a long time ago and have forgotten.
Personally I think the best way is to add memory, 1G is enough. And reboot once in a while.

the wind of the walk back to: 2004-07-25 12:41:01

Quoting the original post by "Saman":

    The kernel needs to be recompiled; look up the specific method online, I did it a long time ago and have forgotten.
    Personally I think the best way is to add memory, 1G is enough. And reboot once in a while.

Can you give me a hint?

Huter back to: 2004-09-14 09:37:56

Upgrading the kernel prevents ip_conntrack from filling up; with 96M of memory my NAT does not need to be restarted.

Double eyelid pig back to: 2005-01-06 09:35:17

It's not a matter of how much memory your NAT has and whether it needs a reboot; it's the number of connections being tracked. 32m doesn't need a reboot either ...

As for the solution, I recommend reading TCP/IP Illustrated first; the OP's solution only buys some time, it cannot really take effect ...

As for how to do it: modify some of the parameters under /proc/sys/net/ipv4/... so that connections are not kept alive too long, because many are just HTTP, short connections that close as soon as the response arrives, yet ip_conntrack still has to keep them ...

There is no need to recompile the kernel; generally just fine-tuning these parameters under /proc/sys/net/ipv4 is enough ... But it does not survive a restart.
To have it take effect after startup as well, add it to /etc/sysctl.conf ...
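The two settings the thread discusses (a larger ip_conntrack_max and a shorter ESTABLISHED timeout, 5 minutes instead of the 5-day default) written to a sysctl.conf-style file so they survive a reboot; this is an added example, not from the thread. The file path is a parameter and a constructed sample file is used; the timeout key name, net.ipv4.netfilter.ip_conntrack_tcp_timeout_established, is the 2.6-era name for the legacy ip_conntrack module (current kernels use net.netfilter.nf_conntrack_max and nf_conntrack_tcp_timeout_established), which the thread itself does not spell out.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a key=value into a sysctl.conf-style file,
# replacing the key if it is already there and appending it otherwise, so repeated runs
# never leave duplicate lines.

sysctl_persist() {   # key value file
    key=$1; value=$2; file=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp)
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Read a key's value back from the file (last occurrence wins, as sysctl -p applies them).
sysctl_file_get() {   # key file
    sed -n "s|^[[:space:]]*$1[[:space:]]*=[[:space:]]*||p" "$2" | tail -n 1
}

# The tuning discussed in the thread: a larger table and a 5-minute ESTABLISHED timeout
# instead of the 5-day default (432000 seconds).
apply_conntrack_tuning() {   # file
    sysctl_persist net.ipv4.ip_conntrack_max 81920 "$1"
    sysctl_persist net.ipv4.netfilter.ip_conntrack_tcp_timeout_established 300 "$1"
}

# Constructed sample standing in for /etc/sysctl.conf; it already has an older max value.
CONF=$(mktemp)
printf '%s\n' '# constructed sample' 'net.ipv4.ip_forward = 1' 'net.ipv4.ip_conntrack_max = 8192' > "$CONF"
apply_conntrack_tuning "$CONF"
cat "$CONF"
# On a real box the values are loaded with: sysctl -p /etc/sysctl.conf
```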

Skylove back to: 2005-01-16 23:54:28

Have the gateway periodically release the connections on the users' behalf ... Oh, hehe.
The hping command; whoever wants to argue, go look at LinuxForum, where the owner posted a method that I have been using for n months ...

Platinum back to: 2005-01-17 08:16:46

Download hping:
http://www.hping.org/download.html

./configure
make
make install

Write a script after installation:

Code:

#!/bin/bash

echo
echo "############################"
echo "# Edit by Youngh 2003.06.24 v1.1"
echo "# Usage: clr_conns IPAddress"
echo "# This'll clear all connections from this ip_address"
echo "# Example: /root/clr_conns 10.0.3.3"
echo "############################"
echo

# An IP address argument is required
if [ -z "$1" ]; then
    exit
fi

# Walk the ESTABLISHED TCP entries whose original-direction source is the given IP.
# ip_conntrack line layout: tcp 6 <timeout> ESTABLISHED src=.. dst=.. sport=.. dport=.. ...
grep -E "^tcp.{10,25}ESTABLISHED src=$1 " /proc/net/ip_conntrack | while read line; do
    S_ip=`echo $line | awk '{print substr($5,5)}'`      # strip "src="
    S_sock=`echo $line | awk '{print substr($7,7)}'`    # strip "sport="
    D_ip=`echo $line | awk '{print substr($6,5)}'`      # strip "dst="
    D_sock=`echo $line | awk '{print substr($8,7)}'`    # strip "dport="
    echo "$S_ip:$S_sock $D_ip:$D_sock"

    # One RST to the remote end, carrying the client's address and port, so the
    # connection is torn down and conntrack can expire the entry.
    hping2 $D_ip -R -s $S_sock -p $D_sock -a $S_ip -k -c 1 > /dev/null 2> /dev/null &
done

Save it as clr_conns.sh

Usage:

sh clr_conns.sh x.x.x.x

This clears the connections it lists.

Excerpt from: China Linux Forum
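Before resetting anything, it helps to see which hosts actually hold the entries. This added example (not the script above and not from the forum) parses constructed lines in the /proc/net/ip_conntrack format the script reads, counting ESTABLISHED TCP entries per LAN source and listing entries with a long remaining timeout, which is the 5-day default discussed earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. The sample is constructed in the legacy
# ip_conntrack line format; on a real box pass /proc/net/ip_conntrack instead
# (/proc/net/nf_conntrack lines carry two extra leading fields, so the field numbers shift).

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
tcp      6 431999 ESTABLISHED src=10.0.3.3 dst=203.0.113.10 sport=1041 dport=80 src=203.0.113.10 dst=192.0.2.1 sport=80 dport=1041 [ASSURED] use=1
tcp      6 299 ESTABLISHED src=10.0.3.3 dst=203.0.113.11 sport=1042 dport=443 src=203.0.113.11 dst=192.0.2.1 sport=443 dport=1042 [ASSURED] use=1
tcp      6 431000 ESTABLISHED src=10.0.3.7 dst=203.0.113.12 sport=2000 dport=80 src=203.0.113.12 dst=192.0.2.1 sport=80 dport=2000 [ASSURED] use=1
tcp      6 115 TIME_WAIT src=10.0.3.7 dst=203.0.113.13 sport=2001 dport=80 src=203.0.113.13 dst=192.0.2.1 sport=80 dport=2001 use=1
udp      17 28 src=10.0.3.9 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=192.0.2.1 sport=53 dport=5353 use=1
EOF

# Count ESTABLISHED TCP entries per original-direction source (the LAN client behind
# the NAT), most entries first. Output lines: "<count> <ip>".
conntrack_top_sources() {
    awk '$1 == "tcp" && $4 == "ESTABLISHED" { sub(/^src=/, "", $5); n[$5]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# List ESTABLISHED TCP entries whose remaining timeout (field 3, seconds) exceeds a
# limit: the idle entries a long tcp_timeout_established keeps in the table.
# Output lines: "<timeout> <src_ip>:<sport> -> <dst_ip>:<dport>".
conntrack_long_timeout() {
    awk -v limit="$2" '$1 == "tcp" && $4 == "ESTABLISHED" && $3 + 0 > limit + 0 {
        print $3, substr($5, 5) ":" substr($7, 7), "->", substr($6, 5) ":" substr($8, 7) }' "$1"
}

echo "ESTABLISHED entries per source:"
conntrack_top_sources "$SAMPLE"
echo "entries with more than an hour of timeout left:"
conntrack_long_timeout "$SAMPLE" 3600
```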

Xuhehao back to: 2005-01-17 08:29:31

Quoting the original post by "Cgweb":
    That setting is not saved across reboots; to keep it after a reboot, add it to /etc/sysctl.conf:
    net.ipv4.ip_conntract_max = 81920
    After this change everything was normal; if the table fills up again, the value can be increased further.

net.ipv4.ip_conntract_max = 81920
Is this the syntax? Or is it
net.ipv4.ip_conntrack_max = 81920 :shock:




Original link: http://linux.chinaunix.net/bbs/viewthread.php?tid=367999
Reprint please indicate the author name and original source
