Skåne Sjælland Linux User Group - http://www.sslug.dk

NAT timeout (ip_conntrack)

Hi,

We are fiddling around with some Linux NAT boxes (Debian, kernel 2.4.18) with MANY and rather heavy users behind them.

Network access stalls at times; we have traced part of the problems to very, very many entries per user in /proc/net/ip_conntrack (up to 7-8,000 for individual users). Typically these are file sharers with nasty little programs that allocate NAT entries like mad.

The first thing that strikes us is that ESTABLISHED has a timeout of 5 DAYS
(/usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c):

/* The values are in jiffies, built with these macros defined earlier in the same file */
#define SECS *HZ
#define MINS * 60 SECS
#define HOURS * 60 MINS
#define DAYS * 24 HOURS

/* Indexed by TCP conntrack state: how long an entry lives without seeing a packet */
static unsigned long tcp_timeouts[]
= { 30 MINS,    /*      TCP_CONNTRACK_NONE,     */
    5 DAYS,     /*      TCP_CONNTRACK_ESTABLISHED,      */
    2 MINS,     /*      TCP_CONNTRACK_SYN_SENT, */
    60 SECS,    /*      TCP_CONNTRACK_SYN_RECV, */
    2 MINS,     /*      TCP_CONNTRACK_FIN_WAIT, */
    2 MINS,     /*      TCP_CONNTRACK_TIME_WAIT,        */
    10 SECS,    /*      TCP_CONNTRACK_CLOSE,    */
    60 SECS,    /*      TCP_CONNTRACK_CLOSE_WAIT,       */
    30 SECS,    /*      TCP_CONNTRACK_LAST_ACK, */
    2 MINS,     /*      TCP_CONNTRACK_LISTEN,   */
};

Is there any particular reason for this? It seems wildly excessive!

On iptables.org there is a patch, "iplimit", which is supposed to help with these obscurities; does anyone have experience with it?

Does anyone know "the right" (tm) solution for limiting this NAT misbehaviour?

Thanks in advance

/Niels
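Counting conntrack entries per NATed client, the diagnosis described in the mail above, as an added example; this is not code from the original post or from netfilter. It assumes the 2.4-era /proc/net/ip_conntrack line layout (protocol name, protocol number, seconds left, optional TCP state, original-direction tuple, reply tuple, flags), uses constructed sample lines rather than a real capture, and the per-client limit and the 65536 table size in the test are assumptions.

```python
"""Per-client accounting of /proc/net/ip_conntrack entries (Linux 2.4 format).

Added example, not part of the original mail. The sample lines are constructed
to mimic the 2.4 layout; they were not captured from a real NAT box.
"""
import re
from collections import Counter

ESTABLISHED_TIMEOUT = 5 * 24 * 60 * 60  # the 5 DAYS entry of tcp_timeouts[], in seconds

# Constructed sample: client 10.1.1.5 holds several entries, 10.1.1.9 two, 10.1.1.7 one.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.1.1.5 dst=198.51.100.7 sport=3201 dport=6346 src=198.51.100.7 dst=203.0.113.1 sport=6346 dport=3201 [ASSURED] use=1
tcp      6 431850 ESTABLISHED src=10.1.1.5 dst=198.51.100.8 sport=3202 dport=6346 src=198.51.100.8 dst=203.0.113.1 sport=6346 dport=3202 [ASSURED] use=1
tcp      6 119 SYN_SENT src=10.1.1.5 dst=198.51.100.9 sport=3203 dport=6346 [UNREPLIED] src=198.51.100.9 dst=203.0.113.1 sport=6346 dport=3203 use=1
tcp      6 431999 ESTABLISHED src=10.1.1.9 dst=198.51.100.20 sport=1025 dport=80 src=198.51.100.20 dst=203.0.113.1 sport=80 dport=1025 [ASSURED] use=1
udp      17 29 src=10.1.1.9 dst=198.51.100.53 sport=1026 dport=53 src=198.51.100.53 dst=203.0.113.1 sport=53 dport=1026 use=1
tcp      6 9 CLOSE src=10.1.1.7 dst=198.51.100.21 sport=1100 dport=80 src=198.51.100.21 dst=203.0.113.1 sport=80 dport=1100 [ASSURED] use=1
"""

# One line: proto, protocol number, seconds left, optional TCP state (absent for
# udp/icmp), then the original-direction tuple. The reply tuple is not needed here.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<pnum>\d+)\s+(?P<ttl>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Return one dict per parsable line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ttl"] = int(d["ttl"])        # seconds until the entry is dropped
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        d["assured"] = "[ASSURED]" in line  # seen traffic both ways
        entries.append(d)
    return entries


def count_per_client(entries):
    """Entries held by each original-direction source, i.e. each client behind the NAT."""
    return Counter(e["src"] for e in entries)


def count_per_state(entries):
    """TCP state distribution; non-TCP entries are counted under their protocol name."""
    return Counter(e["state"] or e["proto"] for e in entries)


def offenders(entries, limit):
    """Clients holding more than `limit` entries, worst first (limit is an assumed policy)."""
    per_client = count_per_client(entries)
    return sorted(((ip, n) for ip, n in per_client.items() if n > limit),
                  key=lambda t: (-t[1], t[0]))


def hours_until_free(entries, client):
    """Hours until the client's last entry expires if no further packet is seen.

    Under the 5 DAYS ESTABLISHED default a single idle entry can hold its slot
    for up to ESTABLISHED_TIMEOUT seconds, which is what makes per-user counts
    of several thousand possible.
    """
    ttls = [e["ttl"] for e in entries if e["src"] == client]
    return max(ttls) / 3600.0 if ttls else 0.0


def table_usage(entries, conntrack_max):
    """Fraction of the ip_conntrack_max budget (an assumed value) already consumed."""
    return len(entries) / float(conntrack_max)


if __name__ == "__main__":
    entries = parse_conntrack(SAMPLE)   # on a real box: open('/proc/net/ip_conntrack').read()
    print("entries:", len(entries), "states:", dict(count_per_state(entries)))
    for ip, n in offenders(entries, 2):
        print("%s holds %d entries, last one expires in %.1f h"
              % (ip, n, hours_until_free(entries, ip)))
```

On a real box, feed the function the contents of /proc/net/ip_conntrack instead of SAMPLE; the per-client counter is the cheap way to find the handful of hosts responsible for most of the table, and hours_until_free makes the cost of the 5 DAYS default visible: an idle ESTABLISHED entry can occupy a slot for nearly 120 hours after its last packet.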

Last modified 2005-08-10, 22:42 CEST