[tproxy] Conntrack entries not decreasing

KOVACS Krisztian hidden at balabit.hu
Tue Jun 21 11:02:54 CEST 2005


On 2005-06-21 (Tuesday) at 11:35, Mohammed Riyaz wrote:
> >   Yes, this is probably a bug in tproxy. Could you post the contents of
> > the /proc/net/tproxy file?
> The server crashed yesterday once more in the evening. This time we have
> been monitoring the server and the logs clearly show the increase in
> conntrack entries.

  Do you have any patches applied on 2.6.10 apart from tproxy? Vanilla
2.6.10 had a TCP connection tracking bug which caused some TCP
connections to linger in the conntrack table for way too much time. Please
take a look at the original tproxy for 2.6.10 announcement in the
mailing list archives:


  The netfilter-devel post with the patch was:


> The box has 512MB ram and the max conntrack value is set to 32000

  Although this value depends on your traffic pattern, I'd say 32000 is
a bit too low for a dedicated squid proxy. With 512MB RAM you could
safely set that to a higher value (64k for example).

> This is the contents of the /proc/net/tproxy taken today morning.

  Nothing suspicious here, so I'd wait for your experience with the
2.6.10 TCP conntrack patch.

  Krisztian Kovacs
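As an added example (not part of the thread above), a small diagnostic that summarises a /proc/net/ip_conntrack snapshot the way one would when chasing a table that keeps growing: it counts entries per protocol/state, reports utilisation against ip_conntrack_max, and flags ESTABLISHED TCP entries still sitting near the 5-day default timeout. It assumes the 2.6-era /proc/net/ip_conntrack line layout, and the sample lines are constructed.

```python
"""Summarise a /proc/net/ip_conntrack snapshot (2.6-era layout) by protocol and state."""
from collections import Counter

# Constructed sample lines in the assumed 2.6 /proc/net/ip_conntrack layout:
# proto protonum timeout [tcp-state] orig-tuple [UNREPLIED] reply-tuple [ASSURED] use=N
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=40001 dport=80 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431500 ESTABLISHED src=10.0.0.6 dst=192.0.2.11 sport=40002 dport=80 src=192.0.2.11 dst=10.0.0.6 sport=80 dport=40002 [ASSURED] use=1
tcp      6 118 TIME_WAIT src=10.0.0.7 dst=192.0.2.12 sport=40003 dport=80 src=192.0.2.12 dst=10.0.0.7 sport=80 dport=40003 [ASSURED] use=1
tcp      6 42 SYN_SENT src=10.0.0.8 dst=192.0.2.13 sport=40004 dport=80 [UNREPLIED] src=192.0.2.13 dst=10.0.0.8 sport=80 dport=40004 use=1
udp      17 29 src=10.0.0.9 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=10.0.0.9 sport=53 dport=5353 use=1
"""

# Default timeout of an ESTABLISHED TCP conntrack entry in 2.6 kernels: 5 days.
ESTABLISHED_TIMEOUT = 432000


def parse_conntrack(text):
    """Yield (proto, remaining_timeout, tcp_state, assured) for every well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        proto, timeout = fields[0], int(fields[2])
        # Only TCP carries a state name as the fourth field; other protocols go straight to the tuple.
        state = fields[3] if proto == "tcp" else "-"
        yield proto, timeout, state, "[ASSURED]" in fields


def summarise(text, conntrack_max, warn_ratio=0.8, long_lived_floor=ESTABLISHED_TIMEOUT - 30000):
    """Return per-state counts, table utilisation and the count of near-full-timeout ESTABLISHED entries.

    A proxy whose traffic is mostly short HTTP connections should not have a table
    dominated by ESTABLISHED entries with almost the whole 5-day timeout left; that
    pattern is the 'entries not decreasing' symptom discussed in the thread.
    """
    entries = list(parse_conntrack(text))
    by_state = Counter(f"{proto}/{state}" for proto, _, state, _ in entries)
    long_lived = sum(1 for proto, t, state, _ in entries
                     if proto == "tcp" and state == "ESTABLISHED" and t >= long_lived_floor)
    ratio = len(entries) / conntrack_max
    return {"total": len(entries), "by_state": dict(by_state), "ratio": ratio,
            "long_lived_established": long_lived, "warn": ratio >= warn_ratio}


if __name__ == "__main__":
    import sys
    # Pass a path (e.g. /proc/net/ip_conntrack) and the ip_conntrack_max value to analyse a live box.
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else 32000
    print(summarise(text, limit))
```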
