Full NAT on Linux with many connections

When using Linux ip_conntrack in an environment with many users/connections, always check your syslog. The problem turned out to be that the connection tracking table was too small. Quoted from the netfilter FAQ:

3.7 ip_conntrack: maximum limit of XXX entries exceeded

If you notice the following message in syslog, it looks like the conntrack database doesn't have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections. This number is dependent on your system's maximum memory size (at 64MB: 4096, 128MB: 8192, ...).

You can easily increase the number of maximal tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory!

To increase this limit to e.g. 8192, type:

echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

To optimize performance, please also raise the number of hash buckets by using the hashsize module loadtime parameter of the ip_conntrack.o module. Please note that due to the nature of the current hashing algorithm, an even hash bucket count (and especially a power of two) is a bad choice.

Example (with 1023 buckets):

modprobe ip_conntrack hashsize=1023

Note: when the LAN interface is in promiscuous mode (e.g. in a bridged configuration), the conntrack table also fills up with connections between other computers. Apply a filter so that traffic which is not yours never enters connection tracking.
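Putting the above together as a small script: this is an added example written for this page, not code from the original post or from the netfilter FAQ. It greps a log for the overflow warning (the old "maximum limit of N entries exceeded" text quoted above and the "table full, dropping packet" text that later ip_conntrack/nf_conntrack kernels log), works out how much non-swappable kernel memory a given limit pins using the FAQ's 350 bytes per entry (current kernels use more per entry, so treat it as a lower bound), and suggests a bucket count. Assumptions: the log lines are constructed for the example; the 4-entries-per-bucket ratio is a rule of thumb, not something the page states; and the paths under /proc/sys/net/netfilter and /sys/module/nf_conntrack are those of current kernels, where the module is called nf_conntrack and the same hashsize parameter exists (modprobe nf_conntrack hashsize=N, or write to the sysfs file at runtime). The FAQ's advice to avoid even bucket counts is about the old ip_conntrack hash; nf_conntrack hashes with jhash and any bucket count, including a power of two, is fine.

```shell
#!/bin/sh
# Added example for this post (not from the original post or the netfilter FAQ).
# Read-only unless run as: ./conntrack-size.sh --apply <new_max>

# Constructed sample syslog excerpt: three conntrack overflow warnings in
# the old and new wording, plus one unrelated line.
SAMPLE_LOG='Mar  3 10:12:01 gw kernel: ip_conntrack: maximum limit of 4096 entries exceeded
Mar  3 10:12:02 gw kernel: ip_conntrack: table full, dropping packet.
Mar  3 10:12:05 gw sshd[1234]: Accepted publickey for admin from 10.0.0.7
Mar  3 10:12:09 gw kernel: nf_conntrack: table full, dropping packet'

# Count conntrack overflow warnings in the log given on stdin.
# "|| true" keeps grep's exit status 1 (no match) from aborting under set -e.
count_overflow_msgs() {
    grep -c -E 'conntrack: (maximum limit of [0-9]+ entries exceeded|table full, dropping packet)' \
        || true
}

# Non-swappable kernel memory (KiB) pinned by a table of $1 entries.
# $2 is bytes per entry; default is the FAQ's 350-byte figure (assumed here,
# current kernels need more per entry).
conntrack_mem_kib() {
    echo $(( $1 * ${2:-350} / 1024 ))
}

# Hash bucket count for a table of $1 entries, assuming (rule of thumb,
# not from the page) four entries per bucket, rounded up.
suggest_hashsize() {
    echo $(( ($1 + 3) / 4 ))
}

# Current limit from whichever interface this kernel has: nf_conntrack on
# current kernels, ip_conntrack on the 2.4/2.6-era ones the FAQ describes.
current_limit() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
        cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null || echo unknown
    elif [ -r /proc/sys/net/ipv4/ip_conntrack_max ]; then
        cat /proc/sys/net/ipv4/ip_conntrack_max 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# Raise the limit and the bucket count on a current kernel (root required).
# Writing the sysfs file is the runtime equivalent of "modprobe nf_conntrack
# hashsize=N"; it rehashes the table in place.
apply_limits() {
    max=$1
    sysctl -w "net.netfilter.nf_conntrack_max=$max"
    suggest_hashsize "$max" > /sys/module/nf_conntrack/parameters/hashsize
    printf 'set max=%s hashsize=%s (~%s KiB pinned at 350 B/entry)\n' \
        "$max" "$(suggest_hashsize "$max")" "$(conntrack_mem_kib "$max")"
}

if [ "${1:-}" = "--apply" ]; then
    apply_limits "${2:?new nf_conntrack_max required}"
else
    n=$(printf '%s\n' "$SAMPLE_LOG" | count_overflow_msgs)
    printf 'overflow warnings in sample log: %s\n' "$n"
    printf 'current conntrack limit: %s\n' "$(current_limit)"
    for m in 8192 65536 262144; do
        printf 'max=%-7s -> ~%s KiB pinned, hashsize %s\n' \
            "$m" "$(conntrack_mem_kib "$m")" "$(suggest_hashsize "$m")"
    done
fi
```

For the bridged/promiscuous case from the note above, the "filter" on a current kernel is either the raw table (iptables -t raw -A PREROUTING ... -j CT --notrack for traffic you do not want tracked) or, if bridged frames should not pass through iptables at all, setting net.bridge.bridge-nf-call-iptables to 0; both keep other hosts' connections out of the table instead of paying for them with a bigger one.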

This page is powered by Blogger. Isn't yours?