I believe this is the error I was getting when testing ipchains under
kernel 2.4. As far as I know ipchains has never been fixed in this
regard--the answer to my query about the behavior was "yeah, connection
tracking in ipchains is broken, use iptables".
If not using ipchains on kernel 2.4.x, then you can ignore my comment.
Henrik Nordstrom wrote:
> Hmm.. how many requests/s are you serving?
>
> I suspect something is wrong here. 60K conntrack entries is a lot, but then
> it is only 100 per user so if all your users are clicking like mad then
> perhaps.. but I think you would then have some thousand requests/s to reach
> this limit.
>
> Anyway, the variable is a integer and can be set to mostly anything. It is
> not limited to 65535. But if you set it very large then you should also
> increase the conntrack hash size for better performance.. See the
> iptables/netfilter documentation or ask in a suitable netfilter user group.
>
> Regards
> Henrik
>
> Ahsan Ali wrote:
>
>>Hi guys!
>>
>>I'm getting a problem I think some of you must have run into by now - I've
>>increased
>>
>>/proc/sys/net/ipv4/ip_conntrack_max
>>
>>to 65535
>>
>>And I'm still getting conntrack exceeded errors... how do I increase it to
>>128K and beyond?
>>
>>I'm transparently redirecting some 600 concurrent dialup users.
>>
>>Thanks guys!
>>
>>-Ahsan
>
>
>
-- Joe Cooper <joe@swelltech.com> http://www.swelltech.com Web Caching Appliances and SupportReceived on Thu Apr 11 2002 - 17:40:40 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:32 MST