找回密码
 注册

QQ登录

只需一步,快速开始

搜索
查看: 18116|回复: 19

解决ip_conntrack table full的方法

[复制链接]
发表于 2004-10-7 22:04:07 | 显示全部楼层 |阅读模式

马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。

您需要 登录 才可以下载或查看,没有账号?注册

×
在使用大流量下载(使用BT)后,会造成IP连接表溢出,由此会丢包。在coyote的论坛上已经有解决办法:

CODE
Try to put this line on the file /etc/rc.d/rc.local echo 8192 > /proc/sys/net/ipv4/ip_conntrack_max Then backup and reboot coyote. I翠 like to know if it works.
routeros
 楼主| 发表于 2004-10-7 22:06:00 | 显示全部楼层
意思是编辑/etc/rc.d/rc.local 这个文件,在此文件中加入一行:echo 8192 > /proc/sys/net/ipv4/ip_conntrack_max 然后保存文件,最后写入硬盘(软盘),重新启动就可以了。
routeros
回复

使用道具 举报

发表于 2004-10-7 22:54:05 | 显示全部楼层
我的服务器在 负载不大的时候为什么 DNS 速度也慢呢?  能不能研究一下?
routeros
回复

使用道具 举报

发表于 2004-10-8 01:53:47 | 显示全部楼层
楼主,这个似乎没有经过测试呢。楼上的“DNS 速度也慢”什么意思?你不必非要用你的ISP给你的DNS
routeros
回复

使用道具 举报

发表于 2004-10-9 00:56:13 | 显示全部楼层
说说原理怎么样?proc/sys/net/ipv4/ip_conntrack_max 这句好象是把conntrack的连接数目放到极限的意思不太懂
routeros
回复

使用道具 举报

发表于 2004-10-9 01:23:03 | 显示全部楼层
IPCop 需要加入这条吗?
routeros
回复

使用道具 举报

发表于 2004-10-11 20:46:40 | 显示全部楼层
如何判断是不是满了?ip_contrack文件大小不知道呀,用ls -l看起来整个目录的文件全是0字节。我有时会出这种情况,即ping时会提示,send to:operation no permission。可能文字有点出入,但意思是操作不允许。这时下面的机子会反映上网时通时断。重启就可以恢复正常。是不是就是这个问题,那又如何影响到ping的????另外,ip_conntrack_max的默认值是多少?我本来还在考虑换redhat9哩,我的redhat9从来不出问题。难道默认值不一样?看我的redhat9,[baradmin@localhost baradmin]$ uptime 20:27:22  up 103 days, 10:50,  1 user,  load average: 0.00, 0.00, 0.00
routeros
回复

使用道具 举报

发表于 2004-10-11 20:50:54 | 显示全部楼层
我已经看清了,redhat9默认的是6136,而coyote只有1024,我晕死。这1024  是代表什么?1024条记录是不?还有什么不一样的,大家评评补充,又查了下资料,原来和内存有关q我那台6136的内存是90多m,一台256的就是16376。我这台coyote只有16m,所以只分配了1024,在另一台32m上就是2048,还有一台128m的,就是8120(集成810显卡分了点内存走吧)。偏偏我这台16m的带的电脑最多,原来如此,嘿嘿,明天就改。大家说还要改什么地方????
routeros
回复

使用道具 举报

发表于 2004-10-11 22:48:24 | 显示全部楼层
晕coyote的1024 是QOS的默认值晕死~~~~~~~
routeros
回复

使用道具 举报

头像被屏蔽
发表于 2004-10-12 09:07:52 | 显示全部楼层
提示: 作者被禁止或删除 内容自动屏蔽
routeros
回复

使用道具 举报

发表于 2004-10-16 22:11:18 | 显示全部楼层
QUOTE
echo 8192 > /proc/sys/net/ipv4/ip_conntrack_max
等同于 /proc/sys/net/ipv4/ip_conntrack_max = 8192
routeros
回复

使用道具 举报

头像被屏蔽
发表于 2004-10-18 10:31:05 | 显示全部楼层
提示: 作者被禁止或删除 内容自动屏蔽
routeros
回复

使用道具 举报

发表于 2004-10-18 13:37:07 | 显示全部楼层
内存为64MB的机器上时4096,内存为128MB是 8192,内存为256MB是16376
routeros
回复

使用道具 举报

发表于 2004-10-19 10:32:30 | 显示全部楼层
cat /proc/sys/net/ipv4/ip_conntrack_max可知
routeros
回复

使用道具 举报

 楼主| 发表于 2005-1-23 15:49:42 | 显示全部楼层
QUOTE
           Netfilter conntrack performance tweaking, v0.6           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~             Hervé Eychenne This document explains some of the things you need to know for netfilterconntrack (and thus NAT) performance tuning.Latest version of this document can be found at:http://www.wallfire.org/misc/netfilter_conntrack_perf.txt------------------------------------------------------------------------------There are two parameters we can play with:- the maximum number of allowed conntrack entries, which will be called  CONNTRACK_MAX in this document- the size of the hash table storing the lists of conntrack entries, which  will be called HASHSIZE (see below for a description of the structure)CONNTRACK_MAX is the maximum number of "sessions" (connection tracking entries)that can be handled simultaneously by netfilter in kernel memory.A conntrack entry is stored in a node of a linked list, and there are severallists, each list being an element in a hash table.  So each hash table entry(also called a bucket) contains a linked list of conntrack entries.To access a conntrack entry corresponding to a packet, the kernel has to:- compute a hash value according to some defined characteristics of the packet.  This is a constant time operation.  This hash value will then be used as an index in the hash table, where a  list of conntrack entries is stored.- iterate over the linked list of conntrack entries to find the good one.  This is a more costly operation, depending on the size of the list (and on  the position of the wanted conntrack entry in the list).The hash table contains HASHSIZE linked lists.  When the limit is reached(the total number of conntrack entries being stored has reached CONNTRACK_MAX),each list will contain ideally (in the optimal case) aboutCONNTRACK_MAX/HASHSIZE entries.The hash table occupies a fixed amount of non-swappable kernel memory,whether you have any connections or not.  But the maximum number of conntrackentries determines how many conntrack entries can be stored (globally into thelinked lists), i.e. how much kernel memory they will be able to occupy at most.This document will now give you hints about how to choose optimal values forHASHSIZE and CONNTRACK_MAX, in order to get the best out of the netfilterconntracking/NAT system.Default values of CONNTRACK_MAX and HASHSIZE============================================By default, both CONNTRACK_MAX and HASHSIZE get average values for"reasonable" use, computed automatically according to the amount ofavailable RAM.Default value of CONNTRACK_MAX------------------------------On i386 architecture, CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 =RAMSIZE (in MegaBytes) * 64.So for example, a 32 bits PC with 512MB of RAM can handle 512*1024^2/16384 =512*64 = 32768 simultaneous netfilter connections by default.But the real formula is:CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (x / 32)where x is the number of bits in a pointer (for example, 32 or 64 bits)Please note that:- default CONNTRACK_MAX value will not be inferior to 128- for systems with more than 1GB of RAM, default CONNTRACK_MAX value is  limited to 65536 (but can of course be set to more manually).Default value of HASHSIZE-------------------------By default, CONNTRACK_MAX = HASHSIZE * 8.  This means that there is an averageof 8 conntrack entries per linked list (in the optimal case, and whenCONNTRACK_MAX is reached), each linked list being a hash table entry(a bucket).On i386 architecture, HASHSIZE = CONNTRACK_MAX / 8 =RAMSIZE (in bytes) / 131072 = RAMSIZE (in MegaBytes) * 8.So for example, a 32 bits PC with 512MB of RAM can store 512*1024^2/128/1024 =512*8 = 4096 buckets (linked lists)But the real formula is:HASHSIZE = CONNTRACK_MAX / 8 = RAMSIZE (in bytes) / 131072 / (x / 32)where x is the number of bits in a pointer (for example, 32 or 64 bits)Please note that:- default HASHSIZE value will not be inferior to 16- for systems with more than 1GB of RAM, default HASHSIZE value is limited  to 8192 (but can of course be set to more manually).Reading CONNTRACK_MAX and HASHSIZE==================================Current CONNTRACK_MAX value can be read at runtime, via the /proc filesystem.Before Linux kernel version 2.4.23, use:# cat /proc/sys/net/ipv4/ip_conntrack_maxAs of Linux kernel version 2.4.23, use:# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max  (old /proc/sys/net/ipv4/ip_conntrack_max is then deprecated!)Current HASHSIZE is always available (for every kernel version) in syslogmessages, as the number of buckets (which is HASHSIZE) is printed there atip_conntrack initialization.As of Linux kernel version 2.4.24, current HASHSIZE value can be read atruntime with:# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_bucketsModifying CONNTRACK_MAX and HASHSIZE====================================Default CONNTRACK_MAX and HASHSIZE values are reasonable for a typical host,but you may increase them on high-loaded firewalling-only systems.So CONNTRACK_MAX and HASHSIZE values can be changed manually if needed.While accessing a bucket is a constant time operation (hence the interestof having a hash of lists), keep in mind that the kernel has to iterate overa linked list to find a conntrack entry.  So the average size of a linkedlist (CONNTRACK_MAX/HASHSIZE in the optimal case when the limit is reached)must not be too big.  This ratio is set to 8 by default (when values arecomputed automatically).On systems with enough memory and where performance really matters, you canreally consider trying to get an average of one conntrack entry by hash bucket,that means HASHSIZE = CONNTRACK_MAX.Setting CONNTRACK_MAX---------------------Conntrack entries are stored in linked lists, so the maximum number ofconntrack entries (CONNTRACK_MAX) can be easily configured dynamically.Before Linux kernel version 2.4.23, use:# echo $CONNTRACK_MAX > /proc/sys/net/ipv4/ip_conntrack_maxAs of Linux kernel version 2.4.23, use:# echo $CONNTRACK_MAX > /proc/sys/net/ipv4/netfilter/ip_conntrack_maxwhere $CONNTRACK_MAX is an integer.Setting HASHSIZE----------------For mathematical reasons, hash tables have static sizes.  So HASHSIZE must bedetermined before the hash table is created and begins to be filled.Before Linux kernel version 2.4.21, a prime number should be choosed for hashsize, ensuring that the hash table will be efficiently populated. Oddnon-prime numbers or even numbers are strongly discouraged, as the hashdistribution will be sub-optimal.Since Linux kernel version 2.4.21 (and for 2.6 kernel as well), conntrackuses jenkins2b hash algorithm which is happy with all sizes, but powerof 2 works best.If netfilter conntrack is statically compiled in the kernel, the hash tablesize can be set at compile time, or (since kernel 2.6) as a boot option withip_conntrack.hashsize=$HASHSIZEIf netfilter conntrack is compiled as a module, the hash table size can beset at module insertion, with the following command:# modprobe ip_conntrack hashsize=$HASHSIZEwhere $HASHSIZE is an integer.Ideal case: firewalling-only machine------------------------------------In the ideal case, you have a machine _just_ doing packet filtering and NAT(i.e. almost no userspace running, at least none that would have a growingmemory consumption like proxies, ...).The size of kernel memory used by netfilter connection tracking is:size_of_mem_used_by_conntrack (in bytes) =        CONNTRACK_MAX * sizeof(struct ip_conntrack) +        HASHSIZE * sizeof(struct list_head)where:- sizeof(struct ip_conntrack) can vary quite much, depending on architecture,  kernel version and compile-time configuration. To know its size, see the  kernel log message at ip_conntrack initialization time.  sizeof(struct ip_conntrack) is around 300 bytes on i386 for 2.6.5, but  heavy development around 2.6.10 make it vary between 352 and 192 bytes!- sizeof(struct list_head) = 2 * size_of_a_pointer  On i386, size_of_a_pointer is 4 bytes.So, on i386, kernel 2.6.5, size_of_mem_used_by_conntrack is aroundCONNTRACK_MAX * 300 + HASHSIZE * 8 (bytes).If we take HASHSIZE = CONNTRACK_MAX (if we have most of the memory dedicatedto firewalling, see "Modifying CONNTRACK_MAX and HASHSIZE" section above),size_of_mem_used_by_conntrack would be around CONNTRACK_MAX * 308 byteson i386 systems, kernel 2.6.5.Now suppose you put 512MB of RAM (a decent amount of memory considering today'smemory prices) into the firewalling-only box, and use all but 128MB forconntrack, which should really be big enough for a firewall in console mode,for example.Then you could set both CONNTRACK_MAX and HASHSIZE approximately to:(512 - 128) * 1024^2 / 308 =~ 1307315 (instead of 32768 for CONNTRACK_MAX,and 4096 for HASHSIZE by default).As of Linux 2.4.21 (and Linux 2.6), hash algorithm is happy with"power of 2" sizes (it used to be a prime number before).So here we can set CONNTRACK_MAX and HASHSIZE to 1048576 (2^20), for example.This way, you can store about 32 times more conntrack entries than thedefault, and get better performance for conntrack entry access.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Last changes on Jan 20, 2005Revision history:0.6 Hashsize parameter can be set at boot time with Linux 2.6.  Thanks to    Tobias Diedrich for pointing this out.0.5 Added further notice about the varying length of the conntrack structure.0.4 Since Linux 2.4.21, hash algorithm is happy with all sizes, not only    prime ones.  However, power of 2 is best.0.3 Various small precisions.0.2 Information about Linux kernel versions and corresponding /proc entries.    (/proc/sys/net/ipv4/netfilter/ip_conntrack_{max,buckets}).0.1 Initial writing, largely based on my discussions with Harald Welte    (netfilter maintainer) on the netfilter-devel mailing-list.  Many thanks    to him!
routeros
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|Archiver|手机版|小黑屋|软路由 ( 渝ICP备15001194号-1|渝公网安备 50011602500124号 )

GMT+8, 2024-12-23 15:22 , Processed in 0.108641 second(s), 4 queries , Gzip On, Redis On.

Powered by Discuz! X3.5 Licensed

© 2001-2024 Discuz! Team.

快速回复 返回顶部 返回列表