I just got an "ip_conntrack: table full, dropping packet" because a p2p application ran amok. I've killed the process but /proc/net/ip_conntrack still has more than 7000 (now stale) entries of 8184 max. Since the table is now, after ~70 minutes, down to 6995 entries, I wonder if I can flush this table manually.

The entries in there look like

    tcp 6 155674 ESTABLISHED src=x.x.x.x dst=y.y.y.y sport=1234 dport=5678 src=y.y.y.y dst=x.x.x.x sport=5678 dport=1234 [ASSURED] use=1

and if I get ip_conntrack_proto_tcp.c right, the default timeout for ESTABLISHED is 5 days. But I don't want to wait that long :(

Patrick

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
On Friday, 21 February 2003, at 15:52:55 +0100, Patrick Nagelschmidt wrote:

> and if i get ip_conntrack_proto_tcp.c right, the default timeout for
> ESTABLISHED is 5 days. but i dont want to wait that long :(
>

You are right; some people change this default value in the sources and recompile because they think this 5-day period is way too high. The only way I know to flush the connection tracking information is to unload ip_conntrack and all the modules that depend on it.

Hope it helps.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Sid (Linux 2.4.20-xfsip)
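Before unloading the module as Jose Luis suggests, it helps to know what actually filled the table. The script below is an added example, not code from either poster: it parses the /proc/net/ip_conntrack line format Patrick quoted and summarises entries by state, by original-direction source address and by remaining ESTABLISHED timeout. It assumes the 2.4-era /proc/net/ip_conntrack path (override TABLE to point at a saved copy) and falls back to a constructed sample when that file is not readable.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise a 2.4-era
# /proc/net/ip_conntrack dump by state, by source address and by remaining
# ESTABLISHED timeout, so you can see what filled the table before deciding
# whether to wait out the timeouts or unload ip_conntrack.
# Assumption: TABLE points at the live table or a saved copy of it.
TABLE="${TABLE:-/proc/net/ip_conntrack}"

# Constructed sample in the format quoted in the thread (not real traffic).
SAMPLE='tcp      6 155674 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=1234 dport=5678 src=192.0.2.10 dst=10.0.0.5 sport=5678 dport=1234 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.11 sport=1235 dport=6881 src=192.0.2.11 dst=10.0.0.5 sport=6881 dport=1235 [ASSURED] use=1
tcp      6 110 TIME_WAIT src=10.0.0.7 dst=192.0.2.20 sport=40000 dport=80 src=192.0.2.20 dst=10.0.0.7 sport=80 dport=40000 [ASSURED] use=1
udp      17 29 src=10.0.0.5 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=10.0.0.5 sport=53 dport=5353 use=1
tcp      6 100 SYN_SENT src=10.0.0.9 dst=192.0.2.30 sport=3333 dport=443 [UNREPLIED] src=192.0.2.30 dst=10.0.0.9 sport=443 dport=3333 use=1'

# Entries per protocol/state. TCP lines carry the state in field 4; UDP has none.
count_states() {  # usage: count_states FILE
  awk '{ if ($1 == "tcp") key = $1 " " $4; else key = $1 " -"; n[key]++ }
       END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Entries per original-direction source address (the first src= field on the line).
count_sources() {  # usage: count_sources FILE
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { n[substr($i, 5)]++; break } }
       END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# ESTABLISHED TCP entries whose remaining timeout (field 3, seconds) exceeds LIMIT.
long_established() {  # usage: long_established FILE LIMIT_SECONDS
  awk -v lim="$2" '$1 == "tcp" && $4 == "ESTABLISHED" && $3 + 0 > lim + 0 { c++ }
                   END { print c + 0 }' "$1"
}

# Use the live table when readable, otherwise fall back to the constructed sample.
if [ -r "$TABLE" ]; then
  src="$TABLE"
else
  src=$(mktemp); printf '%s\n' "$SAMPLE" > "$src"
fi
echo "== entries by state";  count_states "$src"
echo "== entries by source"; count_sources "$src" | head -n 5
echo "== ESTABLISHED with more than a day left: $(long_established "$src" 86400)"
[ "$src" = "$TABLE" ] || rm -f "$src"
```

A large count of long-lived ESTABLISHED entries from one source after the process is gone is the stale-entry situation described above; the source breakdown shows which host to look at if the table fills again.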