How many connections can be tracked with:

512 megabytes of RAM?
1 gigabyte of RAM?

I know there is a limit. I read it somewhere about eight months ago in some obscure location.

Thanks in advance.

Walt

This message has been scanned by CityNET's email scanner for viruses and dangerous content and is believed to be clean. CityNET is proud to use MailScanner. For more information concerning MailScanner, visit http://www.mailscanner.info
On Wednesday 24 September 2003 04:44, Walter D. Wyndroski wrote:
> How many connections can be tracked with:
>
> 512 megabytes of RAM?
> 1 gigabyte of RAM?
>
> I know there is a limit. I read it somewhere about eight months ago in some
> obscure location.

From the FAQ page on netfilter.org:

3.6 ip_conntrack: maximum limit of XXX entries exceeded

If you notice the following message in syslog, it looks like the conntrack database doesn't have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections. This number is dependent on your system's maximum memory size (at 64MB: 4096, 128MB: 8192, ...).

You can easily increase the number of maximal tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory! To increase this limit to e.g. 8192, type:

echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager" http://www.docum.org/
#lartc @ irc.openprojects.net
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Sorry, I must have missed it when reading the netfilter howto. I found it later when reading through it again: approx 32,000 connections per 512 megs of RAM.

Walt

----- Original Message -----
From: Walter D. Wyndroski
To: lartc@mailman.ds9a.nl
Sent: Tuesday, September 23, 2003 10:44 PM
Subject: [LARTC] Connection Tracking - How Many???
Thursday, September 25, 2003, 10:35:39 PM, you wrote:

WDW> Sorry, I must have missed it when reading the netfilter howto. I
WDW> found it later when reading through it again: approx 32,000 connections
WDW> per 512 megs of ram.

Wrong.
1 conntrack entry = 292 Bytes.
512*1024 = 524800 KiloBytes
524800*1024 = 537395200 Bytes

537395200 / 292 = 1840394 connections.

Of course this would simply kill the cpu.
I am doing 35000 connection trackings at the moment at approx. less than 80 MB of RAM on a 266 MHz PII.

P.Krumins
From the documentation links on www.netfilter.org --> http://iptables-tutorial.frozentux.net/iptables-tutorial.html

How many connections that the connection tracking table can hold depends upon a variable that can be set through the ip-sysctl functions in recent kernels. The default value held by this entry varies heavily depending on how much memory you have. On 128 MB of RAM you will get 8192 possible entries, and at 256 MB of RAM, you will get 16376 entries. You can read and set your settings through the /proc/sys/net/ipv4/ip_conntrack_max setting.

Walt

----- Original Message -----
From: "Peteris Krumins" <newsgroups@lf.lv>
To: "Walter D. Wyndroski" <wdwrn@friendlycity.net>
Cc: <lartc@mailman.ds9a.nl>
Sent: Friday, September 26, 2003 1:32 PM
Subject: Re[2]: [LARTC] Connection Tracking - How Many???
> From the documentation links on www.netfilter.org -->
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
>
> How many connections that the connection tracking table can hold depends
> upon a variable that can be set through the ip-sysctl functions in recent
> kernels. The default value held by this entry varies heavily depending on
> how much memory you have. On 128 MB of RAM you will get 8192 possible
> entries, and at 256 MB of RAM, you will get 16376 entries. You can read and
> set your settings through the /proc/sys/net/ipv4/ip_conntrack_max setting.

That's the default, you can increase that through the /proc/sys/net/ipv4/ip_conntrack_max setting. Also you may need to increase the "hashsize=" parameter when loading the ip_conntrack module.

--
Damjan Georgievski
jabberID: damjan@bagra.net.mk
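The thread covers three things a firewall operator actually needs to do with this: size ip_conntrack_max against a RAM budget (Stef's FAQ quote and Peteris's arithmetic), keep the hash table in step with the maximum (Damjan's hashsize remark), and notice in syslog when the table has filled, because a full table drops new flows and is therefore something an attacker can trigger on purpose with a flood of short connections. The script below is an added example written for this page; it is not code from the thread or from netfilter. It takes the per-entry cost as an input rather than asserting one (the FAQ says about 350 bytes, Peteris measured 292, and 64-bit kernels are larger). The /proc/sys/net/netfilter/nf_conntrack_* and /sys/module/nf_conntrack/parameters/hashsize paths, and the "nf_conntrack: table full, dropping packet" wording, are the later-kernel equivalents of what the 2003 thread names, and are assumptions here; the syslog excerpt is constructed, not real log data.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): sizing and monitoring the
# conntrack table. Paths for kernels newer than the thread are assumptions:
#   /proc/sys/net/netfilter/nf_conntrack_max    (was /proc/sys/net/ipv4/ip_conntrack_max)
#   /proc/sys/net/netfilter/nf_conntrack_count
#   /sys/module/nf_conntrack/parameters/hashsize (was the hashsize= module option)

# Non-swappable kernel memory the table pins at full occupancy, in KiB.
# Per-entry cost is an input: the FAQ says ~350 bytes, Peteris measured 292.
conntrack_mem_kib() {            # usage: conntrack_mem_kib MAX BYTES_PER_ENTRY
    echo $(( $1 * $2 / 1024 ))
}

# Largest max that fits a RAM budget if the whole budget went to conntrack,
# i.e. the upper bound Peteris's arithmetic is aiming at, not a safe setting.
conntrack_entries_for_mib() {    # usage: conntrack_entries_for_mib RAM_MIB BYTES_PER_ENTRY
    echo $(( $1 * 1024 * 1024 / $2 ))
}

# Table occupancy in percent. Alert well before 100: once count reaches
# max, new flows are dropped, which is a denial of service an attacker
# can cause deliberately with many short or half-open connections.
conntrack_usage_pct() {          # usage: conntrack_usage_pct COUNT MAX
    echo $(( $1 * 100 / $2 ))
}

# Average hash chain length at full occupancy. Raising max without raising
# hashsize (Damjan's point) turns every lookup into a long list walk.
conntrack_chain_len() {          # usage: conntrack_chain_len MAX HASHSIZE
    echo $(( $1 / $2 ))
}

# Count syslog lines that say the table is full. First pattern is the
# 2.4-era message quoted in the thread; second is the later nf_conntrack
# wording (assumed). grep -c exits 1 on zero matches, hence "|| true".
count_conntrack_full_msgs() {    # reads syslog text on stdin, prints a count
    grep -Ec 'ip_conntrack: maximum limit of [0-9]+ entries exceeded|nf_conntrack: table full, dropping packet' || true
}

# Report from /proc when conntrack is loaded, otherwise from constructed
# sample values so the script also runs on a box without netfilter.
report() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
        max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
        hs=$(cat /sys/module/nf_conntrack/parameters/hashsize 2>/dev/null || echo 0)
    else
        count=35000; max=65536; hs=16384   # constructed sample values
    fi
    echo "entries: $count / $max ($(conntrack_usage_pct "$count" "$max")% used)"
    echo "pinned at full: $(conntrack_mem_kib "$max" 350) KiB at 350 B/entry"
    if [ "$hs" -gt 0 ]; then
        echo "avg hash chain at full: $(conntrack_chain_len "$max" "$hs")"
    fi
}

# Constructed syslog excerpt (not real log data): three table-full lines.
SAMPLE_LOG='Sep 26 13:02:11 fw kernel: ip_conntrack: maximum limit of 65536 entries exceeded
Sep 26 13:02:11 fw kernel: ip_conntrack: maximum limit of 65536 entries exceeded
Sep 26 13:02:12 fw kernel: eth0: link up
Sep 26 13:02:13 fw kernel: nf_conntrack: table full, dropping packet'

report
echo "table-full messages in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_conntrack_full_msgs)"
```

Run it as root on the firewall itself to get the live figures; pipe a real syslog through count_conntrack_full_msgs (or feed it to a cron job that pages when the count is non-zero) to catch the table filling. When raising the maximum, raise hashsize in the same proportion so the chain length stays short, and re-check the pinned-memory figure against what the box can actually spare.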