Increasing ip_conntrack_max

Jeff jeff at virgin.net
Thu Sep 8 19:10:56 UTC 2005


Ben Tyler wrote:

>I've been looking for information regarding increasing
>the value of "/proc/sys/net/ipv4/ip_conntrack_max" on
>my RHEL3 box running iptables/ip_masq.  Any pointers
>would be greatly appreciated.
>
>I see about 200 lines of "kernel: ip_conntrack: table
>full, dropping packet." in /var/log/messages each day.
>
>The machine has 1GB of ram and performs no other
>functions.  Its current memory usage (less
>buffers/cache) is about 150MB.
>
>The current value of ip_conntrack_max which was set by
>the RHEL installer is 65016.  Can I increase this
>value?  If so how much?
>
>Is there a better way to monitor the current number of
>connections being tracked than `cat
>/proc/net/ip_conntrack | wc -l`, which takes about 30
>seconds with this many connections?
>
>Are there any other parameters I can increase to help
>the performance of a system that only does ip_masq?
>
>Thanks,
>Ben
>
I had similar problems on my home firewall box running RH9. It was a 
really old, low spec PC (P266, 256MB RAM I think). I just kept increasing 
the ip_conntrack_max value until I stopped seeing entries in the logs. 
Not an exact figure but I probably increased the value by 1000 times its 
default setting with no adverse effects - I just kept adding another 
zero to the current setting until I stopped seeing errors ;). I wouldn't 
recommend doing this on a production server but if it's a home system or 
a non-important box then it may be worth a try. Once you have a good 
value make sure you create an init script so the setting is changed on 
every reboot.

FYI, to increase the value just `echo new_value > 
/proc/sys/net/ipv4/ip_conntrack_max`. It's not kept in a config file 
anywhere; the kernel sets it on boot depending on your amount of RAM.

If the box is doing nothing else then you should be able to increase the 
value significantly - the gurus should be able to give a better idea 
what's a 'safe' value.


Hope this helps
Jeff
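An added example, not code from Jeff's or Ben's messages: a small POSIX sh check that reads the live conntrack count and limit from sysctl instead of dumping the whole table, reports usage against a threshold, and counts the "table full, dropping packet" lines in the log, so the limit can be raised before the kernel starts dropping. The sysctl paths other than ip_conntrack_max (the nf_conntrack_* names on newer kernels, the ip_conntrack_count file on older ones) are assumptions about the kernel in use; the /proc/net table dump is the slow fallback from the question.

```shell
#!/bin/sh
# Added example (not from the thread): check conntrack table usage against its
# limit and count logged "table full" drops. Assumed sysctl paths: nf_conntrack_*
# on newer kernels, ip_conntrack_* on older ones; the table dump is the fallback.
# Print the first readable file among the arguments; fail if none exists.
first_readable() {
  for f in "$@"; do
    [ -r "$f" ] && { cat "$f"; return 0; }
  done
  return 1
}
conntrack_max() {
  first_readable /proc/sys/net/netfilter/nf_conntrack_max \
                 /proc/sys/net/ipv4/ip_conntrack_max
}
conntrack_count() {
  first_readable /proc/sys/net/netfilter/nf_conntrack_count \
                 /proc/sys/net/ipv4/netfilter/ip_conntrack_count && return 0
  for f in /proc/net/nf_conntrack /proc/net/ip_conntrack; do   # slow fallback
    [ -r "$f" ] && { wc -l < "$f" | tr -d ' '; return 0; }
  done
  return 1
}
# usage_percent COUNT MAX -> integer percentage of the table in use (0 if MAX=0).
usage_percent() {
  [ "$2" -gt 0 ] || { echo 0; return 0; }
  echo $(( $1 * 100 / $2 ))
}
# check_usage COUNT MAX THRESHOLD -> prints OK/WARN; returns 1 at or over THRESHOLD.
check_usage() {
  pct=$(usage_percent "$1" "$2")
  if [ "$pct" -ge "$3" ]; then
    echo "WARN: conntrack table ${pct}% full ($1/$2)"; return 1
  fi
  echo "OK: conntrack table ${pct}% full ($1/$2)"
}
# count_drops LOGFILE -> number of "table full" messages (0 if the file is absent).
count_drops() {
  n=$(grep -c 'ip_conntrack: table full, dropping packet' "$1" 2>/dev/null) || true
  echo "${n:-0}"
}
# report THRESHOLD LOGFILE -> live check on this host; exit status 1 means WARN.
report() {
  max=$(conntrack_max) || { echo "no conntrack limit found in /proc" >&2; return 2; }
  cnt=$(conntrack_count) || cnt=0
  echo "drops logged in $2: $(count_drops "$2")"
  check_usage "$cnt" "$max" "$1"
}
case "${1:-}" in run) report "${2:-80}" "${3:-/var/log/messages}" ;; esac
```

Run it as `sh conntrack_check.sh run 80 /var/log/messages`; a non-zero exit from cron is the thing to alert on, and the drop count tells you whether the kernel is already discarding packets.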
