ip_conntrack_tcp_timeout_established (ZeroShell forums, Network Management)


    I just want to throw this out there, since a search only revealed one post on the subject, which I can't help but find a bit confusing since this is a Linux firewall distribution 🙂
    I imagine it has to do with the PCs people are installing this on probably coming with a fair amount of RAM, shrug.

    Anyway, I started out setting up my box on a 1.4 GHz machine with 128 MB of RAM and noticed after a couple of days the memory was gone and it was using 40 MB of swap space, and consequently the CD-ROM just never stopped spinning anymore! I installed an extra 256 MB for 384, and still on day 1 I notice my box is using almost 256 MB now. This is kernel memory; the userspace programs are using about 60 MB or so.

    The default setting for /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established is a whopping 5 days, which apparently is the linux default. Now my first thought was I needed to adjust this for my usage somehow. I figured I was filling the table up with useless junk somehow, probably from bittorrent. Ironically, looking at the ip_conntrack file shows a different story.

    root@gateway root> cat /proc/net/ip_conntrack | wc -l
    root@gateway root> cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
    root@gateway root> free
    total used free shared buffers cached
    Mem: 384360 332648 51712 0 40680 53468
    -/+ buffers/cache: 238500 145860
    Swap: 131064 0 131064
    root@gateway root> cat /proc/net/ip_conntrack | grep "dport=80" | wc -l
    root@gateway root> less /proc/net/ip_conntrack
    root@gateway root> cat /proc/net/ip_conntrack | grep "dport=22" | wc -l
    root@gateway root> cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

    I don't know if it's the normal behavior of HTTP connections to not close properly, or what. I expected if anything was going to be filling this up it was BitTorrent usage, but none of that. My previous gateway, which I had set up by hand, was a P200 with 128 MB of RAM, running Gentoo. I don't remember specifically what I had adjusted the settings to, but it never came close to using the 128 MB of RAM it had, or having trouble with connections.

    root@gateway root> cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

    I have it set for an hour now and will see what happens. I'm unaware of whether I need to reboot now to remove the old entries without waiting the 5 days or what, but at the very least I can see if it gets much past 50,000 now.. lol. I point this out because it seems a very valid concern for a Linux firewall distro, perhaps something that should be changed or made adjustable in the GUI? (If it is already, my apologies!) But 50,000 lingering HTTP entries doesn't make much sense to me. This might not be the only thing eating my RAM, but it seemed like a valid concern.

    And to conclude, thank you for an awesome distro!! I'm loving ZeroShell; I've been playing with it for a week and still discovering features. It's fantastic! Keep up the good work!
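    The grep and wc pipelines above answer one question at a time. The POSIX shell script below is an added example, not code from the original post or from ZeroShell: it summarises a conntrack dump by protocol and TCP state, by original-direction destination port, and counts ESTABLISHED entries whose remaining timeout is still above a threshold, which is how you spot entries created under the 5-day default that will keep lingering after the sysctl is lowered (a timeout change only affects entries touched afterwards). The sample lines are constructed, and the script goes slightly beyond the thread in that it parses both the old /proc/net/ip_conntrack layout and the newer /proc/net/nf_conntrack layout with its leading address-family columns.

```shell
#!/bin/sh
# Added example: summarise a conntrack table dump (ip_conntrack or nf_conntrack layout).
# Real use: conntrack_by_dport /proc/net/ip_conntrack   (or /proc/net/nf_conntrack)

# Constructed sample: six entries in the old /proc/net/ip_conntrack layout plus one in
# the newer /proc/net/nf_conntrack layout (leading "ipv4 2" columns). Addresses are
# from documentation ranges; the third column is the remaining timeout in seconds.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.0.10 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=192.168.0.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431900 ESTABLISHED src=192.168.0.11 dst=198.51.100.6 sport=40002 dport=80 src=198.51.100.6 dst=192.168.0.11 sport=80 dport=40002 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.0.10 dst=198.51.100.7 sport=40003 dport=80 src=198.51.100.7 dst=192.168.0.10 sport=80 dport=40003 [ASSURED] use=1
tcp      6 3599 ESTABLISHED src=192.168.0.12 dst=203.0.113.9 sport=40004 dport=22 src=203.0.113.9 dst=192.168.0.12 sport=22 dport=40004 [ASSURED] use=1
udp     17 29 src=192.168.0.10 dst=192.168.0.1 sport=5353 dport=53 src=192.168.0.1 dst=192.168.0.10 sport=53 dport=5353 use=1
tcp      6 119 SYN_SENT src=192.168.0.13 dst=198.51.100.8 sport=6881 dport=6881 [UNREPLIED] src=198.51.100.8 dst=192.168.0.13 sport=6881 dport=6881 use=1
ipv4     2 tcp      6 431500 ESTABLISHED src=192.168.0.14 dst=198.51.100.9 sport=40005 dport=443 src=198.51.100.9 dst=192.168.0.14 sport=443 dport=40005 [ASSURED] mark=0 use=1'

# Shared awk prologue: skip the "ipv4 2" / "ipv6 10" prefix of the nf_conntrack layout so
# that proto, timeout and (for tcp) state land in the same variables for both layouts.
CT_AWK_PROLOGUE='
function ct_parse(   off) {
    off = ($1 == "ipv4" || $1 == "ipv6") ? 2 : 0
    proto = $(1 + off); timeout = $(3 + off) + 0
    state = (proto == "tcp") ? $(4 + off) : "-"
}'

# FILE -> "proto state count" lines, sorted. Non-TCP protocols have no state column.
conntrack_by_state() {
    awk "$CT_AWK_PROLOGUE"'
    { ct_parse(); n[proto " " state]++ }
    END { for (k in n) print k, n[k] }' "$1" | sort
}

# FILE -> "dport count", busiest first. Only the first dport= (original direction,
# i.e. the server-side port) is counted; the reply tuple is ignored.
conntrack_by_dport() {
    awk "$CT_AWK_PROLOGUE"'
    { ct_parse()
      for (i = 1; i <= NF; i++) if ($i ~ /^dport=/) { sub(/^dport=/, "", $i); n[$i]++; break } }
    END { for (p in n) print p, n[p] }' "$1" | sort -k2,2nr -k1,1n
}

# FILE SECONDS -> number of tcp ESTABLISHED entries with more than SECONDS left to live.
# After lowering ip_conntrack_tcp_timeout_established to 3600, anything above 3600 here
# was created under the old timeout and will sit in the table until it expires.
conntrack_lingering() {
    awk -v limit="$2" "$CT_AWK_PROLOGUE"'
    { ct_parse(); if (proto == "tcp" && state == "ESTABLISHED" && timeout > limit + 0) c++ }
    END { print c + 0 }' "$1"
}

# Demo on the constructed sample so the script runs without /proc/net/ip_conntrack.
ct_file=$(mktemp)
printf '%s\n' "$SAMPLE_CONNTRACK" > "$ct_file"
echo "== entries by protocol/state";    conntrack_by_state "$ct_file"
echo "== entries by destination port"; conntrack_by_dport "$ct_file"
echo "== ESTABLISHED entries with more than 3600 s left: $(conntrack_lingering "$ct_file" 3600)"
rm -f "$ct_file"
```

    On a live box, point the functions at /proc/net/ip_conntrack (or /proc/net/nf_conntrack on newer kernels) and compare the lingering count with ip_conntrack_count: the gap between the two is what the shortened timeout has not yet reclaimed.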



    Just some info, I discovered how I ended up with all those entries: http://forums.gentoo.org/viewtopic-t-463726.html

    I’ve actually managed to more or less force expire the conntrack count down to 10000 now (down from ~55000) and it freed about 65M of ram in the process.

    I have this in my boot script now.

    echo 3600 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
    echo 16000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max   # I know this is low, but it's restricted to 4096 by forces out of my control anyway
    echo 0 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose


    I found the default of 5 days on my box got tanked after about 1 day; the connections would hold and build up to over 200k connections, when really it was only around 30-60k when forced to one hour (Cisco format) only, instead of 5 days. Here is the post-boot script I have:

    # Startup Script
    echo "3600" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
    echo "1048576" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
    echo 134217728 > /proc/sys/kernel/shmall
    echo 134217728 > /proc/sys/kernel/shmmax
    cd /Database/niagara2265_r10/;./n2265_load;./n2265_util -a;./n2265_util -0
    ethtool -K ETH02 tso on;ethtool -K ETH03 tso on

    The last command you can disregard, it is to load a driver for my bypass NIC.

    My ZS box is an HD install, dual 2.83 GHz with 3 GB of RAM; the RAM filled up fast in a day holding those connections open. Drop it down to an hour and you'll be just fine. I get about 110 megs/sec download x 40 megs upload, average load less than 1%, and only utilizing around 153 MB of RAM; my 3 GB is way overkill, but better safe than sorry.
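    Both boot scripts in this thread write the same sysctls by hand and never check that the kernel took them. The POSIX shell script below is an added example, not code from either post or from ZeroShell's own startup handling: it writes each value, reads it back, refuses an established timeout outside a sane range, and gives a rough figure for how much kernel memory a full table could pin, which is the trade-off behind choosing 16000 versus 1048576 for ip_conntrack_max. The per-entry size of about 300 bytes is an assumption (it varies by kernel; /proc/slabinfo shows the real object size), and the ROOT argument lets the script run against a scratch directory instead of the live /proc, which is what the demo at the bottom does. Newer kernels expose the same knobs under /proc/sys/net/netfilter/nf_conntrack_*; adjust NETFILTER_DIR and the key names accordingly.

```shell
#!/bin/sh
# Added example: apply conntrack tuning with read-back verification.
# Real use as root: apply_conntrack_tuning "" 3600 16000   (empty ROOT = the live /proc)

NETFILTER_DIR=proc/sys/net/ipv4/netfilter

# ROOT KEY VALUE: write one sysctl file, read it back, fail on mismatch.
ct_write() {
    root=$1; key=$2; value=$3
    f="$root/$NETFILTER_DIR/$key"
    [ -w "$f" ] || { echo "missing or unwritable: $f" >&2; return 1; }
    echo "$value" > "$f" || return 1
    got=$(cat "$f")
    [ "$got" = "$value" ] || { echo "readback mismatch for $key: got $got" >&2; return 1; }
    echo "$key=$got"
}

# ROOT ESTABLISHED_TIMEOUT MAX: the three settings from the thread, with a range check
# on the timeout (10 minutes up to the 5-day kernel default) before anything is written.
apply_conntrack_tuning() {
    root=${1:-}; est=$2; max=$3
    if [ "$est" -lt 600 ] || [ "$est" -gt 432000 ]; then
        echo "refusing timeout $est: outside 600..432000 s" >&2; return 1
    fi
    ct_write "$root" ip_conntrack_tcp_timeout_established "$est" &&
    ct_write "$root" ip_conntrack_max "$max" &&
    ct_write "$root" ip_conntrack_tcp_loose 0
}

# MAX -> approximate MB of kernel memory if the table fills. Assumed ~300 bytes per
# entry; check the ip_conntrack object size in /proc/slabinfo for your kernel.
conntrack_mem_estimate_mb() {
    echo $(( $1 * 300 / 1048576 ))
}

# Build a scratch tree with empty sysctl files so the functions can be exercised
# without touching the running kernel. Prints the directory.
make_scratch_root() {
    d=$(mktemp -d)
    mkdir -p "$d/$NETFILTER_DIR"
    for k in ip_conntrack_tcp_timeout_established ip_conntrack_max ip_conntrack_tcp_loose; do
        : > "$d/$NETFILTER_DIR/$k"
    done
    echo "$d"
}

# Demo against a scratch root (constructed, not the live system).
scratch=$(make_scratch_root)
apply_conntrack_tuning "$scratch" 3600 16000
echo "full table of 16000 entries ~ $(conntrack_mem_estimate_mb 16000) MB"
echo "full table of 1048576 entries ~ $(conntrack_mem_estimate_mb 1048576) MB"
rm -rf "$scratch"
```

    The read-back matters more than it looks: a write that the kernel rejects (a value above what the hash table can back, or a key that does not exist on this kernel) fails silently in a plain boot script, and the box then runs with the 5-day default you thought you had replaced.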
