[opensuse] iptables / ip_conntrack Module memory usage?
Hello all,

I am GTMFing about how much memory the ip_conntrack module is taking in order to maintain the table. I'm not sure how to find out what I can move it to above the default based on the amount of memory the system has which is 1G. It's a DNS caching server so that's ALL it does but it does a lot of connections and has a really, really huge iptables rules set.

When I do an lsmod I see this ..

ip_conntrack 20672 2 [ipt_state iptable_nat]

The 20672 is under size .. is this module taking 20M of ram or am I reading this wrong?

Anyone know what it would be safe to up the table size to? The default is 65520 and the server doesn't seem to be lacking available ram. Would it be a good idea to double this?

Thanks,
-Ben

--
XO Communications St Louis, MO.
--
"A cog in the big state machine."
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org

On Mon, 2009-11-30 at 14:09 -0600, Ben Rosenberg wrote:
> Hello all, I am GTMFing about how much memory the ip_conntrack module is taking in order to maintain the table. I'm not sure how to find out what I can move it to above the default based on the amount of memory the system has which is 1G. It's a DNS caching server so that's ALL it does but it does a lot of connections and has a really, really huge iptables rules set. When I do an lsmod I see this ..
>
> ip_conntrack 20672 2 [ipt_state iptable_nat]
>
> The 20672 is under size .. is this module taking 20M of ram or am I reading this wrong?

I believe that value is in bytes, not Kilobytes. So that is 20K, not 20M.

On a 32 bit machine with 512MB of RAM ip_conntrack [by default] can manage 32,768 connections

CONNTRACK_MAX = ({RAM (in bytes)} / 16384 / ({BITS [32 or 64]} / 32))

Look in -

[root@firewall ~]# cat /proc/sys/net/ipv4/ip_conntrack_max
12288
[root@firewall ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
1536

> Anyone know what it would be safe to up the table size to?

That is handled automatically.
> The default is 65520 and the server doesn't seem to be lacking available ram. Would it be a good idea to double this?

It is almost certainly defaulting to a count that is more than the server can realistically handle anyway.

--
OpenGroupware developer: awilliam@whitemice.org
<http://whitemiceconsulting.blogspot.com/>
OpenGroupware & Cyrus IMAPd documentation @
<http://docs.opengroupware.org/Members/whitemice/wmogag/file_view>
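
Added example, not part of either message in the thread: a shell sketch that applies the CONNTRACK_MAX formula quoted in the reply and estimates what a full table, and a doubled one, would cost in memory. The sample meminfo text is constructed; the 41000 live entries and the 300 bytes per entry are assumptions, since the real per-entry size depends on the kernel build.

```shell
#!/bin/sh
# Added example: conntrack table sizing from the formula quoted in the thread.

# Default entry limit: RAM bytes / 16384 / (bits / 32).
conntrack_default() {   # $1 = RAM in bytes, $2 = 32 or 64
    echo $(( $1 / 16384 / ($2 / 32) ))
}

# MemTotal in bytes, read from /proc/meminfo-format text on stdin.
mem_total_bytes() {
    awk '/^MemTotal:/ { printf "%.0f\n", $2 * 1024 }'
}

# Worst-case memory if every slot is in use.
table_bytes() {         # $1 = entries, $2 = bytes per entry (assumed figure)
    echo $(( $1 * $2 ))
}

# Percentage of the table currently in use.
usage_percent() {       # $1 = current count, $2 = configured max
    echo $(( $1 * 100 / $2 ))
}

# Summary for one host.
report() {              # $1 RAM bytes, $2 bits, $3 max, $4 count, $5 entry bytes
    echo "formula default : $(conntrack_default "$1" "$2") entries"
    echo "configured max  : $3 entries ($(usage_percent "$4" "$3")% in use)"
    echo "full table costs: $(( $(table_bytes "$3" "$5") / 1024 )) KiB"
    echo "doubled max     : $(( $(table_bytes $(( $3 * 2 )) "$5") / 1024 )) KiB"
}

# Constructed sample: a 1 GiB, 32-bit host like the one in the question.
SAMPLE_MEMINFO='MemTotal:        1048576 kB
MemFree:          512000 kB'
ram=$(printf '%s\n' "$SAMPLE_MEMINFO" | mem_total_bytes)

# 65520 is the limit quoted in the thread; 41000 live entries and
# 300 bytes per entry are assumptions made for this example.
report "$ram" 32 65520 41000 300
```

On a live host, feed `mem_total_bytes` from /proc/meminfo and take the configured limit from the ip_conntrack_max path shown in the reply.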
participants (2): Adam Tauno Williams, Ben Rosenberg