Hi,
After I asked you how to work around the ip_conntrack table being full, I
tried the suggestion to use NOTRACK on the squid box for port 3128. The number
of ip_conntrack connections still increased until it hit the maximum limit.
I understand that this was caused by rebooting the squid box. Linux ip_conntrack
keeps all packets that it has not seen in a 3-way handshake for around 5
days, so it filled up a day later. Graeme, sorry to tell you that I rebooted
the system.
I found a trick in a Google search.
Setting a system config in /etc/sysctl.conf with
net.ipv4.netfilter.ip_conntrack_tcp_loose = 0
will drop all packets like the ones I mentioned above.
I have some MRTG screenshots.
Before using the trick:
http://host.psu.ac.th/~wiboon.w/proxy7-conn-past-to-070613.JPG
After using the trick:
http://host.psu.ac.th/~wiboon.w/proxy7-cpu-conn-070613.JPG
Graeme, can you confirm for me that this trick is harmless when doing LVS
with squid? Any suggestions?
Regards,
Wiboon
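As an added example (not part of Wiboon's post or of the LVS/Squid code), the two checks an admin in this situation would want scripted: a conntrack-table usage check that can feed MRTG or a cron alarm before the table fills up again, and an idempotent helper to pin a sysctl key such as ip_conntrack_tcp_loose in a sysctl.conf-style file. File paths are parameters so the functions run against constructed sample files as well as the live /proc tree; the default paths assume a current kernel, where the counters live under /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max and the sysctl is named net.netfilter.nf_conntrack_tcp_loose, while 2.6-era kernels like the one in the post use the ip_conntrack_* names under /proc/sys/net/ipv4/netfilter/.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Helpers for watching conntrack headroom and persisting a sysctl setting.

# Print conntrack table usage as an integer percentage.
# Paths default to the nf_conntrack names; pass the ip_conntrack_* paths
# explicitly on older kernels.
conntrack_usage_pct() {
    count_file=${1:-/proc/sys/net/netfilter/nf_conntrack_count}
    max_file=${2:-/proc/sys/net/netfilter/nf_conntrack_max}
    count=$(cat "$count_file")
    max=$(cat "$max_file")
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Return 0 while usage is below the threshold percentage, 1 at or above it,
# so a cron job can alert well before the table is full and packets get dropped.
conntrack_has_headroom() {
    threshold=$1
    pct=$(conntrack_usage_pct "$2" "$3")
    [ "$pct" -lt "$threshold" ]
}

# Set "key = value" in a sysctl.conf-style file: replace an existing line for
# the key, otherwise append one. Idempotent, and portable (no GNU sed -i).
set_sysctl_conf() {
    conf=$1; key=$2; value=$3
    # Escape the dots in the key so they match literally in the regex.
    esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')
    if grep -q "^[[:space:]]*${esc}[[:space:]]*=" "$conf" 2>/dev/null; then
        sed "s|^[[:space:]]*${esc}[[:space:]]*=.*|${key} = ${value}|" "$conf" \
            > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        echo "${key} = ${value}" >> "$conf"
    fi
}

# Read the value configured for a key (last occurrence wins, as sysctl does).
get_sysctl_conf() {
    conf=$1; key=$2
    esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')
    grep "^[[:space:]]*${esc}[[:space:]]*=" "$conf" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//'
}

# Live check when invoked as "script.sh --check [count_file max_file]".
if [ "${1:-}" = "--check" ]; then
    pct=$(conntrack_usage_pct "${2:-}" "${3:-}")
    echo "conntrack table ${pct}% used"
    conntrack_has_headroom 90 "${2:-}" "${3:-}" || echo "WARNING: over 90%"
fi
```

After editing the file, `sysctl -p` (or a reboot) applies the setting; the usage check is the thing to graph, because a table that fills again after the change would show that NOTRACK or tcp_loose alone did not cover the traffic that is actually being tracked.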