Iptables is great, easy to set up and generally worry free once it is all configured. Except of course if one forgets to keep an eye on the state machine. ip_conntrack does just what it says; it tracks current connections (with a timelag of course: entries linger until their timeouts expire, so the table is always a little behind the real traffic). There is a variable in /proc/sys/net/ipv4 labelled ip_conntrack_max (nf_conntrack_max under /proc/sys/net/netfilter on newer kernels) which also means what it says: when ip_conntrack_max is hit (or even close to being hit) bad things can happen, namely the kernel logs "ip_conntrack: table full, dropping packet" and silently drops new connections while the firewall itself looks perfectly healthy. Solution: write a script to keep an eye on ip_conntrack. Of course there is always the first draft and refinements to follow.
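As an added example (not the script the article refers to), here is a small conntrack watchdog in POSIX sh. It reads the table size and current fill level from /proc, reports OK, WARN or CRIT with Nagios-style exit codes, and counts "table full, dropping packet" lines in a kernel log so a rising count can be alerted on. It assumes the older /proc/sys/net/ipv4/ip_conntrack_* names the article uses and falls back to the nf_conntrack_* names newer kernels use; the 80% warning threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the article): a small conntrack watchdog.
# Assumptions: the older /proc/sys/net/ipv4/ip_conntrack_* files, with a
# fallback to the nf_conntrack_* files of newer kernels; WARN_PCT=80 is an
# arbitrary threshold.

WARN_PCT=${WARN_PCT:-80}

# Print "<max-file> <count-file>" for whichever naming this kernel uses.
conntrack_paths() {
    if [ -r /proc/sys/net/ipv4/ip_conntrack_max ]; then
        echo "/proc/sys/net/ipv4/ip_conntrack_max /proc/sys/net/ipv4/netfilter/ip_conntrack_count"
    else
        echo "/proc/sys/net/netfilter/nf_conntrack_max /proc/sys/net/netfilter/nf_conntrack_count"
    fi
}

# conntrack_pct COUNT MAX -> integer percentage of the table in use
# (prints 0 and fails if MAX is not a positive number).
conntrack_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status COUNT MAX WARN_PCT -> prints OK/WARN/CRIT/UNKNOWN with
# exit code 0/1/2/3, so it can be wired straight into a monitoring system.
conntrack_status() {
    st_pct=$(conntrack_pct "$1" "$2") || { echo UNKNOWN; return 3; }
    if [ "$1" -ge "$2" ]; then
        echo CRIT; return 2          # table full: the kernel is dropping new flows
    elif [ "$st_pct" -ge "$3" ]; then
        echo WARN; return 1          # close to full: act before it bites
    fi
    echo OK; return 0
}

# table_full_drops < kernel-log -> number of "table full, dropping packet" lines.
# Matches both the ip_conntrack and nf_conntrack spellings of the message.
table_full_drops() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Live check against this host; run as: sh conntrack_check.sh --check
main() {
    set -- $(conntrack_paths)
    max=$(cat "$1" 2>/dev/null) || { echo "UNKNOWN: no conntrack table (module not loaded?)"; return 3; }
    count=$(cat "$2" 2>/dev/null) || count=0
    status=$(conntrack_status "$count" "$max" "$WARN_PCT"); rc=$?
    echo "$status: conntrack $count/$max ($(conntrack_pct "$count" "$max")%)"
    return $rc
}

if [ "${1:-}" = "--check" ]; then
    main
    exit $?
fi
```

Run it from cron or a monitoring agent with `--check`; feed `dmesg` into `table_full_drops` to confirm whether drops have already happened. One caveat when the fix is simply to raise the limit: the conntrack hash table is sized separately (the `hashsize` module parameter, visible under /sys/module), so bumping ip_conntrack_max far above it trades dropped packets for long hash chains and slower lookups.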
Printed at http://lxer.com/module/newswire/view/89523/index.html