An ip_conntrack_max Threshold Script
Ever had ip_conntrack_max overrun and started losing not just valid packets but possibly valid data? The solution: script it. Try using your favourite scripting language to tackle a relatively simple problem. In the example provided, a first draft (which works) is cranked out to stem future overruns, then a second draft fixes those "oi, I was in a hurry" problems.
Iptables is great, easy to set up and generally worry-free once it is all configured, except of course if one forgets to keep an eye on the state machine. ip_conntrack does just what it says: it tracks current connections (with a time lag, of course, since entries linger until their timeout expires). There is a variable in /proc/sys/net/ipv4 labelled ip_conntrack_max which also means what it says (on kernels that ship nf_conntrack instead, the same knob lives at /proc/sys/net/netfilter/nf_conntrack_max). When ip_conntrack_max is hit, or even close to being hit, bad things happen: the kernel cannot add a state entry for a new connection, so it drops those packets and logs "table full, dropping packet". Solution: write a script to keep an eye on ip_conntrack before that point. Of course there is always the first draft, and refinements to follow.
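A threshold script of the kind described above, written here as an added example rather than the article's own draft. It assumes the counters live at /proc/sys/net/ipv4/ip_conntrack_count and ip_conntrack_max on older kernels, or under /proc/sys/net/netfilter/nf_conntrack_* on newer ones, and it alerts through logger at a default of 80% usage; the arithmetic is split into small functions so the comparison can be exercised without a live table.

```shell
#!/bin/sh
# Added example: check conntrack table usage against a threshold.
# Not the article's script; the path list and the 80% default are assumptions.

# Usage of the table in whole percent: $1 = current count, $2 = maximum.
# Fails if the maximum is zero or missing, so a broken read never looks "fine".
conntrack_pct() {
    [ -n "$2" ] && [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# Succeeds (exit 0) when usage is at or above the threshold percent in $3.
conntrack_over() {
    pct=$(conntrack_pct "$1" "$2") || return 2
    [ "$pct" -ge "$3" ]
}

# Find the live counters, trying the nf_conntrack names first, then the
# older ip_conntrack names. Echoes "count max" or fails if neither exists
# (typically because the conntrack module is not loaded).
conntrack_read() {
    for dir in /proc/sys/net/netfilter/nf_conntrack /proc/sys/net/ipv4/ip_conntrack; do
        if [ -r "${dir}_count" ] && [ -r "${dir}_max" ]; then
            echo "$(cat "${dir}_count") $(cat "${dir}_max")"
            return 0
        fi
    done
    return 1
}

# Read the table, compare against $1 (percent, default 80), log a warning
# when over. Returns 0 below threshold, 1 over threshold, 2 if unreadable.
conntrack_check() {
    threshold=${1:-80}
    vals=$(conntrack_read) || {
        echo "conntrack counters not found; is the conntrack module loaded?" >&2
        return 2
    }
    set -- $vals
    count=$1
    max=$2
    pct=$(conntrack_pct "$count" "$max") || return 2
    if conntrack_over "$count" "$max" "$threshold"; then
        logger -t conntrack_check -p daemon.warning \
            "conntrack table at ${pct}% (${count}/${max}), threshold ${threshold}%"
        return 1
    fi
    return 0
}

# Invoke as: sh conntrack_check.sh run [threshold]   e.g. from cron every minute.
if [ "${1:-}" = "run" ]; then
    conntrack_check "${2:-80}"
fi
```

The script only warns; raising the limit (writing a larger value to the same *_max file, and increasing the hash table size to match) is a separate decision, since a table that keeps filling usually means a flood or a timeout that is too long rather than a limit that is too small.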