Re: [Xen-users] dom0 can see connections from domU-s
On Tue, Aug 25, 2009 at 10:01 AM, Thiago Camargo Martins Cordeiro <thiagocmartinsc@xxxxxxxxx> wrote:
> I have this problem at my Linux border gateway, it cannot even have the
> NAT module loaded, even with no NAT rules, the Kernel drops a lot of
> packages on a busy network, saying that the NAT conntrack table is full... I
> hate it! :-P

Is it a dom0? Or is it simply a Linux router, in which case this is not
directly Xen-related?

> The BSD systems suffer from this evil behavior too?
>
> I never sent a mail to Linus before but, this can be a good time to do so.
>
> I say this because I believe that Linux should not drop network packets
> only by loading some module.
>
> ...or simply we do not know how to adjust it!

What's the value of /proc/sys/net/ipv4/ip_conntrack_max ? It's 65536 by
default on RHEL, and should be adjustable using something like

    echo 655360 > /proc/sys/net/ipv4/ip_conntrack_max

If you're feeling brave, you can adjust some timeouts
(/proc/sys/net/ipv4/netfilter/ip_conntrack*timeout*) to have dead
connections dropped sooner, thus reducing overall connection count.

-- 
Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
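An added example (not from the thread or the Xen project) that turns the advice above into a check a gateway operator can run: it reads the conntrack count and ceiling from the legacy ip_conntrack paths named in the reply or from the current nf_conntrack paths under /proc/sys/net/netfilter, reports table pressure before the kernel starts dropping packets, counts "table full, dropping packet" kernel messages in a log, and prints a sysctl.d fragment that raises the ceiling and shortens the established-TCP timeout. The 70/90 percent thresholds and the 3600 s timeout are chosen values, not kernel defaults; the nf_conntrack_* names are the modern equivalents and are not in the thread.

```shell
#!/bin/sh
# Added example: gauge conntrack table pressure and emit the tuning fragment.
# Legacy ip_conntrack_* paths come from the thread; nf_conntrack_* paths are the
# current names. Thresholds below are a chosen policy, not kernel values.

# Print the contents of the first readable file among the arguments.
read_first_existing() {
    for p in "$@"; do
        if [ -r "$p" ]; then cat "$p"; return 0; fi
    done
    return 1
}

# Integer percentage of the table in use: count * 100 / max.
conntrack_pct() {
    cnt=$1; lim=$2
    [ "$lim" -gt 0 ] || { echo 0; return 1; }
    echo $(( cnt * 100 / lim ))
}

# ok / warn / critical at the 70 and 90 percent marks.
conntrack_verdict() {
    pct=$(conntrack_pct "$1" "$2")
    if [ "$pct" -ge 90 ]; then echo critical
    elif [ "$pct" -ge 70 ]; then echo warn
    else echo ok; fi
}

# Count kernel "table full, dropping packet" lines in log text read from stdin.
count_table_full() {
    grep -c 'table full, dropping packet' || true
}

# sysctl.d fragment: raise the ceiling (the echo above, made persistent) and
# shorten the established-TCP timeout (kernel default 432000 s = 5 days) so
# dead flows leave the table sooner. Raising the max also raises memory use.
conntrack_sysctl_fragment() {
    printf 'net.netfilter.nf_conntrack_max = %s\n' "$1"
    printf 'net.netfilter.nf_conntrack_tcp_timeout_established = %s\n' "$2"
}

# Live report when run on a Linux host with conntrack loaded; silent otherwise.
cur=$(read_first_existing /proc/sys/net/netfilter/nf_conntrack_count \
                          /proc/sys/net/ipv4/netfilter/ip_conntrack_count) || cur=
max=$(read_first_existing /proc/sys/net/netfilter/nf_conntrack_max \
                          /proc/sys/net/ipv4/ip_conntrack_max) || max=
if [ -n "$cur" ] && [ -n "$max" ]; then
    echo "conntrack: $cur/$max ($(conntrack_pct "$cur" "$max")%) -> $(conntrack_verdict "$cur" "$max")"
fi
```

Write the fragment to a file under /etc/sysctl.d and apply it with sysctl --system; the live report line is what you would feed a monitoring check so the table is grown before drops begin.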