[Xen-users] Re: ip conntrack table full
"Fajar A. Nugraha" <fajar@xxxxxxxxx> writes:

> On Mon, Jan 25, 2010 at 7:00 AM, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
>
>> Ok, that is a good indicator. I can see things contacting port 443, which
>> is what should be on the domU. I'm also seeing lots of established
>> connections that aren't showing up in netstat. So it's like the dom0 is
>> tracking the domU's iptables, but is not releasing them?
>
> Have you looked at each domU's conntrack count (assuming they also have
> iptables enabled)? Most likely if you add up all of them it'd match
> dom0's count.
>
> If the load is what you expect (i.e. no portscan/attacks), and you
> don't use dom0 as firewall (just a router), then perhaps you should
> simply just disable iptables on dom0. Another alternative is to
> increase max conntrack, or reduce conntrack timeouts on dom0.

Or zero out /proc/sys/net/bridge/bridge-nf-call-iptables on dom0.
-- 
Feri.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
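The thread's three knobs (conntrack count versus max, conntrack table pressure, and whether bridged domU frames are being handed to dom0's iptables via bridge-nf-call-iptables) can be checked together from dom0. The script below is an added example written for this page, not code posted by any participant; the ROOT argument and the 80% warning threshold are assumptions so the check can be run against a copy of /proc/sys as well as the live tree.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): report dom0 conntrack table pressure and
# whether bridged domU traffic is being pushed through dom0's iptables/conntrack.
# $1 (ROOT) is prefixed to every /proc path; empty means the live system.

conntrack_file() {
    # $1 = root, $2 = count|max. Current kernels expose net/netfilter/nf_conntrack_*,
    # the 2.6-era kernels in this thread expose net/ipv4/netfilter/ip_conntrack_*.
    for f in "$1/proc/sys/net/netfilter/nf_conntrack_$2" \
             "$1/proc/sys/net/ipv4/netfilter/ip_conntrack_$2"; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

conntrack_usage_pct() {
    # Integer percentage of the conntrack table in use under root $1, or 'n/a'
    # (with status 1) when conntrack is not loaded there.
    cf=$(conntrack_file "$1" count) || { echo n/a; return 1; }
    mf=$(conntrack_file "$1" max)   || { echo n/a; return 1; }
    count=$(cat "$cf"); max=$(cat "$mf")
    [ "$max" -gt 0 ] 2>/dev/null || { echo n/a; return 1; }
    echo $(( count * 100 / max ))
}

bridge_nf_call_iptables() {
    # 1: frames crossing the Xen bridge are run through dom0's iptables (and so
    # fill dom0's conntrack table); 0: they are not; 'absent': knob not present.
    f="$1/proc/sys/net/bridge/bridge-nf-call-iptables"
    [ -r "$f" ] && cat "$f" || echo absent
}

conntrack_report() {
    # $1 = root (default: live system), $2 = warning threshold in percent (default 80)
    root=${1:-}; warn=${2:-80}
    pct=$(conntrack_usage_pct "$root") || { echo "conntrack: not enabled"; return 0; }
    echo "conntrack table: ${pct}% used (bridge-nf-call-iptables=$(bridge_nf_call_iptables "$root"))"
    [ "$pct" -ge "$warn" ] && echo "WARNING: table near full; raise max, shorten timeouts, or set bridge-nf-call-iptables=0 if dom0 is only a router"
    return 0
}

# Report on the live system when run directly.
conntrack_report "" 80
```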