Netfilter conntrack performance tweaking, v0.8

Contents:
1 Netfilter conntrack performance tweaking, v0.8
1.2 Default values of CONNTRACK_MAX and HASHSIZE
1.4 Modifying CONNTRACK_MAX and HASHSIZE
1.5 Ideal case: firewalling-only machine

This document explains some of the things you need to know for netfilter conntrack (and thus NAT) performance tuning.

Latest version of this document can be found at:

There are two parameters we can play with:
- the maximum number of allowed conntrack entries, which will be called CONNTRACK_MAX in this document
- the size of the hash table storing the lists of conntrack entries, which will be called HASHSIZE (see below for a description of the structure)

CONNTRACK_MAX is the maximum number of "sessions" (connection tracking entries) that can be handled simultaneously by netfilter in kernel memory.

A conntrack entry is stored in a node of a linked list, and there are several lists, each list being an element in a hash table. Each hash table entry (also called a bucket) contains a linked list of conntrack entries.

To access the conntrack entry corresponding to a packet, the kernel has to:
- compute a hash value according to some defined characteristics of the packet. This hash value is then used as an index into the hash table, where a list of conntrack entries is stored.
- iterate over the linked list of conntrack entries to find the right one. This is a more costly operation, depending on the size of the list (and on the position of the wanted conntrack entry in the list).

The hash table contains HASHSIZE linked lists. When the limit is reached (the total number of conntrack entries being stored has reached CONNTRACK_MAX), each list will ideally (in the optimal case) contain about CONNTRACK_MAX/HASHSIZE entries.

The hash table occupies a fixed amount of non-swappable kernel memory, whether you have any connections or not. But the maximum number of conntrack entries determines how many conntrack entries can be stored (globally, in the linked lists), i.e. how much kernel memory they will be able to occupy at most.

This document will now give you hints about how to choose optimal values for HASHSIZE and CONNTRACK_MAX, in order to get the best out of the netfilter conntracking/NAT system.

Default values of CONNTRACK_MAX and HASHSIZE

By default, both CONNTRACK_MAX and HASHSIZE get average values for "reasonable" use, computed automatically according to the amount of available RAM.

CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (x / 32)
where x is the number of bits in a pointer (for example, 32 or 64 bits)
- the default CONNTRACK_MAX value will not be lower than 128.
- for systems with more than 1GB of RAM, the default CONNTRACK_MAX value is limited to 65536 (but can of course be set higher manually).

On i386 architecture, CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 = RAMSIZE (in MegaBytes) * 64. So for example, a 32-bit PC with 512MB of RAM can handle 512*1024^2/16384 = 512*64 = 32768 simultaneous netfilter connections by default.

By default, CONNTRACK_MAX = HASHSIZE * 8.

HASHSIZE = CONNTRACK_MAX / 8 = RAMSIZE (in bytes) / 131072 / (x / 32)
- the default HASHSIZE value will not be lower than 16.
- for systems with more than 1GB of RAM, the default HASHSIZE value is limited to 8192 (but can of course be set higher manually).

On i386 architecture, HASHSIZE = CONNTRACK_MAX / 8 = RAMSIZE (in bytes) / 131072 = RAMSIZE (in MegaBytes) * 8.

This means that there is an average of 8 conntrack entries per linked list (in the optimal case, and when CONNTRACK_MAX is reached), each linked list being a hash table entry (a bucket).

The current CONNTRACK_MAX value can be read at runtime via the /proc filesystem. Since Linux kernel version 2.4.23 (thus Linux 2.6 as well), use:

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max

(the old /proc/sys/net/ipv4/ip_conntrack_max is then deprecated!)

The current HASHSIZE is always available (for every kernel version) in syslog messages, as the number of buckets (which is HASHSIZE) is printed there at ip_conntrack initialization. Since Linux kernel version 2.4.24 (thus Linux 2.6 as well), the current HASHSIZE can also be read with:

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets

The default CONNTRACK_MAX and HASHSIZE values are reasonable for a typical host, but you may increase them on high-loaded firewalling-only systems. So CONNTRACK_MAX and HASHSIZE values can be changed manually if needed.

While accessing a bucket is a constant time operation (hence the interest of having a hash of lists), keep in mind that the kernel has to iterate over a linked list to find a conntrack entry.
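The default-value formulas above (RAM divided by 16384 and 131072, scaled by the pointer size, with the 128/16 floors and the 65536/8192 caps for machines with more than 1GB) are easy to get wrong by hand, and the caps matter when you later raise one value manually. The following Python is an added example, not code from the original document or from the netfilter project: it implements those formulas as written, reproduces the page's 512MB example, and shows the chain length a lookup has to walk when CONNTRACK_MAX is raised without raising HASHSIZE. The function names (default_conntrack_max, default_hashsize, average_chain_length, hashsize_for) are this example's own; hashsize_for simply keeps the page's default ratio of 8 entries per bucket.

```python
# Added example (not from the original document): the page's formulas for the
# default CONNTRACK_MAX and HASHSIZE, with the floors (128 / 16) and the >1GB
# caps (65536 / 8192) it describes, plus the average list length a lookup walks
# once the table is full. All function names here are this example's own.

MB = 1024 ** 2
GB = 1024 ** 3


def _pointer_factor(pointer_bits):
    # The page's "(x / 32)" term: 1 on a 32-bit kernel, 2 on a 64-bit one.
    if pointer_bits not in (32, 64):
        raise ValueError("pointer_bits must be 32 or 64")
    return pointer_bits // 32


def default_conntrack_max(ram_bytes, pointer_bits=32):
    """CONNTRACK_MAX = RAMSIZE / 16384 / (x / 32), never below 128 and
    capped at 65536 on machines with more than 1GB of RAM."""
    value = ram_bytes // 16384 // _pointer_factor(pointer_bits)
    value = max(value, 128)
    if ram_bytes > GB:
        value = min(value, 65536)
    return value


def default_hashsize(ram_bytes, pointer_bits=32):
    """HASHSIZE = RAMSIZE / 131072 / (x / 32) (= CONNTRACK_MAX / 8), never
    below 16 and capped at 8192 on machines with more than 1GB of RAM."""
    value = ram_bytes // 131072 // _pointer_factor(pointer_bits)
    value = max(value, 16)
    if ram_bytes > GB:
        value = min(value, 8192)
    return value


def average_chain_length(conntrack_max, hashsize):
    """Entries per bucket when CONNTRACK_MAX is reached and hashing is even,
    i.e. the number of list nodes a lookup walks on average (ideal case)."""
    return conntrack_max / hashsize


def hashsize_for(conntrack_max, entries_per_bucket=8):
    """Bucket count that keeps the page's default ratio (8 entries per list)
    after CONNTRACK_MAX has been raised by hand; rounds up."""
    return -(-conntrack_max // entries_per_bucket)


if __name__ == "__main__":
    for ram, bits in [(512 * MB, 32), (512 * MB, 64), (4 * GB, 32)]:
        cmax = default_conntrack_max(ram, bits)
        hsize = default_hashsize(ram, bits)
        print(f"{ram // MB:5d}MB {bits}-bit: CONNTRACK_MAX={cmax:6d} "
              f"HASHSIZE={hsize:5d} avg chain={average_chain_length(cmax, hsize):.1f}")
    # Raising only CONNTRACK_MAX on a capped (>1GB) host lengthens every list:
    # 262144 entries over the default 8192 buckets is 32 per list, not 8.
    print("262144 entries / 8192 buckets ->", average_chain_length(262144, 8192))
    print("buckets needed to keep 8 per list ->", hashsize_for(262144))
```

The last two lines are the practical caveat: both defaults are capped independently above 1GB, so a hand-raised CONNTRACK_MAX needs a matching HASHSIZE or each lookup walks a proportionally longer list.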
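Reading the current values from /proc, as the text describes, depends on the kernel generation: the ip_conntrack_max file moved under /proc/sys/net/ipv4/netfilter/ in 2.4.23, and ip_conntrack_buckets only exists from 2.4.24 on (before that HASHSIZE is only in syslog). The following Python is an added example, not code from the original document: it tries the paths in that order, falls back gracefully, and reports the full-table chain length from the two values. The `root` argument only lets the reader be pointed at a directory other than "/"; the relative paths under it are the kernel's. make_fake_proc builds a constructed stand-in tree so the example runs on any machine. One assumption beyond the page: on kernels that use nf_conntrack the same two values live in /proc/sys/net/netfilter/nf_conntrack_max and nf_conntrack_buckets, included here as a final fallback.

```python
# Added example (not from the original document): read the running kernel's
# CONNTRACK_MAX and HASHSIZE from the /proc files the text names, newest path
# first. The `root` parameter exists so the same code can be run against a
# constructed fake tree (make_fake_proc) instead of the real "/".
import os
import tempfile

CONNTRACK_MAX_FILES = (
    "proc/sys/net/ipv4/netfilter/ip_conntrack_max",  # Linux 2.4.23+ and 2.6 (page)
    "proc/sys/net/ipv4/ip_conntrack_max",            # older kernels, deprecated (page)
    "proc/sys/net/netfilter/nf_conntrack_max",       # nf_conntrack kernels (assumption)
)
HASHSIZE_FILES = (
    "proc/sys/net/ipv4/netfilter/ip_conntrack_buckets",  # Linux 2.4.24+ and 2.6 (page)
    "proc/sys/net/netfilter/nf_conntrack_buckets",       # nf_conntrack kernels (assumption)
)


def read_first_int(root, candidates):
    """Return (value, path) for the first readable integer file, else (None, None)."""
    for rel in candidates:
        path = os.path.join(root, rel)
        try:
            with open(path) as fh:
                return int(fh.read().strip()), path
        except (OSError, ValueError):
            continue
    return None, None


def runtime_conntrack_params(root="/"):
    """Current CONNTRACK_MAX and HASHSIZE, where each came from, and the
    entries-per-bucket figure the text calls the cost of a lookup."""
    cmax, cmax_path = read_first_int(root, CONNTRACK_MAX_FILES)
    hsize, hsize_path = read_first_int(root, HASHSIZE_FILES)
    params = {
        "conntrack_max": cmax, "conntrack_max_path": cmax_path,
        "hashsize": hsize, "hashsize_path": hsize_path,
        "entries_per_bucket": None,  # stays None when HASHSIZE is syslog-only
    }
    if cmax is not None and hsize:
        # Average list length once the table is full: after the O(1) bucket
        # hit, a lookup walks this many nodes on average.
        params["entries_per_bucket"] = cmax / hsize
    return params


def make_fake_proc(conntrack_max, hashsize=None, legacy=False):
    """Constructed stand-in for a kernel's /proc tree (test data, not real
    values). legacy=True mimics a pre-2.4.23 kernel: only the deprecated
    ip_conntrack_max path exists and there is no buckets file at all."""
    root = tempfile.mkdtemp()
    files = [(CONNTRACK_MAX_FILES[1] if legacy else CONNTRACK_MAX_FILES[0], conntrack_max)]
    if hashsize is not None:
        files.append((HASHSIZE_FILES[0], hashsize))
    for rel, value in files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(f"{value}\n")
    return root


if __name__ == "__main__":
    print("this host:   ", runtime_conntrack_params())
    print("fake 2.6 host:", runtime_conntrack_params(make_fake_proc(65536, 8192)))
    print("fake old host:", runtime_conntrack_params(make_fake_proc(32768, legacy=True)))
```

On a real host call runtime_conntrack_params() with no argument; an entries_per_bucket well above 8 is the sign that CONNTRACK_MAX was raised without a matching HASHSIZE.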