hi!

Jan  5 04:38:05 (none) kern.warn kernel: NET: 23 messages suppressed.
Jan  5 04:38:05 (none) kern.warn kernel: ip_conntrack: table full, dropping packet.

my question is how to disable the connection tracking. we don't need this, because we don't use nat.
70 users have a bad network-performance and these log-messages show me why ...

thanks very much!

ciao,
der flo

You can try setting a higher value in /proc/sys/net/ipv4/ip_conntrack_max.

I have done this in the /etc/sysctl.conf by adding the line:

net/ipv4/ip_conntrack_max=65535

ok, this would be a workaround...
but does the wrt54gs have enough ram for such a high value?

ciao,
der flo

high values (big table) make performance problems, so better is shorting timeouts (default is 5 days)
on our linksys I have:
echo "300 600 120 60 120 120 10 60 30 120" > /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts

/proc/sys/net/ipv4/ip_conntrack_tcp_timeouts
this entry doesn't exist on my routers. is an additional module needed?

thanks for the solutions!!

but is there no chance to disable it?

ciao,
der flo

Maybe I have older kernel (2.4.20) in newer kernel every value have own file in directory /proc/sys/net/ipv4/netfilter

Home in my notes I found:

EXPLANATION:
300 600 120 60 120 120 10 60 30 120
NONE = 300 (5 minutes)
ESTABLISHED = 600 (10 minutes)
SYN_SENT = 120 (2 minutes)
SYN_RECV = 60 (60 seconds)
FIN_WAIT = 120 (2 minutes)
TIME_WAIT = 120 (2 minutes)
CLOSE = 10 (10 seconds)
CLOSE_WAIT = 60 (60 seconds)
LAST_ACK = 30 (30 seconds)
LISTEN = 120 (2 minutes)

so NONE is ip_conntrack_tcp_timeout_established

echo 300 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

This means than NEW connections have 5 minutes timeout, so existing connections stay with previous settings.

wc -l /proc/net/ip_conntrack

give you number of records in conntrack table

ok, your right!
that should be possible.
thanks!