Feb 27, 2011

Following up network connections with conntrack (II)

Let's finish what was started in the previous article, Following up network connections with conntrack (I). Other important parameters that can be tuned to optimize the system are the timeouts applied to the different connection states.

root@ubuntu-server:~# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
432000

root@ubuntu-server:~# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
120

root@ubuntu-server:~# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
60

The first parameter sets the maximum lifetime of an already established connection (432000 seconds can be too long; 28800 could be enough). The second and third are the maximum lifetimes of a connection in the TIME_WAIT state and of a connection in CLOSE_WAIT, that is, one where the remote endpoint has already closed the socket.

To list all the variables belonging to the conntrack module, run the following command.

root@ubuntu-server:~# sysctl -a | grep conntrack | grep ipv4
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent2 = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
net.ipv4.netfilter.ip_conntrack_tcp_loose = 1
net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0
net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
net.ipv4.netfilter.ip_conntrack_max = 15768
net.ipv4.netfilter.ip_conntrack_count = 2
net.ipv4.netfilter.ip_conntrack_buckets = 4096
net.ipv4.netfilter.ip_conntrack_checksum = 1
net.ipv4.netfilter.ip_conntrack_log_invalid = 0

And if you want to change the value of any variable, add it to the /etc/sysctl.conf file and reload the settings with sysctl -p.

root@ubuntu-server:~# cat /etc/sysctl.conf
...
net.ipv4.netfilter.ip_conntrack_max = 131072

root@ubuntu-server:~# sysctl -p

One interesting option of the conntrack command is the possibility of getting statistics about the connection tracking.

root@ubuntu-server:~# conntrack -S
entries                 2  
searched                0  
found                   1107
new                     4  
invalid                 0  
ignore                  0  
delete                  2  
delete_list             2  
insert                  4  
insert_failed           0  
drop                    0  
early_drop              0  
icmp_error              0  
expect_new              0  
expect_create           0  
expect_delete           0  
search_restart          0
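
The timeouts and table limits from the sysctl listing above and the counters printed by conntrack -S are only useful once you compare them against each other: a table that is nearly full, an established timeout measured in days, or a non-zero drop counter each point at the same problem (flows kept for too long in a table that is too small). The following script is an added example, not part of the original article or of the conntrack tools; it parses both outputs, which are embedded here as constructed samples taken from the values shown on this page, and prints findings. The thresholds (the 28800-second established timeout suggested earlier and an 80% fill ratio) are assumptions chosen for the example.

```python
"""Health check for the conntrack table from the sysctl listing and the
counters of ``conntrack -S``.  Both inputs are constructed samples using
the values shown in the article; replace them with real command output."""
import re

# Constructed sample: a subset of the ``sysctl -a | grep conntrack`` listing.
SYSCTL_OUTPUT = """\
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_max = 15768
net.ipv4.netfilter.ip_conntrack_count = 2
net.ipv4.netfilter.ip_conntrack_buckets = 4096
"""

# Constructed sample: counters in the two-column format of ``conntrack -S``.
CONNTRACK_STATS = """\
entries                 2
searched                0
found                   1107
new                     4
invalid                 0
drop                    0
early_drop              0
insert_failed           0
"""


def parse_sysctl(text):
    """Turn 'key = value' lines into a dict of ints keyed by the last
    component of the variable name (e.g. 'ip_conntrack_max')."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(-?\d+)\s*$", line)
        if m:
            values[m.group(1).rsplit(".", 1)[-1]] = int(m.group(2))
    return values


def parse_stats(text):
    """Turn the 'name   count' lines of conntrack -S into a dict of ints."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            stats[parts[0]] = int(parts[1])
    return stats


def conntrack_health(sysctl_text, stats_text, established_max=28800, util_warn=0.8):
    """Return a list of findings (empty when nothing looks wrong).
    established_max and util_warn are thresholds assumed for this example."""
    sc = parse_sysctl(sysctl_text)
    st = parse_stats(stats_text)
    findings = []

    # Fill ratio of the tracking table: once it reaches 100% the kernel can
    # no longer track new flows and starts dropping packets.
    count, maximum = sc["ip_conntrack_count"], sc["ip_conntrack_max"]
    util = count / maximum
    if util >= util_warn:
        findings.append(f"table {util:.0%} full ({count}/{maximum}): raise ip_conntrack_max")

    # A long established timeout keeps dead flows in the table for days,
    # which is what fills it up on a busy host.
    est = sc["ip_conntrack_tcp_timeout_established"]
    if est > established_max:
        findings.append(f"tcp_timeout_established={est}s exceeds {established_max}s")

    # drop: a new entry could not be allocated; early_drop: an existing entry
    # was evicted to make room; insert_failed: the entry could not be inserted.
    # Any of them being non-zero means tracking state was lost.
    for name in ("drop", "early_drop", "insert_failed"):
        if st.get(name, 0) > 0:
            findings.append(f"{name}={st[name]}: conntrack entries were lost")

    return findings


if __name__ == "__main__":
    for finding in conntrack_health(SYSCTL_OUTPUT, CONNTRACK_STATS) or ["no findings"]:
        print(finding)
```

On the sample values the only finding is the five-day established timeout; feed it a listing where ip_conntrack_count approaches ip_conntrack_max, or a conntrack -S output with a non-zero drop or early_drop counter, and the corresponding findings appear as well.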

Another useful feature of conntrack is to output connection state changes in real time, similar to running "tail -f" on a file.

root@ubuntu-server:~# conntrack -E

We can conclude from this pair of articles that the conntrack module is another helpful way to improve Linux performance.
