> What are the session timeout controls with ip_conntrack? I'm load balancing
> two netfilter (2.4.18 kernel, 1.2.5 ipt) boxes in front of a web server farm
> and I'm seeing an avg of 362 connections (GETs) per second, slabinfo
> reports 26k on one and 34k on the other. What is ip_conntrack's definition
> and criteria for a "connection"? How do they expire? How can I expire
> them? etc.
Don't worry. If the above rates are stable, they correspond to a memory usage of a measly 13MB RAM. If you compare with /proc/net/tcp on the real servers, you should see similar amounts of sockets. It's normal to keep around information per TCP connection, for some time.

You can't expire the connections by hand, and you don't want to. If you are curious about the timeout mechanisms used, look at the source: in net/ipv4/ip_conntrack_proto_tcp.c, you can find the full state engine which classifies TCP connections as packets fly by, and selects suitable timeouts for the various states. It's a good topic to learn about, if you are so inclined, but it's no worry for you as a system administrator.

best regards
Patrick
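To see the state engine's decisions on a live box rather than in the source, the conntrack table itself shows each entry's TCP state and the seconds left before it expires. The script below is an added example, not code from the thread or from netfilter; it parses text in the /proc/net/ip_conntrack layout as assumed here (protocol name, protocol number, remaining seconds, the TCP state for tcp entries, then the original and reply tuples), using a constructed sample table with made-up addresses. It counts entries per state with the range of remaining timeouts, flags how many are [ASSURED], lists the busiest destinations (a quick check when the count climbs suddenly), and gives a rough memory estimate whose bytes-per-entry figure is the caller's assumption, not a kernel constant.

```python
import re
from collections import defaultdict

# Constructed sample of /proc/net/ip_conntrack lines (2.4-kernel layout as
# assumed here: protocol name, protocol number, seconds left before the entry
# expires, the TCP state for tcp entries, then the original and reply tuples).
# These are made-up addresses, not captured traffic.
SAMPLE_TABLE = """\
tcp      6 431999 ESTABLISHED src=10.1.1.5 dst=192.0.2.10 sport=40001 dport=80 src=192.0.2.10 dst=10.1.1.5 sport=80 dport=40001 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.1.1.6 dst=192.0.2.10 sport=40002 dport=80 src=192.0.2.10 dst=10.1.1.6 sport=80 dport=40002 [ASSURED] use=1
tcp      6 58 SYN_SENT src=10.1.1.7 dst=192.0.2.10 sport=40003 dport=80 src=192.0.2.10 dst=10.1.1.7 sport=80 dport=40003 use=1
tcp      6 29 CLOSE src=10.1.1.8 dst=192.0.2.10 sport=40004 dport=80 src=192.0.2.10 dst=10.1.1.8 sport=80 dport=40004 use=1
udp      17 28 src=10.1.1.9 dst=192.0.2.53 sport=5000 dport=53 src=192.0.2.53 dst=10.1.1.9 sport=53 dport=5000 use=1
"""

# One line of the table. The upper-case state token is present only for tcp.
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<ttl>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<rest>.*)$"
)
# The original tuple comes first, the reply tuple second.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Parse ip_conntrack text into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tuples = TUPLE_RE.findall(m.group("rest"))
        entries.append({
            "proto": m.group("proto"),
            "state": m.group("state"),            # None for stateless protocols
            "ttl": int(m.group("ttl")),           # seconds until the entry expires
            "assured": "[ASSURED]" in m.group("rest"),
            "orig": tuples[0] if tuples else None,  # (src, dst, sport, dport)
        })
    return entries


def summarize(entries):
    """Count entries per (proto, state) with the min/max remaining timeout."""
    out = {}
    for e in entries:
        key = (e["proto"], e["state"])
        s = out.setdefault(key, {"count": 0, "min_ttl": e["ttl"], "max_ttl": e["ttl"]})
        s["count"] += 1
        s["min_ttl"] = min(s["min_ttl"], e["ttl"])
        s["max_ttl"] = max(s["max_ttl"], e["ttl"])
    return out


def estimate_memory(entries, bytes_per_entry):
    """Rough table footprint; bytes_per_entry is the caller's assumption."""
    return len(entries) * bytes_per_entry


def top_destinations(entries, n=3):
    """Destinations (dst, dport) with the most entries, most common first."""
    counts = defaultdict(int)
    for e in entries:
        if e["orig"]:
            counts[(e["orig"][1], e["orig"][3])] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])[:n]


if __name__ == "__main__":
    ents = parse_conntrack(SAMPLE_TABLE)
    for (proto, state), s in sorted(summarize(ents).items(), key=str):
        print(f"{proto:4} {state or '-':12} count={s['count']} ttl={s['min_ttl']}..{s['max_ttl']}s")
    print("assured entries:", sum(e["assured"] for e in ents))
    print("busiest destinations:", top_destinations(ents))
    print("approx. memory at 350 B/entry (assumed):", estimate_memory(ents, 350), "bytes")
```

On a real box, replace SAMPLE_TABLE with the contents of /proc/net/ip_conntrack; comparing the ESTABLISHED count against /proc/net/tcp on the real servers is the cross-check Patrick suggests, and a large share of short-ttl SYN_SENT entries to one destination is the kind of skew worth a second look.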
