>>What is the disadvantage having that as default?

Well, the default value is quite low (if I remember, 64000).
And in the past, I have had packets drop (when netfilter conntrack was enabled on bridges in the kernel),
because this really tracks all connections, also those not yet established (like a SYN flood, and you can easily fill the table).

I don't know if we can set up a really high value by default?

Also, it seems that another option must be tuned,

/etc/modprobe.conf:
options ip_conntrack hashsize=32768

I need to read a little more about it.

----- Original message -----
From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>
Cc: [email protected]
Sent: Sunday, 2 March 2014 09:14:50
Subject: RE: pvefw: using ctmark to associacte connections to VMs

> >>What is the advantage of using dynamic value? You want to save RAM?
> I'm thinking of users who have a small server with small RAM and other users
> who have a big server and big RAM.
>
> But sure, we can tune net.netfilter.nf_conntrack_max, but users must be
> warned to do it.

What is the disadvantage having that as default?
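The thread's concern, that half-open connections occupy conntrack entries and can fill the table up to nf_conntrack_max, can be checked on a host as in the following added example, which is not part of the original mails or of the Proxmox code. The sample entries are constructed, and the function names and the 80% warning threshold are assumptions.

```shell
#!/bin/sh
# Added example: how full is the conntrack table, and how much of it is half-open TCP?

# Constructed sample in /proc/net/nf_conntrack line format (documentation address ranges).
sample_entries() {
cat <<'EOF'
ipv4     2 tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40112 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=40112 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 118 SYN_SENT src=203.0.113.7 dst=198.51.100.5 sport=1025 dport=80 [UNREPLIED] src=198.51.100.5 dst=203.0.113.7 sport=80 dport=1025 mark=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=203.0.113.7 dst=198.51.100.5 sport=1026 dport=80 [UNREPLIED] src=198.51.100.5 dst=203.0.113.7 sport=80 dport=1026 mark=0 use=1
ipv4     2 tcp      6 58 SYN_RECV src=203.0.113.9 dst=198.51.100.5 sport=2000 dport=443 src=198.51.100.5 dst=203.0.113.9 sport=443 dport=2000 mark=0 use=1
ipv4     2 udp      17 25 src=192.0.2.10 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=5353 mark=0 use=1
EOF
}

# Read conntrack entries on stdin; print how many TCP flows are not yet established.
half_open_count() {
    awk '$3 == "tcp" && ($6 == "SYN_SENT" || $6 == "SYN_RECV") { n++ } END { print n + 0 }'
}

# usage_pct COUNT MAX -> integer percentage of the table in use.
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# table_status COUNT MAX -> ok | warn | full (the 80% warn threshold is an assumption).
table_status() {
    pct=$(usage_pct "$1" "$2")
    if [ "$1" -ge "$2" ]; then echo full
    elif [ "$pct" -ge 80 ]; then echo warn
    else echo ok
    fi
}

# Report on the running host; needs nf_conntrack loaded (and root for the entry list).
live_report() {
    dir=/proc/sys/net/netfilter
    [ -r "$dir/nf_conntrack_max" ] || { echo "nf_conntrack not loaded"; return 0; }
    count=$(cat "$dir/nf_conntrack_count"); max=$(cat "$dir/nf_conntrack_max")
    echo "entries=$count max=$max status=$(table_status "$count" "$max")"
    [ -r /sys/module/nf_conntrack/parameters/hashsize ] &&
        echo "hashsize=$(cat /sys/module/nf_conntrack/parameters/hashsize)"
    [ -r /proc/net/nf_conntrack ] && echo "half_open=$(half_open_count < /proc/net/nf_conntrack)"
    return 0
}

# Run with the argument "live" on a real host; otherwise count the constructed sample.
if [ "${1:-}" = "live" ]; then live_report; else sample_entries | half_open_count; fi
```

A high half-open count together with a `warn` or `full` status is the condition described in the mail, where new flows are dropped because the table has no free entries.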
