iptables + ip_conntrack (required?)
I have been lurking on this group now for a while, and there does seem
to be sound advice floating around. So with that, I tread into your waters and ask for your assistance.

The setup is simple. nginx sitting on a Linux CentOS (2.6 kernel) acting as a load balancer for a set of backend machines. The machine is under quite a lot of network stress in terms of sockets being set up and torn down again. We have iptables running to stop all the nasty people in the world! :)

However, views seem to be divided on the ip_conntrack issue. Some say to just increase the value if you are running out of handles.

  echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max

Some say to tune the values below their defaults so sockets get cleared out quicker:

  ip_conntrack_tcp_timeout_time_wait
  ip_conntrack_tcp_timeout_fin_wait

Now some people say to remove ip_conntrack completely, it's not required for web traffic, especially for web balancers as you need double the amount of sockets (one for the incoming and another for the backend).

  iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK

So my questions are:

1. Anyone have any experience with this world?
2. What is ip_conntrack really buying me for web traffic?
3. Is the NOTRACK the only way to turn off ip_conntrack?

All advice gratefully received and digested! :)

thanks

-- 
Alan Williamson
Registrationless email/sms reminders: http://yourli.st/
blog: http://alan.blog-city.com/
Re: iptables + ip_conntrack (required?)
Hello,

Alan Williamson wrote:
> Some say to just increase the value if you are running out of handles.
>
>   echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max
>
> Some say to tune the values below their defaults so sockets get cleared
> out quicker:
>
>   ip_conntrack_tcp_timeout_time_wait
>   ip_conntrack_tcp_timeout_fin_wait
>
> Now some people say to remove ip_conntrack completely, it's not required
> for web traffic, especially for web balancers as you need double the
> amount of sockets (one for the incoming and another for the backend).
>
>   iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK

They're all wrong. Conntrack has nothing to do with sockets. If your box
runs out of sockets, you're looking in the wrong direction.

> 2. What is ip_conntrack really buying me for web traffic?

Conntrack tracks "connections" based on the packet flows it sees. It is
necessary for address/port translation (-j DNAT, SNAT, MASQUERADE,
REDIRECT...) and stateful filtering (-m state, conntrack). If you use
neither of these, you probably don't need conntrack.

> 3. Is the NOTRACK the only way to turn off ip_conntrack?

If ip_conntrack (or nf_conntrack in "recent" kernels) is built as a
module, you can just not load it. NOTRACK is just more selective in
allowing not to track some flows.
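The reply above makes two points that can be checked directly on the box: conntrack entries are flows, not sockets, and conntrack is only needed when NAT or stateful matching actually uses it. The following is an added example, not code from either poster, that parses a conntrack table dump in both the 2.6-era /proc/net/ip_conntrack layout and the newer /proc/net/nf_conntrack layout, counts entries per TCP state (so you can see how much of the table is TIME_WAIT before touching the timeout sysctls), flags entries whose reply tuple is translated (NAT is in use, so a blanket NOTRACK rule would break those flows), and compares the total with ip_conntrack_max. The sample lines, addresses and the 65536 limit are constructed.

```python
"""Summarize a Linux conntrack table: states, NAT use, and table utilization."""
import os
import re
from collections import Counter

# Constructed sample entries. Lines 1-4 use the /proc/net/ip_conntrack layout
# (2.6-era kernels); lines 5-7 use the /proc/net/nf_conntrack layout, which
# prefixes each entry with the address family. The last entry is a DNAT'd
# flow: the reply tuple is not simply the original tuple reversed.
SAMPLE_TABLE = """\
tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=192.0.2.10 sport=51234 dport=80 src=192.0.2.10 dst=203.0.113.7 sport=80 dport=51234 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=203.0.113.8 dst=192.0.2.10 sport=51235 dport=80 src=192.0.2.10 dst=203.0.113.8 sport=80 dport=51235 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.0.2.10 dst=10.0.0.21 sport=40001 dport=8080 src=10.0.0.21 dst=192.0.2.10 sport=8080 dport=40001 [ASSURED] use=1
tcp      6 55 FIN_WAIT src=192.0.2.10 dst=10.0.0.22 sport=40002 dport=8080 src=10.0.0.22 dst=192.0.2.10 sport=8080 dport=40002 [ASSURED] use=1
ipv4     2 tcp      6 299 ESTABLISHED src=203.0.113.9 dst=192.0.2.10 sport=51236 dport=80 src=192.0.2.10 dst=203.0.113.9 sport=80 dport=51236 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.0.2.10 dst=192.0.2.53 sport=53123 dport=53 src=192.0.2.53 dst=192.0.2.10 sport=53 dport=53123 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=192.0.2.10 sport=51237 dport=80 src=10.0.0.23 dst=203.0.113.10 sport=8080 dport=51237 [ASSURED] mark=0 use=1
"""

# Optional "ipv4 2" prefix, protocol name and number, remaining timeout in
# seconds, an optional upper-case state (TCP only), then the key=value tuples.
LINE_RE = re.compile(
    r"^(?:(?P<family>ipv[46])\s+\d+\s+)?"
    r"(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<rest>src=.*)$"
)


def parse_line(line):
    """Return a dict for one conntrack entry, or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"src": [], "dst": [], "sport": [], "dport": []}
    # The first src/dst/sport/dport group is the original direction, the
    # second group is the expected reply direction.
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("rest")):
        if key in fields:
            fields[key].append(val)

    def pick(key, i):
        return fields[key][i] if len(fields[key]) > i else None

    orig = (pick("src", 0), pick("sport", 0), pick("dst", 0), pick("dport", 0))
    reply = (pick("src", 1), pick("sport", 1), pick("dst", 1), pick("dport", 1))
    # Without NAT the reply tuple is exactly the original tuple reversed.
    translated = reply != (orig[2], orig[3], orig[0], orig[1])
    return {
        "proto": m.group("proto"),
        "state": m.group("state") or "-",
        "timeout": int(m.group("timeout")),
        "orig": orig,
        "reply": reply,
        "nat": translated,
        "assured": "[ASSURED]" in line,
    }


def summarize(table_text):
    """Count entries by protocol and TCP state and how many are NAT-translated."""
    by_state, by_proto, nat_entries, total = Counter(), Counter(), 0, 0
    for line in table_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        total += 1
        by_proto[entry["proto"]] += 1
        by_state[entry["state"]] += 1
        nat_entries += entry["nat"]
    return {"total": total, "by_state": by_state,
            "by_proto": by_proto, "nat_entries": nat_entries}


def utilization(total, conntrack_max):
    """Fraction of the conntrack table in use; 1.0 means new flows get dropped."""
    return total / conntrack_max if conntrack_max else 0.0


def read_live_table():
    """Read the real table if present (nf_conntrack first, then ip_conntrack)."""
    for path in ("/proc/net/nf_conntrack", "/proc/net/ip_conntrack"):
        if os.path.exists(path):
            with open(path) as fh:
                return fh.read()
    return ""


if __name__ == "__main__":
    text = read_live_table() or SAMPLE_TABLE
    s = summarize(text)
    print("entries:", s["total"], "per state:", dict(s["by_state"]))
    print("NAT-translated entries:", s["nat_entries"])
    print("utilization vs constructed max 65536: %.4f" % utilization(s["total"], 65536))
```

A table dominated by TIME_WAIT entries is the case where lowering ip_conntrack_tcp_timeout_time_wait frees space; a non-zero NAT count means some rules depend on conntrack, so exempting port 80 with NOTRACK needs to be checked against those rules rather than applied blindly. Run on a live host it reads the kernel's own table; elsewhere it falls back to the constructed sample.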