Can you add two function in zeroshell


This topic contains 3 replies, has 0 voices, and was last updated by  yuda 12 years, 1 month ago.

  • #40707

    yuda
    Member

    Can you add two function in zeroshell
    1. Use web interface to modify “/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established”
    2. Use web interface to modify “/proc/sys/net/ipv4/ip_conntrack_max”

    Thank you very much

    #45654

    imported_fulvio
    Participant

    Why do you need these two functions?

    Fulvio

    #45655

    yuda
    Member

    When enabled through the use of NAT or other stateful inspection rules, netfilter (iptables) under Linux maintains a list of connections passing through the router. Each connection tracking entry contains defined characteristics of the packet, including the source and destination IP address and port number.

    The connection tracking entries are ultimately stored in a hash table with a fixed size. By default on an Imagestream router, the hash table can store 8064 entries. For routers with stateful inspection enabled, the number of connections to track may exceed the total number of connections available in the table. If the router reaches the maximum number of connection tracking entries, it will log an error:
    “ip_conntrack: table full, dropping packet”

    each time that it is unable to store an entry in the connection tracking table. Each instance of this message represents a connection that the router has discarded, typically meaning that the user whose connection was dropped must re-establish their connection.

    The maximum size of the connection tracking table can be increased. The maximum size value is stored in the router’s proc filesystem in the file /proc/sys/net/ipv4/ip_conntrack_max. Increasing the maximum size of the connection tracking table to a value larger than the total number of connections will eliminate the error message and prevent the router from dropping connections due to a lack of space in the connection tracking table.

    #45656

    imported_fulvio
    Participant

    What about /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established ?

    #45657

    yuda
    Member

    /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

    This is the time after which netfilter drops this TCP session if it receives no ACK packets.
    The default is 432000 sec, 5 days.
    It is too long a time.
    If a user uses ssh and does not close ssh before powering off the PC,
    only after 5 days can netfilter drop these sessions.
    If nobody closes their TCP sessions,
    the system will log an error:
    “ip_conntrack: table full, dropping packet”
    Thanks
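The two posts above describe the conntrack table filling up and the long established-TCP timeout. The following is an added example, not code from ZeroShell or from the posters: a small health check that counts "table full" events in a kernel log excerpt, reports how full the table is, and proposes a larger ip_conntrack_max with headroom. The proc paths are the ones named in the thread (the ip_conntrack_count path is assumed to sit beside the timeout file on those kernels; newer kernels expose the same values under /proc/sys/net/netfilter/nf_conntrack_*); the log excerpt and the fallback counts are constructed.

```shell
#!/bin/sh
# Added example (not ZeroShell code): conntrack table health check.
# Reads live proc values when present, otherwise falls back to constructed
# defaults so the script also runs on a machine without netfilter.
# Proc paths are those named in the thread; ip_conntrack_count is assumed.

# Constructed kernel log excerpt standing in for `dmesg` output.
SAMPLE_LOG='[ 1203.441] ip_conntrack: table full, dropping packet.
[ 1203.442] ip_conntrack: table full, dropping packet.
[ 1210.007] eth0: link up
[ 1215.101] ip_conntrack: table full, dropping packet.'

# count_table_full LOGTEXT -> number of dropped-packet events in LOGTEXT
count_table_full() {
    printf '%s\n' "$1" | grep -c 'ip_conntrack: table full, dropping packet' || true
}

# usage_pct COUNT MAX -> integer percentage of the table currently in use
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# suggest_max COUNT -> ip_conntrack_max with 50% headroom over COUNT,
# rounded up to a multiple of 1024 and never below the 8064 default cited above
suggest_max() {
    need=$(( $1 * 3 / 2 ))
    rounded=$(( (need + 1023) / 1024 * 1024 ))
    if [ "$rounded" -lt 8064 ]; then rounded=8064; fi
    echo "$rounded"
}

# read_proc FILE DEFAULT -> contents of FILE on a live router, DEFAULT elsewhere
read_proc() {
    if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi
}

main() {
    max=$(read_proc /proc/sys/net/ipv4/ip_conntrack_max 8064)
    timeout=$(read_proc /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established 432000)
    count=$(read_proc /proc/sys/net/ipv4/netfilter/ip_conntrack_count 7900)  # 7900 is a constructed sample
    echo "conntrack: $count/$max entries ($(usage_pct "$count" "$max")% used), tcp established timeout ${timeout}s"
    echo "table-full events in log: $(count_table_full "$SAMPLE_LOG")"
    if [ "$(usage_pct "$count" "$max")" -ge 90 ]; then
        echo "suggested ip_conntrack_max: $(suggest_max "$count")"
    fi
}
main
```

On a real router the suggested value would be written with `echo VALUE > /proc/sys/net/ipv4/ip_conntrack_max`, which is exactly the knob the thread asks to expose in the web interface.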
