CentOS Bug Tracker

View Issue Details

ID: 0004877
Project: CentOS-5
Category: iptables
View Status: public
Date Submitted: 2011-05-17 11:41
Last Update: 2013-08-25 17:23
Reporter: moylo
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 5.6
Fixed in Version: 5.8
Summary: 0004877: net.ipv4.netfilter.ip_conntrack values get reset to default after iptables service restart
Description

Echo the following values to proc:

echo 345600 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
echo 300000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
----------------------------------------------------------------------
set the same values in sysctl.conf

[root@dj2 ~]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

fs.file-max = 65535

#4 days
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 345600
net.ipv4.netfilter.ip_conntrack_max = 300000

----------------------------------------------------------------

do a service iptables restart

----------------------------------------------------------------
Values are set back to defaults by the restart.

[root@dj2 ~]# sysctl -a | grep conntrack
net.ipv4.ip_conntrack_max = 300000
net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3
net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0
net.ipv4.netfilter.ip_conntrack_tcp_loose = 1
net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
net.ipv4.netfilter.ip_conntrack_log_invalid = 0
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_checksum = 1
net.ipv4.netfilter.ip_conntrack_buckets = 8192
net.ipv4.netfilter.ip_conntrack_count = 53090
net.ipv4.netfilter.ip_conntrack_max = 65536

-----------------------------------------------------------------

65536 is a pretty low value, and with this bug the conntrack table fills very quickly.

Additional Information

Looks like a variant of this old Red Hat 4 issue.

https://bugzilla.redhat.com/show_bug.cgi?id=199908

Except that I am on CentOS 5.6.

I don't think this was an issue before the upgrade from CentOS 5.5.
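The report above shows the symptom by eye: two values written to /etc/sysctl.conf and to /proc, then a different value after "service iptables restart". The following shell check is an added example, not part of the original report, that makes the comparison mechanical: it parses sysctl.conf-style assignments, looks each key up in sysctl -a output, and prints every key whose live value no longer matches. The two sample inputs are constructed from the values in this report, and the function names conf_pairs and check_drift are my own.

```shell
#!/bin/sh
# Constructed sample: the relevant assignments from the reporter's
# /etc/sysctl.conf (comment lines are ignored by the parser).
WANTED_CONF='#4 days
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 345600
net.ipv4.netfilter.ip_conntrack_max = 300000
net.ipv4.tcp_syncookies = 1'

# Constructed sample: lines of "sysctl -a" captured after
# "service iptables restart", mirroring the values in the report.
LIVE_AFTER_RESTART='net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_count = 53090
net.ipv4.netfilter.ip_conntrack_max = 65536
net.ipv4.tcp_syncookies = 1'

# conf_pairs TEXT: print "key value" for every non-comment assignment
# in sysctl.conf-style TEXT ("key = value", whitespace optional).
conf_pairs() {
    printf '%s\n' "$1" \
        | sed -e 's/#.*//' -e 's/[[:space:]]//g' \
        | awk -F= 'NF == 2 { print $1, $2 }'
}

# check_drift CONF LIVE: for each key configured in CONF, print
# "key wanted actual" when the value in LIVE differs or is absent.
# Prints nothing when every configured value is in effect.
check_drift() {
    conf_pairs "$1" | while read -r key wanted; do
        actual=$(printf '%s\n' "$2" \
            | sed 's/[[:space:]]//g' \
            | awk -F= -v k="$key" '$1 == k { print $2 }')
        if [ "$actual" != "$wanted" ]; then
            printf '%s %s %s\n' "$key" "$wanted" "${actual:-MISSING}"
        fi
    done
}

# Stand-alone run against the constructed samples: reports the two
# conntrack keys that the restart reset, and nothing else.
check_drift "$WANTED_CONF" "$LIVE_AFTER_RESTART"
```

On a live CentOS 5 host the same function runs as check_drift "$(cat /etc/sysctl.conf)" "$(sysctl -a 2>/dev/null)" immediately after the iptables restart; every line it prints is a setting the restart discarded. Until the fixed package and its configuration change are in place, sysctl -p reapplies /etc/sysctl.conf and clears the drift.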

Tags: No tags attached.

Attached Files

Relationships

Notes
(0012742)
moylo (reporter)
2011-05-17 11:58

iptables-ipv6-1.3.5-5.3.el5_4.1
iptables-1.3.5-5.3.el5_4.1

Linux xxxxxx 2.6.18-238.9.1.el5.centos.plus #1 SMP Tue Apr 12 20:34:33 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
(0015950)
ahmahmahm (reporter)
2012-10-17 13:48

Here's the upstream bug report: https://bugzilla.redhat.com/show_bug.cgi?id=552522

There's an iptables fix for it (iptables-1.3.5-9.1.el5), which requires a config change to be active.
(0017859)
tigalch (developer)
2013-08-25 17:23

Reported as SOLVED upstream with errata http://rhn.redhat.com/errata/RHBA-2012-0255.html

Issue History
Date Modified Username Field Change
2011-05-17 11:41 moylo New Issue
2011-05-17 11:58 moylo Note Added: 0012742
2012-10-17 13:48 ahmahmahm Note Added: 0015950
2013-08-25 17:23 tigalch Note Added: 0017859
2013-08-25 17:23 tigalch Status new => resolved
2013-08-25 17:23 tigalch Fixed in Version => 5.8
2013-08-25 17:23 tigalch Resolution open => fixed

