
I understand what nf_conntrack_max is, but what does nf_conntrack_expect_max actually do? I haven't been able to find an explanation on this anywhere.

KelchM

1 Answer


Reference: conntrack man page

The connection tracking system maintains two different tables, one for tracking connections that are active, the other for tracking connections that are *expected* to be active. An example of an expected connection would be an FTP connection, which uses both a control connection and a data connection. When the control connection is opened, the data connection is expected to be opened.

In a single table solution, a denial-of-service could be triggered by filling the table with expectations, starving out legitimate, active connections. The separate table helps to prevent that.

In the two-table setup, nf_conntrack_expect_max is the max number of entries for the expectations table, and its function is identical to that of nf_conntrack_max for the conntrack table.

hrunting

  • How can I go about determining an ideal value for nf_conntrack_expect_max? – KelchM Feb 27 '13 at 18:33
  • Are you doing a lot of traffic that creates entries in the expectations table? If not, you don't even need to worry about it. If so, see how many entries typically get created, and then allow for a reasonable buffer above that. – hrunting Feb 28 '13 at 03:58
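The sizing advice in the comments above (count the expectations the host actually creates, then add a buffer) can be turned into a small check. The script below is an added example, not code from the question, the answer, or the conntrack project. It assumes the kernel exposes the expectation table as one entry per line in /proc/net/nf_conntrack_expect and the current limit via the net.netfilter.nf_conntrack_expect_max sysctl; where the table file is absent (e.g. a host without nf_conntrack loaded) it falls back to a constructed three-line sample so the script still runs.

```shell
#!/bin/sh
# Added example: size nf_conntrack_expect_max from the observed number of
# expectation entries plus headroom. Assumptions: /proc/net/nf_conntrack_expect
# lists one expectation per line; the sysctl name is the one discussed above.

# Count non-blank lines in an expectation-table dump. Takes the path as an
# argument so a constructed sample file can be used in place of the live table.
# A missing or unreadable file counts as zero expectations.
count_expectations() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '[^[:space:]]' "$1" || true   # grep -c exits 1 on zero matches; still prints 0
}

# Suggest a limit: observed peak plus headroom_pct percent, rounded up, and
# never lower than the current setting so a quiet snapshot does not shrink it.
suggest_expect_max() {
    peak=$1
    headroom_pct=$2
    current=$3
    suggested=$(( (peak * (100 + headroom_pct) + 99) / 100 ))
    if [ "$suggested" -lt "$current" ]; then
        suggested=$current
    fi
    echo "$suggested"
}

# Demonstration: use the live table when present, otherwise a constructed sample.
EXPECT_TABLE=/proc/net/nf_conntrack_expect
if [ -r "$EXPECT_TABLE" ]; then
    current=$(sysctl -n net.netfilter.nf_conntrack_expect_max 2>/dev/null \
        || cat /proc/sys/net/netfilter/nf_conntrack_expect_max 2>/dev/null \
        || echo 0)
else
    EXPECT_TABLE=$(mktemp)
    # Constructed sample: three placeholder lines standing in for table entries.
    printf '%s\n' 'sample expectation 1' 'sample expectation 2' 'sample expectation 3' > "$EXPECT_TABLE"
    current=1024   # placeholder standing in for the sysctl value on a real host
fi

peak=$(count_expectations "$EXPECT_TABLE")
printf 'expectations now: %s  current max: %s  suggested max (50%% headroom): %s\n' \
    "$peak" "$current" "$(suggest_expect_max "$peak" 50 "$current")"
```

A single snapshot only shows the table at one instant; run the count from cron (or a metrics agent) across a busy period and feed the highest value observed into suggest_expect_max, since the limit has to cover the peak rather than the average. Keeping the result no lower than the current sysctl value also avoids accidentally tightening the limit on a host where the table is merely idle at the moment of sampling.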