On Thursday 13 January 2005 18:20, Deron Meranda wrote:
> Hmm. I now think that your dst cache overflows are related to routing
> tables and not connection tracking.

Okay. Is there anything that I could flush regularly or should watch out for in order to prevent overflow?
Do you know any good site where there could be more information about the dst cache and how to control it?

> In particular, what's,
>    # cat /proc/sys/net/ipv4/route/max_size
>    # grep dst_cache /proc/slabinfo

# cat /proc/sys/net/ipv4/route/max_size
16384
# grep dst_cache /proc/slabinfo
ip6_dst_cache 13 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0
xfrm_dst_cache 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0
ip_dst_cache 2160 2910 256 15 1 : tunables 120 60 0 : slabdata 194 194 0

> Also, are you using IPv6 as well as IPv4?

IPv6 modules are loaded but I'm only using IPv4.

> What's your routing situation, do you have lots of dynamic routes, or other
> complex setups? What about dynamic interfaces (e.g., PPP) that are
> always being brought up and down?

Dynamic routing is not used but there are 25 static routes.
I have one additional table for simple policy routing which I set up as follows:

#ip rule add from 172.27.151.138 to 10.100.130.182 table kimmo
#ip route add default via 10.31.175.29 dev eth5 table kimmo
#ip route flush cache

PPP or other types of dynamic interfaces are not used.
Firewall has six interfaces, four of them are used.

> Also try,
>
>    # ip route list table all
>

Here is the output, I have replaced my IP addresses with fake ones:

<output>
# ip route list table all
default via 10.31.175.29 dev eth0 table kimmo
10.31.175.28/30 dev eth0 proto kernel scope link src 10.31.175.30
172.27.151.152/29 via 10.9.10.10 dev eth3
172.27.151.128/29 dev eth1 proto kernel scope link src 172.27.151.129
172.27.151.136/29 dev eth2 proto kernel scope link src 172.27.151.137
172.27.151.192/28 via 10.9.10.10 dev eth3
172.27.151.176/28 via 10.9.10.10 dev eth3
172.27.151.160/28 via 10.9.10.10 dev eth3
172.27.151.0/25 via 10.9.10.10 dev eth3
172.27.152.0/25 via 10.9.10.10 dev eth3
192.168.100.0/24 via 172.27.151.138 dev eth2
192.168.7.0/24 via 10.9.10.10 dev eth3
192.168.101.0/24 via 172.27.151.139 dev eth2
192.168.3.0/24 via 10.9.10.10 dev eth3
192.0.8.0/24 via 10.9.10.10 dev eth3
10.9.10.0/24 dev eth3 proto kernel scope link src 10.9.10.9
192.0.9.0/24 via 10.9.10.10 dev eth3
192.168.17.0/24 via 10.9.10.10 dev eth3
192.168.15.0/24 via 10.9.10.10 dev eth3
192.168.13.0/24 via 10.9.10.10 dev eth3
192.0.6.0/24 via 10.9.10.10 dev eth3
172.22.12.0/24 via 10.9.10.10 dev eth3
172.22.11.0/24 via 10.9.10.10 dev eth3
192.168.10.0/24 via 10.9.10.10 dev eth3
192.0.1.0/24 via 10.9.10.10 dev eth3
10.10.10.0/23 via 10.9.10.10 dev eth3
169.254.0.0/16 dev eth3 scope link
default via 10.31.175.29 dev eth0
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.27.151.128 dev eth1 table local proto kernel scope link src 172.27.151.129
local 172.27.151.129 dev eth1 table local proto kernel scope host src 172.27.151.129
broadcast 10.9.10.0 dev eth3 table local proto kernel scope link src 10.9.10.9
broadcast 172.27.151.135 dev eth1 table local proto kernel scope link src 172.27.151.129
broadcast 10.31.175.28 dev eth0 table local proto kernel scope link src 10.31.175.30
broadcast 10.31.175.31 dev eth0 table local proto kernel scope link src 10.31.175.30
local 10.31.175.30 dev eth0 table local proto kernel scope host src 10.31.175.30
broadcast 172.27.151.136 dev eth2 table local proto kernel scope link src 172.27.151.137
local 172.27.151.137 dev eth2 table local proto kernel scope host src 172.27.151.137
local 10.9.10.9 dev eth3 table local proto kernel scope host src 10.9.10.9
broadcast 10.9.10.255 dev eth3 table local proto kernel scope link src 10.9.10.9
broadcast 172.27.151.143 dev eth2 table local proto kernel scope link src 172.27.151.137
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local ::1 via :: dev lo proto none metric 0 mtu 16436 advmss 16376 metric10 64
local fe80::204:23ff:feab:140c via :: dev lo proto none metric 0 mtu 16436 advmss 16376 metric10 64
local fe80::204:23ff:feab:140d via :: dev lo proto none metric 0 mtu 16436 advmss 16376 metric10 64
local fe80::204:23ff:feab:140e via :: dev lo proto none metric 0 mtu 16436 advmss 16376 metric10 64
local fe80::211:43ff:fecd:249c via :: dev lo proto none metric 0 mtu 16436 advmss 16376 metric10 64
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 metric10 64
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440 metric10 64
fe80::/64 dev eth2 metric 256 mtu 1500 advmss 1440 metric10 64
fe80::/64 dev eth3 metric 256 mtu 1500 advmss 1440 metric10 64
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 metric10 1
ff00::/8 dev eth1 metric 256 mtu 1500 advmss 1440 metric10 1
ff00::/8 dev eth2 metric 256 mtu 1500 advmss 1440 metric10 1
ff00::/8 dev eth3 metric 256 mtu 1500 advmss 1440 metric10 1
unreachable default dev lo proto none metric -1 error -101 metric10 255
</output>

> And, have you since updated your kernel to 2.6.9-1.724_FC3, and are you
> still experiencing the overflow?

I have updated to the kernel-2.6.10-1.737_FC3 but not yet rebooted with it.
I have a script that tracks down dst cache overflow errors and reboots if errors are found, after next reboot I have 2.6.10.
Last error was two days ago, so it might take a week or two to reboot :)

Regards
Kimmo Koivisto
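
Added example, not part of the original message or of any script mentioned in it: a check that compares the `ip_dst_cache` active-object count from `/proc/slabinfo` with `route/max_size`, using the figures quoted above as constructed sample input. The function names, the 80% threshold, and the assumption that active slab objects approximate the number of cached routes are illustrative.

```shell
#!/bin/sh
# Added example: early-warning check for IPv4 route (dst) cache pressure.
# Assumption: ip_dst_cache active_objs approximates the number of cached routes.

# dst_cache_active SLABINFO_FILE -> prints active_objs of the ip_dst_cache slab.
# Exact match on column 1, so ip6_dst_cache and xfrm_dst_cache are not counted.
dst_cache_active() {
    # slabinfo columns: name active_objs num_objs objsize objperslab pagesperslab ...
    awk '$1 == "ip_dst_cache" { print $2; found = 1 } END { exit !found }' "$1"
}

# dst_cache_pct SLABINFO_FILE MAX_SIZE_FILE -> integer percent of max_size in use.
dst_cache_pct() {
    active=$(dst_cache_active "$1") || return 2
    max=$(cat "$2") || return 2
    # Reject an empty, non-numeric or zero limit instead of dividing by it.
    case "$max" in ''|*[!0-9]*|0) return 2 ;; esac
    echo $(( active * 100 / max ))
}

# dst_cache_status SLABINFO_FILE MAX_SIZE_FILE WARN_PCT -> "OK n%", "WARN n%" or "UNKNOWN".
dst_cache_status() {
    pct=$(dst_cache_pct "$1" "$2") || { echo UNKNOWN; return 0; }
    if [ "$pct" -ge "$3" ]; then echo "WARN ${pct}%"; else echo "OK ${pct}%"; fi
}

# Constructed sample input, built from the values quoted in the message above.
sample_dir=$(mktemp -d)
cat > "$sample_dir/slabinfo" <<'EOF'
ip6_dst_cache 13 15 256 15 1 : tunables 120 60 0 : slabdata 1 1 0
xfrm_dst_cache 0 0 256 15 1 : tunables 120 60 0 : slabdata 0 0 0
ip_dst_cache 2160 2910 256 15 1 : tunables 120 60 0 : slabdata 194 194 0
EOF
echo 16384 > "$sample_dir/max_size"

dst_cache_status "$sample_dir/slabinfo" "$sample_dir/max_size" 80

# On a live system (hypothetical cron usage):
# dst_cache_status /proc/slabinfo /proc/sys/net/ipv4/route/max_size 80
```

Run periodically, a check like this reports growth toward the limit before the kernel starts logging overflow errors, which gives a trend to investigate rather than only a reboot trigger.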