[OpenAFS] OpenAFS, NAT, IPtables
Ron Croonenberg
ronc@depauw.edu
Sat, 29 Sep 2007 10:18:50 -0400
Hi Jeffrey, thanks.
It's a linux cluster, so all the nat-ed clients are Linux machines.
(The head of the cluster is the one that does the nat-ing)
So I guess I am fine with those values.
thanks,
Ron
Jeffrey Altman wrote:
> Ron Croonenberg wrote:
>> I found, after digging around for a good while, that changing these keys:
>>
>> net.ipv4.netfilter.ip_conntrack_udp_timeout=480
>> net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=900
>>
>> seems to work on FC6 (2.6.22.4-45.fc6).
>>
>> But: Do I need both of them? And what is the best "minimal" value for
>> those keys?
>>
>> tia,
>>
>> Ron
>
> You need both of them. They specify different things.
>
> The first is how long the firewall will permit inbound packets to be
> delivered after the last outbound packet between a given set of endpoints.
>
> The second is how long an idle port mapping will be maintained before it
> can be reused by a new client. Those values are fine. However, OpenAFS
> windows clients older than 1.5.17 probed up servers once every ten
> minutes and therefore a net.ipv4.netfilter.ip_conntrack_udp_timeout
> value of 780 will make your file servers much happier.
>
> You cannot set these values by port as you cannot guarantee what port
> numbers will be used by the client. The client will default to 7001 but
> for example, a client run in a VM behind a NAT will appear on a
> different port.
>
> Jeffrey Altman
--
=================================================================
Ron Croonenberg                  | Phone:  1 765 658 4761
Lab Instructor &                 | Fax:    1 765 658 4732
Technology Coordinator           |
Department of Computer Science   | e-mail: ronc@DePauw.edu
DePauw University                |
275 Julian Science & Math Center |
602 South College Ave.           |
Greencastle, IN 46135            |
=================================================================
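The two sysctl keys discussed in the thread are easy to get wrong on a NAT head node, so the script below is an added example (not code from the thread or from OpenAFS) that checks both values against the minimums Jeffrey gives: 480 s for `ip_conntrack_udp_timeout` (780 s if Windows clients older than 1.5.17 are behind the NAT) and 900 s for `ip_conntrack_udp_timeout_stream`. It reads key=value text in `sysctl -a` or `/etc/sysctl.conf` form from stdin rather than touching `/proc` directly, so it runs offline on the constructed sample inputs embedded in it; the key names are the `ip_conntrack`-era ones from the thread (FC6, kernel 2.6.22), which is an assumption about the target host.

```shell
#!/bin/sh
# Added example, not part of the original thread. Checks whether the two
# netfilter UDP timeouts discussed above are at least the values recommended
# there. Input is key=value text (format of `sysctl -a` or /etc/sysctl.conf)
# read from stdin, so it can be run offline against a sample.
# Assumes the ip_conntrack-era key names from the thread (FC6, 2.6.22).

# Thresholds taken from the thread (seconds).
MIN_UDP_TIMEOUT=480          # enough for the NAT-ed Linux clients described
MIN_UDP_TIMEOUT_OLD_WIN=780  # for Windows clients older than 1.5.17
MIN_UDP_STREAM=900           # how long an idle port mapping is kept

# get_sysctl_value KEY: print the numeric value of KEY from stdin (exact key
# match, so the _stream key is never confused with the plain one), or nothing.
get_sysctl_value() {
    awk -v k="$1" -F'=' '{
        key = $1; gsub(/[ \t]/, "", key)
        if (key == k) { val = $2; gsub(/[ \t]/, "", val); print val; exit }
    }'
}

# check_conntrack_timeouts [old_windows]: read sysctl text from stdin, print
# one verdict line per key, return 0 only when both timeouts are sufficient.
check_conntrack_timeouts() {
    input=$(cat)
    need_udp=$MIN_UDP_TIMEOUT
    [ "${1:-}" = "old_windows" ] && need_udp=$MIN_UDP_TIMEOUT_OLD_WIN
    rc=0

    udp=$(printf '%s\n' "$input" | get_sysctl_value net.ipv4.netfilter.ip_conntrack_udp_timeout)
    if [ -z "$udp" ] || [ "$udp" -lt "$need_udp" ]; then
        echo "ip_conntrack_udp_timeout=${udp:-missing} (need >= $need_udp)"
        rc=1
    else
        echo "ip_conntrack_udp_timeout=$udp OK"
    fi

    stream=$(printf '%s\n' "$input" | get_sysctl_value net.ipv4.netfilter.ip_conntrack_udp_timeout_stream)
    if [ -z "$stream" ] || [ "$stream" -lt "$MIN_UDP_STREAM" ]; then
        echo "ip_conntrack_udp_timeout_stream=${stream:-missing} (need >= $MIN_UDP_STREAM)"
        rc=1
    else
        echo "ip_conntrack_udp_timeout_stream=$stream OK"
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real host): one with short
# timeouts in `sysctl -a` spacing, one with the thread's values in
# sysctl.conf spacing, to show both formats are parsed.
SAMPLE_DEFAULT='net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180'
SAMPLE_TUNED='net.ipv4.netfilter.ip_conntrack_udp_timeout=480
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=900'

# Usage: sh check_conntrack.sh --demo
#        sysctl -a 2>/dev/null | sh check_conntrack.sh --check [old_windows]
case "${1:-}" in
    --demo)
        echo "== untuned sample =="
        printf '%s\n' "$SAMPLE_DEFAULT" | check_conntrack_timeouts \
            || echo "-> timeouts too short for NAT-ed AFS clients"
        echo "== tuned sample =="
        printf '%s\n' "$SAMPLE_TUNED" | check_conntrack_timeouts || true
        ;;
    --check)
        shift
        check_conntrack_timeouts "${1:-}"
        ;;
esac
```

Run it with `--demo` to see both samples judged, or pipe the real `sysctl -a` output through `--check` on the NAT box; pass `old_windows` as the extra argument to apply the 780 s threshold. A non-zero exit makes it usable from a cron job or a config-management check.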