From: Johannes Erwerle <jo@swagspace.org>
To: netfilter@vger.kernel.org
Subject: iptables 1.4.16.3 on a Zyxel Router: NOTRACK / CT --notrack not available
Date: Sun, 16 Apr 2023 12:23:14 +0200
Message-ID: <f4d3374f-41e7-771a-1655-ef4c2b16347c@swagspace.org>

Hello!

I have a Zyxel NR7101 5G router. This device has to handle a lot of 
sessions and we had events in the past where the conntrack table was 
full, leading to dropping new sessions.
Another issue is that the device can only handle ~250 new sessions per 
second. (At 250 sessions/s one CPU core is completely utilized and it 
starts sending pause frames.)

Since we don't need any firewalling for the traffic that is only routed 
through the device, I wanted to disable connection tracking for some 
connections to reduce the size of the conntrack table and hopefully 
increase the number of new sessions that the device can handle.
However, neither the NOTRACK target nor the --notrack option for the CT 
target is available.

Here is some information regarding the OS/kernel/iptables version:

root@NR7101:~# uname -a
Linux NR7101 3.10.14 #1 SMP Tue Nov 29 09:49:05 CST 2022 mips GNU/Linux
root@NR7101:~# iptables -V
iptables v1.4.16.3

When I am trying to add rules to disable tracking I get the following 
errors:

root@NR7101:/# iptables -t raw -A PREROUTING -d 1.2.3.4 -j CT --notrack
iptables v1.4.16.3: unknown option "--notrack"
Try `iptables -h' or 'iptables --help' for more information.
root@NR7101:/# iptables -t raw -A PREROUTING -d 1.2.3.4 -j NOTRACK
iptables v1.4.16.3: Couldn't find target `NOTRACK'

Try `iptables -h' or 'iptables --help' for more information.

Since this is a small embedded device, man pages and other nice things 
one would expect from a modern Linux distribution are usually not available.

From what I found while digging through the change logs, at least one 
of the notrack options was available in iptables 1.4.16.3. However, the 
device does not know them. Might this be a compile-time option and the 
feature was simply left out by the manufacturer? Or do I have to load a 
kernel module explicitly? Is there any way to get this working?

One workaround for the first issue would be to increase the conntrack 
table and hashsize; there is some RAM available, but it is not limitless.

Greetings and thank you very much
Jo
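The two things the post is asking about, how close the conntrack table is to being full and whether the kernel actually ships the xt_CT / xt_NOTRACK module that the CT and NOTRACK targets need, can both be checked from the shell on the box itself. The script below is an added example written for this archive page; it is not from the original post or from Zyxel. It reads the real procfs counters (/proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max) and looks for the module files under the standard /lib/modules/<version>/kernel/net/netfilter/ path. The optional root-directory argument and the constructed sample tree built by make_sample_root are assumptions made so the example runs offline; on a real device call the functions with an empty root and `uname -r` as the kernel version.

```shell
#!/bin/sh
# Added example (not from the original post): conntrack capacity check and
# a probe for the xt_CT / xt_NOTRACK kernel module.

# Percentage of the conntrack table in use, given count and max.
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Read the live counters from procfs under an optional root (empty = real /).
conntrack_usage_from_root() {
    root=${1:-}
    count=$(cat "$root/proc/sys/net/netfilter/nf_conntrack_count" 2>/dev/null) || return 1
    max=$(cat "$root/proc/sys/net/netfilter/nf_conntrack_max" 2>/dev/null) || return 1
    conntrack_usage_pct "$count" "$max"
}

# Does the module tree for kernel $2 under root $1 ship xt_CT or xt_NOTRACK?
# Prints the module name found and returns 0; returns 1 if neither exists.
ct_target_available() {
    root=${1:-}; kver=$2
    for m in xt_CT xt_NOTRACK; do
        if [ -e "$root/lib/modules/$kver/kernel/net/netfilter/$m.ko" ]; then
            echo "$m"; return 0
        fi
    done
    # A kernel built with CONFIG_NETFILTER_XT_TARGET_CT=y lists it as built-in.
    if [ -r "$root/lib/modules/$kver/modules.builtin" ] \
       && grep -q 'xt_CT\.ko' "$root/lib/modules/$kver/modules.builtin"; then
        echo "xt_CT (builtin)"; return 0
    fi
    return 1
}

# Constructed sample tree (an assumption for offline use): a nearly full
# conntrack table and a module directory with no CT target at all, which is
# the situation the post describes.
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/proc/sys/net/netfilter" \
             "$dir/lib/modules/3.10.14/kernel/net/netfilter"
    echo 65000 > "$dir/proc/sys/net/netfilter/nf_conntrack_count"
    echo 65536 > "$dir/proc/sys/net/netfilter/nf_conntrack_max"
    echo "$dir"
}

# Stand-alone demo on the constructed tree.
demo_root=$(make_sample_root)
echo "conntrack table usage: $(conntrack_usage_from_root "$demo_root")%"
if mod=$(ct_target_available "$demo_root" 3.10.14); then
    echo "CT target module present: $mod"
else
    echo "no xt_CT / xt_NOTRACK module for kernel 3.10.14 under $demo_root"
fi
rm -rf "$demo_root"
```

On a real host, `conntrack_usage_from_root ""` and `ct_target_available "" "$(uname -r)"` give the live answers; a usage figure near 100% explains dropped sessions, and a missing module means no iptables rule can enable the target, regardless of which userspace version is installed.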

Thread overview:
2023-04-16 10:23 Johannes Erwerle [this message]
2023-04-16 17:51 ` iptables 1.4.16.3 on a Zyxel Router: NOTRACK / CT --notrack not available Bastian Bittorf
