Argh, my beloved Linux IPv6 firewall was suffering: too many connections, Munin graphs not updating; this needed looking at…

Firstly I noticed multiple entries of the following in kern.log:

    nf_conntrack: table full, dropping packet

After checking the existing table size:

    # /sbin/sysctl net.netfilter.nf_conntrack_count
    net.netfilter.nf_conntrack_count = 76768

…it seemed sensible to double it:

    # cat /proc/sys/net/nf_conntrack_max

Munin IPv6 neighbor state graphs

A recent issue with a Linux IPv6 firewall saw on-link hosts appear to be flapping according to monitoring tools, highlighting an IPv6 ND (neighbor discovery) table overflow problem. The short version of the solution required:

    net.ipv6.neigh.default.gc_thresh1 = 256
    net.ipv6.neigh.default.gc_thresh2 = 1024
    net.ipv6.neigh.default.gc_thresh3 = 2048

To keep an eye on the neighbor table I created a series
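The following is an added example, not the post author's Munin plugin, showing the kind of check a neighbor-table graph is built on: it counts IPv6 neighbor cache entries per NUD state from the output of `ip -6 neigh show` and compares the total with the gc_thresh2 (soft limit) and gc_thresh3 (hard limit) values quoted above. The neighbor listing embedded below is constructed sample data so the script runs offline; on a live firewall the same functions would be fed `ip -6 neigh show` directly. The function names and the OK/WARN/CRIT convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): per-state counts of the IPv6
# neighbor cache and a threshold check against gc_thresh2/gc_thresh3.

# Constructed sample of `ip -6 neigh show` output; the NUD state is always
# the last field, and FAILED/INCOMPLETE entries carry no lladdr.
SAMPLE_NEIGH='fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8::10 dev eth0 lladdr 00:11:22:33:44:66 STALE
2001:db8::11 dev eth0  FAILED
2001:db8::12 dev eth0 lladdr 00:11:22:33:44:77 DELAY
2001:db8::13 dev eth0 lladdr 00:11:22:33:44:88 STALE'

# Read neighbor lines on stdin, print "STATE count" per state plus "TOTAL n".
# A rising FAILED/STALE share alongside a TOTAL near gc_thresh3 is the
# signature of the overflow described above.
neigh_state_counts() {
    awk '
        NF > 0 { counts[$NF]++; total++ }
        END {
            for (s in counts) print s, counts[s]
            print "TOTAL", total + 0
        }
    ' | sort
}

# Arguments: total gc_thresh2 gc_thresh3.
# Prints a status line; returns 0 (OK), 1 (WARN, past the soft limit)
# or 2 (CRIT, at or past the hard limit where new entries are refused).
neigh_threshold_status() {
    total=$1; thresh2=$2; thresh3=$3
    if [ "$total" -ge "$thresh3" ]; then
        echo "CRIT: $total entries >= gc_thresh3=$thresh3"; return 2
    elif [ "$total" -ge "$thresh2" ]; then
        echo "WARN: $total entries >= gc_thresh2=$thresh2"; return 1
    fi
    echo "OK: $total entries (gc_thresh2=$thresh2, gc_thresh3=$thresh3)"
    return 0
}

# Stand-alone demonstration on the constructed sample with the post's values.
printf '%s\n' "$SAMPLE_NEIGH" | neigh_state_counts
total=$(printf '%s\n' "$SAMPLE_NEIGH" | neigh_state_counts | awk '$1 == "TOTAL" { print $2 }')
neigh_threshold_status "$total" 1024 2048 || :
```

Replacing the sample with `ip -6 neigh show | neigh_state_counts` and reading the live limits from `/proc/sys/net/ipv6/neigh/default/gc_thresh2` and `gc_thresh3` turns this into a cron or Munin-style check; the per-state lines are what a graph would plot.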