Aug 7 12:16:17 kernel: nf_conntrack: table full, dropping packet.
What is nf_conntrack?
The Linux Netfilter system (commonly known as the iptables firewall) includes a facility to track connections provided by the nf_conntrack kernel module. The state of a connection is tracked to allow an efficient traversal through the Netfilter firewall tables, as well as to provide the ability to filter based on detailed state of a connection.
What is ip_conntrack?
ip_conntrack is the older name of the same connection-tracking module (used by earlier 2.6 kernels); nf_conntrack replaced it, and some sysctl keys still carry the old name. The state of a connection is tracked to allow an efficient traversal through the Netfilter firewall tables, as well as to provide the ability to filter based on the detailed state of a connection.
Reason?
Heavy traffic: a DoS/DDoS flood, an unexpected spike in legitimate traffic, or simply a busy host left at the kernel default limit without any tuning.
# Check current count value
sysctl net.netfilter.nf_conntrack_count
# Max supported value
sysctl net.netfilter.nf_conntrack_max
# Netstat count per TCP state (skip the two header lines netstat prints)
netstat -tn | awk 'NR > 2 { n[$6]++ } END { for (k in n) { print k, n[k]; } }'
# conntrack timeout values
sysctl -a | grep conntrack | grep timeout
# Increase the conntrack limit (no spaces around "=" when using sysctl -w)
/sbin/sysctl -w net.netfilter.nf_conntrack_max=196608
# Permanent change (older kernels expose this key as net.ipv4.netfilter.ip_conntrack_max)
echo "net.netfilter.nf_conntrack_max = 196608" >> /etc/sysctl.conf
# Heavy traffic tuning
echo "120" > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
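The commands above give the raw numbers; what an operator usually wants is the table pressure as a percentage and a breakdown of which TCP states are filling it, since a table dominated by TIME_WAIT or SYN_SENT entries points at a different fix (shorter timeouts versus a SYN flood) than one full of ESTABLISHED flows. The script below is an added example, not part of the original post: it reads the live counters from /proc when they are present and otherwise falls back to a constructed sample of /proc/net/nf_conntrack lines, so it also runs on a host without nf_conntrack loaded. The warn/critical thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report conntrack table
# pressure and the per-state breakdown of tracked TCP flows.

# Constructed sample of /proc/net/nf_conntrack lines (fields: l3proto l3num
# l4proto l4num timeout [state] src=... dst=... ...). Values are made up.
SAMPLE_TABLE='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=51234 dport=443 [ASSURED] use=1
ipv4     2 tcp      6 118 TIME_WAIT src=10.0.0.5 dst=10.0.0.9 sport=51235 dport=443 [ASSURED] use=1
ipv4     2 tcp      6 119 TIME_WAIT src=10.0.0.6 dst=10.0.0.9 sport=40001 dport=80 [ASSURED] use=1
ipv4     2 tcp      6 117 TIME_WAIT src=10.0.0.7 dst=10.0.0.9 sport=40002 dport=80 [ASSURED] use=1
ipv4     2 tcp      6 29 SYN_SENT src=10.0.0.8 dst=10.0.0.9 sport=40003 dport=80 [UNREPLIED] use=1
ipv4     2 udp     17 28 src=10.0.0.5 dst=10.0.0.53 sport=5353 dport=53 [UNREPLIED] use=1'

# usage_pct COUNT MAX -> integer percentage of the table in use (0 if MAX is unusable)
usage_pct() {
    count=$1; max=$2
    if [ "${max:-0}" -gt 0 ] 2>/dev/null; then
        echo $(( count * 100 / max ))
    else
        echo 0
    fi
}

# pressure_level PCT -> ok / warn / critical (thresholds are assumptions)
pressure_level() {
    pct=$1
    if [ "$pct" -ge 90 ]; then echo critical
    elif [ "$pct" -ge 70 ]; then echo warn
    else echo ok
    fi
}

# state_counts < table -> "STATE count" lines, highest count first.
# Only TCP entries carry a state column (field 6); others are reported as "none".
state_counts() {
    awk '{ s = ($3 == "tcp") ? $6 : "none"; n[s]++ }
         END { for (k in n) print k, n[k] }' | sort -k2,2nr
}

# report: live values when readable (root on a host with nf_conntrack),
# otherwise the constructed sample so the script always produces output.
report() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
        max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
        table=$(cat /proc/net/nf_conntrack 2>/dev/null)
    else
        count=12742; max=65536; table=$SAMPLE_TABLE
    fi
    pct=$(usage_pct "$count" "$max")
    echo "conntrack: $count / $max entries ($pct%, $(pressure_level "$pct"))"
    printf '%s\n' "$table" | state_counts
}

report
```

Running it with the sample data prints 12742 / 65536 entries (19%, ok) followed by the state table, with TIME_WAIT on top; a real host showing the same shape at 90%+ is the case where lowering nf_conntrack_tcp_timeout_time_wait buys the most.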
How to check the maximum nf_conntrack value assigned:
# /sbin/sysctl -a | grep -i nf_conntrack_max
net.netfilter.nf_conntrack_max = 65536
net.nf_conntrack_max = 65536
How to check the current nf_conntrack count:
linux:~# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 12742
Related modules:
/sbin/lsmod | grep -iE 'ip_tables|conntrack'
nf_conntrack_ipv4 10346 3 iptable_nat,nf_nat
nf_conntrack 60975 4 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4 1073 1 nf_conntrack_ipv4
ip_tables 9899 2 iptable_nat,iptable_filter
x_tables 14175 3 ipt_MASQUERADE,iptable_nat,ip_tables
Remove nf_conntrack if no NAT is required (unload the dependants first, in this order):
/sbin/rmmod iptable_nat
/sbin/rmmod ipt_MASQUERADE
/sbin/rmmod nf_nat
/sbin/rmmod nf_conntrack_ipv4
/sbin/rmmod nf_conntrack
/sbin/rmmod nf_defrag_ipv4
Beware that the modules are auto-loaded again as soon as anything touches the NAT table, even a plain listing such as:
iptables -t nat -L -n
How to increase the value of nf_conntrack_max:
# sysctl -w net.netfilter.nf_conntrack_max=131072
This must not be altered unless you are 100% sure of what you are doing. And that alone is not enough: nf_conntrack_max is directly related to the size of the conntrack hash table.
# Before increasing anything, I would suggest decreasing these values (so stale entries expire sooner):
echo "86400" > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
echo "90" > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
This has to be followed by increasing the size of the nf_conntrack hash table to nf_conntrack_max/4:
echo "<nf_conntrack_max/4>" > /sys/module/nf_conntrack/parameters/hashsize
So in this case (131072 / 4):
# echo "32768" > /sys/module/nf_conntrack/parameters/hashsize
NOTE: This is critical and should not be altered if you do not know what you are doing, or if you are not familiar with iptables/conntrack/NAT.
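The steps above are easy to get wrong by hand: the sysctl -w syntax differs from the sysctl.conf syntax, the hash size has to be derived from the new maximum, appending to /etc/sysctl.conf twice leaves two conflicting lines, and hashsize is a module parameter rather than a sysctl, so it does not persist through sysctl.conf at all. The script below is an added example, not part of the original post: it derives hashsize as nf_conntrack_max/4 exactly as the post does, updates a sysctl.conf-style file idempotently, and only touches the live kernel when APPLY=1 is set (which needs root). The /etc/modprobe.d/nf_conntrack.conf path used to persist hashsize is an assumption; any file under /etc/modprobe.d/ works.

```shell
#!/bin/sh
# Added example (not from the original post): plan and apply the
# nf_conntrack tuning described in the post, with idempotent persistence.

SYSCTL_CONF=${SYSCTL_CONF:-/etc/sysctl.conf}                 # assumed path
MODPROBE_CONF=${MODPROBE_CONF:-/etc/modprobe.d/nf_conntrack.conf}   # assumed path

# hashsize_for MAX -> hash table size using the max/4 ratio from the post
hashsize_for() {
    echo $(( $1 / 4 ))
}

# is_uint VALUE -> success if VALUE is a positive integer
is_uint() {
    case $1 in ''|*[!0-9]*|0) return 1 ;; *) return 0 ;; esac
}

# set_conf FILE KEY VALUE: add or replace "KEY = VALUE" in a sysctl.conf-style
# file, so repeated runs never leave duplicate, conflicting lines behind.
set_conf() {
    file=$1; key=$2; value=$3
    [ -e "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        tmp="$file.tmp.$$"
        awk -v k="$key" -v v="$value" '
            $0 ~ ("^[[:space:]]*" k "[[:space:]]*=") { print k " = " v; next }
            { print }' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        echo "$key = $value" >> "$file"
    fi
}

# plan_tuning MAX: print the settings that would be applied, one per line
plan_tuning() {
    max=$1
    is_uint "$max" || { echo "nf_conntrack_max must be a positive integer" >&2; return 1; }
    hs=$(hashsize_for "$max")
    cat <<EOF
net.netfilter.nf_conntrack_tcp_timeout_established=86400
net.netfilter.nf_conntrack_tcp_timeout_time_wait=90
net.netfilter.nf_conntrack_max=$max
hashsize=$hs
EOF
}

# apply_tuning MAX: same settings, applied live and persisted (root only).
# Order matters: shorten timeouts first so stale entries expire, then raise
# the limit, then size the hash table so lookup chains stay short.
apply_tuning() {
    max=$1
    is_uint "$max" || { echo "nf_conntrack_max must be a positive integer" >&2; return 1; }
    hs=$(hashsize_for "$max")
    sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=86400
    sysctl -w net.netfilter.nf_conntrack_tcp_timeout_time_wait=90
    sysctl -w net.netfilter.nf_conntrack_max="$max"
    echo "$hs" > /sys/module/nf_conntrack/parameters/hashsize
    set_conf "$SYSCTL_CONF" net.netfilter.nf_conntrack_tcp_timeout_established 86400
    set_conf "$SYSCTL_CONF" net.netfilter.nf_conntrack_tcp_timeout_time_wait 90
    set_conf "$SYSCTL_CONF" net.netfilter.nf_conntrack_max "$max"
    # hashsize is a module parameter, not a sysctl: persist it for the next module load
    echo "options nf_conntrack hashsize=$hs" > "$MODPROBE_CONF"
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_tuning "${1:-131072}"
else
    plan_tuning "${1:-131072}"
fi
```

Run without arguments it prints the plan for the post's example value (hashsize=32768 for 131072); `APPLY=1 ./tune.sh 131072` as root applies it. Re-running only rewrites the existing lines in sysctl.conf instead of appending new ones.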
Netfilter logger selection entries (one file per protocol family):
netfilter]# ls -al /proc/sys/net/netfilter/nf_log/
total 0
dr-xr-xr-x 0 root root 0 Jul 8 10:16 .
dr-xr-xr-x 0 root root 0 Jul 8 10:16 ..
-rw-r--r-- 1 root root 0 Jul 8 10:16 0
-rw-r--r-- 1 root root 0 Jul 8 10:16 1
-rw-r--r-- 1 root root 0 Jul 8 10:16 10
-rw-r--r-- 1 root root 0 Jul 8 10:16 11
-rw-r--r-- 1 root root 0 Jul 8 10:16 12
-rw-r--r-- 1 root root 0 Jul 8 10:16 2
-rw-r--r-- 1 root root 0 Jul 8 10:16 3
-rw-r--r-- 1 root root 0 Jul 8 10:16 4
-rw-r--r-- 1 root root 0 Jul 8 10:16 5
-rw-r--r-- 1 root root 0 Jul 8 10:16 6
-rw-r--r-- 1 root root 0 Jul 8 10:16 7
-rw-r--r-- 1 root root 0 Jul 8 10:16 8
-rw-r--r-- 1 root root 0 Jul 8 10:16 9
Other Internet material that I found useful during my research:
Resolving “nf_conntrack: table full, dropping packet.” flood message in dmesg Linux kernel log
http://backstage.soundcloud.com/2012/08/shoot-yourself-in-the-foot-with-iptables-and-kmod-auto-loading/