iptables conntrack overflow
Richard Wilson
r.wilson9 at cox.net
Thu Jan 12 22:29:22 MST 2006
I was wondering if anyone had seen this error message appear on console
or in logs:
kernel: ip_conntrack: table full, dropping packet.
This indicates the ip_conntrack module of the iptables firewall code has
run out of slots and is throwing stuff in the bit bucket. As
ip_conntrack is what determines if a packet is related to an existing
session, this is NOT a good message to see. For my system a reboot was
required to restore sane operations.
It was accompanied by a LOT of these messages, which may relate:
kernel: TCP: drop open request from ip.ad.dr.ess/port
kernel: NET: 45 messages suppressed.
So far I've found that the upper limit is set by:
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
(for kernel versions prior to 2.4.23 it's):
cat /proc/sys/net/ipv4/ip_conntrack_max
The limit on the system cranking out these messages is set at 65536,
which is a default for systems with 1GB or more of RAM. It can be
increased.
I also found a reference (at linuxquestions.org) to the following:
echo "21600" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
This command is supposed to change the timeout for a tracked connection
from the default of 5 days (!) to 6 hours. I am still trying to track
down relevant documentation to confirm that it works as desired.
Has anyone else messed with these? This server is a busy mail relay
that regularly gets hammered by spam -- I suspect that I should drop the
connection timeout value down. I am not sure if the "TCP:" and "NET:"
messages relate -- they occur without the ip_conntrack messages
appearing as well.
Thanks in advance,
--
Richard Wilson
r dot wilson (nine) at cox dot net
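An added example, not part of Richard's post: a small POSIX shell check of conntrack table utilization that reads the proc paths named above (the newer nf_conntrack paths are an assumed fallback) and warns before the table reaches the "table full, dropping packet" state; the threshold and the constructed test values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Warns when the conntrack table
# is close to full and reports the established-TCP timeout discussed above.

# Print the value in the first readable file; return 1 if none exists.
read_first() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            read -r val < "$f"
            printf '%s\n' "$val"
            return 0
        fi
    done
    return 1
}

# Integer percentage of the table in use: count * 100 / max.
conntrack_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Returns 0 below the threshold (default 80%, an assumed value), 1 at/above it.
# Arguments: count max [threshold]
conntrack_check() {
    pct=$(conntrack_pct "$1" "$2") || return 2
    threshold=${3:-80}
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARN: conntrack table at ${pct}% ($1/$2); packets will be dropped when full"
        return 1
    fi
    echo "OK: conntrack table at ${pct}% ($1/$2)"
    return 0
}

# Live check against /proc; silently does nothing where conntrack is absent.
live_check() {
    count=$(read_first /proc/sys/net/ipv4/netfilter/ip_conntrack_count \
                       /proc/sys/net/netfilter/nf_conntrack_count) || return 0
    max=$(read_first /proc/sys/net/ipv4/netfilter/ip_conntrack_max \
                     /proc/sys/net/netfilter/nf_conntrack_max) || return 0
    conntrack_check "$count" "$max"
    # Established-TCP timeout in seconds (the post's 5-day default is 432000).
    read_first /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established \
               /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established \
        | sed 's/^/tcp_timeout_established=/'
}
```

Run `live_check` from a cron job or a monitoring agent; the WARN line is the signal to raise ip_conntrack_max or lower the established timeout before drops begin.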