iptables conntrack overflow

Technomage technomage-hawke at cox.net
Fri Jan 13 09:08:17 MST 2006


On Thursday 12 January 2006 22:29, Richard Wilson wrote:
> I was wondering if anyone had seen this error message appear on console
> or in logs:
>
> kernel: ip_conntrack: table full, dropping packet.
>
> This indicates the ip_conntrack module of the iptables firewall code has
> run out of slots and is throwing stuff in the bit bucket.  As
> ip_conntrack is what determines if a packet is related to an existing
> session, this is NOT a good message to see.  For my system a reboot was
> required to restore sane operations.
>
> It was accompanied by a LOT of these messages, which may relate:
>
> kernel: TCP: drop open request from ip.ad.dr.ess/port
> kernel: NET: 45 messages suppressed.

This is *NOT* good news any way you look at it. The default values tend to 
work well for low traffic volume; high traffic volume is going to require 
tighter settings (read below for one such).

>
> So far I've found that the upper limit is set by:
>
> cat /proc/sys/net/ipv4/netfilter/ip_conntrack
>
> (for kernel versions prior to 2.4.23 it's):
>
> cat /proc/sys/net/ipv4/ip_conntrack
>
> The limit on the system cranking out these messages is set at 65536,
> which is a default for systems with 1GB or more of RAM.  It can be
> increased.
>
> I also found a reference (at linuxquestions.org) to the following:
>
> echo "21600" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
>

I've been reading on this as well. You would have far better results by 
setting that value to 3600. It seems a bit short (only 1 hour), but it'll 
certainly recycle those slots a lot faster during excessive spam load.


> This command is supposed to change the timeout for a tracked connection
> from the default of 5 days (!) to 6 hours.  I am still trying to track
> down relevant documentation to confirm that it works as desired.
>
> Has anyone else messed with these?  This server is a busy mail relay
> that regularly gets hammered by spam -- I suspect that I should drop the
> connection timeout value down.  I am not sure if the "TCP:" and "NET:"
> messages relate -- they occur without the ip_conntrack messages
> appearing as well.
>
> Thanks in advance,


More information about the PLUG-discuss mailing list
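A small POSIX sh helper, added here as an illustration and not code from either poster, that checks how full the conntrack table is, counts the two kernel messages quoted in the thread in a syslog file, and applies the larger limit and shorter established timeout discussed above. It assumes the 2.6-era sysctl layout under /proc/sys/net/ipv4/netfilter (the CT_DIR variable, the function names and the sample log excerpt are mine and are constructed for this example); later kernels expose the same knobs as /proc/sys/net/netfilter/nf_conntrack_* instead.

```sh
#!/bin/sh
# Added example for the thread above; not code from either poster.
# Assumes the 2.6-era layout /proc/sys/net/ipv4/netfilter/ip_conntrack_*.
# Newer kernels use /proc/sys/net/netfilter/nf_conntrack_* for the same knobs.
# Point CT_DIR at another directory to exercise this without the module loaded.

CT_DIR="${CT_DIR:-/proc/sys/net/ipv4/netfilter}"

# Print "count max percent" for the current conntrack table occupancy.
conntrack_usage() {
    count=$(cat "$CT_DIR/ip_conntrack_count")
    max=$(cat "$CT_DIR/ip_conntrack_max")
    echo "$count $max $(( count * 100 / max ))"
}

# Succeed when occupancy is at or above THRESHOLD percent (default 80),
# i.e. the table is close to "ip_conntrack: table full, dropping packet".
conntrack_near_full() {
    threshold="${1:-80}"
    set -- $(conntrack_usage)
    [ "$3" -ge "$threshold" ]
}

# Print the established-TCP timeout in seconds (the 5-day default is 432000).
conntrack_established_timeout() {
    cat "$CT_DIR/ip_conntrack_tcp_timeout_established"
}

# Count the two kernel messages from the thread, in the named file(s) or on
# stdin. They have different origins: "ip_conntrack: table full" is netfilter
# running out of slots, while "TCP: drop open request" is the TCP stack
# dropping a SYN because a listening socket's backlog is full, which happens
# independently of conntrack. Counting them separately keeps that distinction.
count_conntrack_full() {
    grep -c 'ip_conntrack: table full, dropping packet' "$@" || true
}
count_syn_drops() {
    grep -c 'TCP: drop open request' "$@" || true
}

# Constructed sample syslog excerpt, modelled on the messages quoted in the thread.
sample_log() {
    cat <<'EOF'
Jan 12 22:29:01 relay kernel: ip_conntrack: table full, dropping packet.
Jan 12 22:29:01 relay kernel: ip_conntrack: table full, dropping packet.
Jan 12 22:29:02 relay kernel: TCP: drop open request from 192.0.2.10/43211
Jan 12 22:29:02 relay kernel: NET: 45 messages suppressed.
Jan 12 22:29:03 relay kernel: ip_conntrack: table full, dropping packet.
EOF
}

# Apply a larger table and a shorter established timeout (e.g. 131072 and 3600).
# The new maximum applies at once; the shorter timeout applies to an entry the
# next time traffic refreshes it, so idle entries keep their old timer until it
# expires. Add both keys to /etc/sysctl.conf to survive a reboot:
#   net.ipv4.netfilter.ip_conntrack_max = 131072
#   net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 3600
tune_conntrack() {
    echo "$1" > "$CT_DIR/ip_conntrack_max"
    echo "$2" > "$CT_DIR/ip_conntrack_tcp_timeout_established"
}

# One-line status report, with a warning once the table passes 80 percent.
conntrack_report() {
    set -- $(conntrack_usage)
    printf 'conntrack: %s/%s entries (%s%%), established timeout %ss\n' \
        "$1" "$2" "$3" "$(conntrack_established_timeout)"
    if conntrack_near_full 80; then
        echo "WARNING: table nearly full; expect 'ip_conntrack: table full' soon"
    fi
}

# Usage: conntrack.sh status | tune MAX TIMEOUT | demo
case "${1:-}" in
    status) conntrack_report ;;
    tune)   tune_conntrack "$2" "$3" && conntrack_report ;;
    demo)   echo "table-full messages: $(sample_log | count_conntrack_full)"
            echo "SYN backlog drops:   $(sample_log | count_syn_drops)" ;;
esac
```

Run `sh conntrack.sh status` from cron on the relay to catch the table filling up before packets are dropped, and `sh conntrack.sh tune 131072 3600` (as root) to apply the values from the thread. One caveat when raising ip_conntrack_max: the hash table size is fixed when the ip_conntrack module loads (its hashsize parameter), so a much larger maximum without a larger hash means longer bucket chains and slower lookups as the table fills.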