I was wondering if anyone had seen this error message appear on console or in logs:

    kernel: ip_conntrack: table full, dropping packet.

This indicates the ip_conntrack module of the iptables firewall code has run out of slots and is throwing stuff in the bit bucket. As ip_conntrack is what determines if a packet is related to an existing session, this is NOT a good message to see. For my system a reboot was required to restore sane operations.

It was accompanied by a LOT of these messages, which may relate:

    kernel: TCP: drop open request from ip.ad.dr.ess/port
    kernel: NET: 45 messages suppressed.

So far I've found that the upper limit is set by:

    cat /proc/sys/net/ipv4/netfilter/ip_conntrack

(for kernel versions prior to 2.4.23 it's):

    cat /proc/sys/net/ipv4/ip_conntrack

The limit on the system cranking out these messages is set at 65536, which is a default for systems with 1GB or more of RAM. It can be increased.

I also found a reference (at linuxquestions.org) to the following:

    echo "21600" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

This command is supposed to change the timeout for a tracked connection from the default of 5 days (!) to 6 hours. I am still trying to track down relevant documentation to confirm that it works as desired.

Has anyone else messed with these? This server is a busy mail relay that regularly gets hammered by spam -- I suspect that I should drop the connection timeout value down.

I am not sure if the "TCP:" and "NET:" messages relate -- they occur without the ip_conntrack messages appearing as well.

Thanks in advance,

--
Richard Wilson
r dot wilson (nine) at cox dot net

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
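A small check script for the situation described in the post, added here as an example and not part of the original message or the PLUG list. It assumes the 2.4-era paths /proc/sys/net/ipv4/ip_conntrack_max (table size) and /proc/net/ip_conntrack (one line per tracked entry), counts "table full" drops in a constructed log excerpt, and works out how many new connections per minute a 65536-entry table can absorb at the 5-day versus 6-hour established timeout the post mentions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the legacy paths
# /proc/sys/net/ipv4/ip_conntrack_max (table size) and /proc/net/ip_conntrack
# (current entries); falls back to constructed values when they are absent.

# Constructed kernel log excerpt so the log check runs offline.
SAMPLE_LOG='Mar  3 10:01:12 relay kernel: ip_conntrack: table full, dropping packet.
Mar  3 10:01:12 relay kernel: TCP: drop open request from 192.0.2.10/25
Mar  3 10:01:13 relay kernel: NET: 45 messages suppressed
Mar  3 10:01:14 relay kernel: ip_conntrack: table full, dropping packet.'

# Number of "table full" drop events in log text read from stdin.
count_table_full() {
    grep -c 'ip_conntrack: table full, dropping packet' || true
}

# Percentage of the conntrack table in use (integer), from count and max.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Exit status 0 if usage is below the warning threshold (default 80%).
conntrack_usage_ok() {
    [ "$(conntrack_usage_pct "$1" "$2")" -lt "${3:-80}" ]
}

# Steady-state capacity: new tracked connections per minute the table can
# absorb before old entries expire, i.e. max * 60 / timeout_seconds.
sustainable_new_conn_per_min() {
    echo $(( $1 * 60 / $2 ))
}

# Read live count/max when available; otherwise use constructed demo values.
read_conntrack_state() {
    if [ -r /proc/sys/net/ipv4/ip_conntrack_max ] && [ -r /proc/net/ip_conntrack ]; then
        echo "$(wc -l < /proc/net/ip_conntrack) $(cat /proc/sys/net/ipv4/ip_conntrack_max)"
    else
        echo "62000 65536"   # constructed: table almost full
    fi
}

state=$(read_conntrack_state)
count=${state% *}; max=${state#* }
echo "conntrack entries: $count / $max ($(conntrack_usage_pct "$count" "$max")%)"
conntrack_usage_ok "$count" "$max" || echo "WARNING: conntrack table above 80%"
echo "table-full drops in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full)"
echo "sustainable new conn/min at 5-day timeout: $(sustainable_new_conn_per_min "$max" 432000)"
echo "sustainable new conn/min at 6-hour timeout: $(sustainable_new_conn_per_min "$max" 21600)"
```

With the default 432000-second timeout the table sustains only about 9 new connections per minute before it fills, which is why a busy relay hits the limit; at 21600 seconds the same table sustains about 182 per minute.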