iptables conntrack overflow

Author: Richard Wilson
Date:  
To: Main PLUG discussion list
Subject: iptables conntrack overflow
I was wondering if anyone had seen this error message appear on console
or in logs:

kernel: ip_conntrack: table full, dropping packet.

This indicates the ip_conntrack module of the iptables firewall code has
run out of slots and is throwing stuff in the bit bucket. As
ip_conntrack is what determines if a packet is related to an existing
session, this is NOT a good message to see. For my system a reboot was
required to restore sane operations.

It was accompanied by a LOT of these messages, which may relate:

kernel: TCP: drop open request from ip.ad.dr.ess/port
kernel: NET: 45 messages suppressed.

So far I've found that the upper limit is set by:

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max

(for kernel versions prior to 2.4.23 it's):

cat /proc/sys/net/ipv4/ip_conntrack_max

The limit on the system cranking out these messages is set at 65536,
which is a default for systems with 1GB or more of RAM. It can be
increased.

I also found a reference (at linuxquestions.org) to the following:

echo "21600" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established


This command is supposed to change the timeout for a tracked connection
from the default of 5 days (!) to 6 hours. I am still trying to track
down relevant documentation to confirm that it works as desired.

Has anyone else messed with these? This server is a busy mail relay
that regularly gets hammered by spam -- I suspect that I should drop the
connection timeout value down. I am not sure if the "TCP:" and "NET:"
messages relate -- they occur without the ip_conntrack messages
appearing as well.

Thanks in advance,

--
Richard Wilson
r dot wilson (nine) at cox dot net

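An added example, not part of Richard's post: a small POSIX sh script that reports how full the conntrack table is, using the sysctl paths the post names (ip_conntrack_max under /proc/sys/net/ipv4/netfilter on 2.4.23+, under /proc/sys/net/ipv4 before that) plus the nf_conntrack paths of later kernels, which are added from my own knowledge. It also reproduces the module's default sizing heuristic, which is where the 65536 at 1GB of RAM comes from.

```sh
#!/bin/sh
# Added example (not from the original post). Reports conntrack table usage
# and warns before "ip_conntrack: table full, dropping packet" starts.

# Print the first readable path among the arguments; fail if none exists.
first_readable() {
    for p in "$@"; do
        [ -r "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# Integer percentage of the table in use: usage_pct <count> <max>
usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return 0; }
    echo $(( $1 * 100 / $2 ))
}

# Default table size the 2.4/2.6 ip_conntrack module picks at load time:
# buckets = RAM / 16384 / sizeof(struct list_head), clamped to [16, 8192];
# max entries = 8 * buckets. list_head is 8 bytes on 32-bit, 16 on 64-bit.
default_max_for_ram() {  # default_max_for_ram <ram_bytes> [list_head_bytes]
    buckets=$(( $1 / 16384 / ${2:-8} ))
    [ "$buckets" -gt 8192 ] && buckets=8192
    [ "$buckets" -lt 16 ] && buckets=16
    echo $(( buckets * 8 ))
}

# Live check: read count and max from /proc and warn when nearly full.
conntrack_report() {
    maxf=$(first_readable /proc/sys/net/netfilter/nf_conntrack_max \
        /proc/sys/net/ipv4/netfilter/ip_conntrack_max \
        /proc/sys/net/ipv4/ip_conntrack_max) || {
        echo "no conntrack sysctl found (module not loaded?)"; return 1; }
    max=$(cat "$maxf")
    if cntf=$(first_readable /proc/sys/net/netfilter/nf_conntrack_count \
        /proc/sys/net/ipv4/netfilter/ip_conntrack_count); then
        count=$(cat "$cntf")
    elif [ -r /proc/net/ip_conntrack ]; then   # one line per tracked flow
        count=$(wc -l < /proc/net/ip_conntrack)
    else
        count=0
    fi
    pct=$(usage_pct "$count" "$max")
    echo "conntrack: $count / $max entries in use ($pct%) [$maxf]"
    [ "$pct" -ge 80 ] && echo "WARNING: near the limit; raise $maxf or shorten tcp_timeout_established"
    return 0
}
```

Run `conntrack_report` from cron or a monitoring check on the mail relay; the default heuristic explains why a 1GB box lands on 65536, and a busy relay with a 5-day established timeout will fill that long before it runs out of real sessions.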
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss