I was wondering if anyone had seen this error message appear on console
or in logs:
kernel: ip_conntrack: table full, dropping packet.
This indicates the ip_conntrack module of the iptables firewall code has
run out of slots and is throwing stuff in the bit bucket. As
ip_conntrack is what determines if a packet is related to an existing
session, this is NOT a good message to see. For my system a reboot was
required to restore sane operations.
It was accompanied by a LOT of these messages, which may relate:
kernel: TCP: drop open request from ip.ad.dr.ess/port
kernel: NET: 45 messages suppressed.
So far I've found that the upper limit is set by:
cat /proc/sys/net/ipv4/netfilter/ip_conntrack
(for kernel versions prior to 2.4.23 it's):
cat /proc/sys/net/ipv4/ip_conntrack
The limit on the system cranking out these messages is set at 65536,
which is a default for systems with 1GB or more of RAM. It can be
increased.
I also found a reference (at linuxquestions.org) to the following:
echo "21600"
> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
This command is supposed to change the timeout for a tracked connection
from the default of 5 days (!) to 6 hours. I am still trying to track
down relevant documentation to confirm that it works as desired.
Has anyone else messed with these? This server is a busy mail relay
that regularly gets hammered by spam -- I suspect that I should drop the
connection timeout value down. I am not sure if the "TCP:" and "NET:"
messages relate -- they occur without the ip_conntrack messages
appearing as well.
Thanks in advance,
--
Richard Wilson
r dot wilson (nine) at cox dot net
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
(text/plain)