ip_conntrack: table full, dropping packet
The following error appears on the server (in /var/log/messages):
ip_conntrack: table full, dropping packet.
After some reading: the server uses iptables, it carries a large number of connections, and the kernel's connection tracking system (conntrack) has run out of room to store connection information. The fix is to enlarge the table.
View the current size:
$ sysctl net.ipv4.netfilter.ip_conntrack_max
net.ipv4.netfilter.ip_conntrack_max = 65535
Increase it. Edit /etc/sysctl.conf and add (or change) the following line:
net.ipv4.netfilter.ip_conntrack_max = 655350
Apply it:
$ sysctl -p
Two caveats before doing this on a production machine. First, the parameter name above belongs to the old ip_conntrack module; on kernels that use nf_conntrack the limit is net.netfilter.nf_conntrack_max, the current usage is net.netfilter.nf_conntrack_count, and the number of hash buckets is /sys/module/nf_conntrack/parameters/hashsize. Raising the maximum alone adds no buckets, so the per-bucket chains get longer and every lookup slower; raise hashsize together with the maximum, and remember that each entry costs kernel memory. Second, a full table is also exactly what a SYN flood or a port scan looks like from the kernel's point of view: list the entries (cat /proc/net/nf_conntrack, or /proc/net/ip_conntrack on old kernels) and check whether they are genuine established connections or a pile of unreplied half-open ones from a few sources before assuming the answer is a bigger table.
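Before raising the limit it is worth seeing what actually fills the table. The following is an added example, not code from the original post: a small Python script that parses entries in the /proc/net/nf_conntrack format, reports the fill level and state mix, lists the sources with the most unreplied (half-open) entries, and suggests a hash size. The sample entries are constructed, and the triage thresholds and the one-bucket-per-four-entries rule of thumb are assumptions of this example, not kernel values.

```python
import os
import re
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack format (not captured from a real host):
# one established TCP flow, one UDP DNS exchange, one TIME_WAIT, and three half-open
# SYN_SENT entries from the same source, which is what a SYN flood leaves behind.
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.0.7 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=10.0.0.7 sport=53 dport=40000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.0.2.66 dst=10.0.0.5 sport=1024 dport=80 [UNREPLIED] src=10.0.0.5 dst=192.0.2.66 sport=80 dport=1024 mark=0 zone=0 use=2
ipv4     2 tcp      6 116 SYN_SENT src=192.0.2.66 dst=10.0.0.5 sport=1025 dport=80 [UNREPLIED] src=10.0.0.5 dst=192.0.2.66 sport=80 dport=1025 mark=0 zone=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=192.0.2.66 dst=10.0.0.5 sport=1026 dport=80 [UNREPLIED] src=10.0.0.5 dst=192.0.2.66 sport=80 dport=1026 mark=0 zone=0 use=2
ipv4     2 tcp      6 119 TIME_WAIT src=10.0.0.8 dst=203.0.113.10 sport=40001 dport=443 src=203.0.113.10 dst=10.0.0.8 sport=443 dport=40001 [ASSURED] mark=0 zone=0 use=2
"""

# l3proto l3num l4proto l4num timeout [tcp-state] original tuple ... flags ...
LINE_RE = re.compile(
    r"^(?P<l3>\S+)\s+\d+\s+(?P<l4>\S+)\s+\d+\s+(?P<timeout>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"          # TCP entries carry a state word, UDP entries do not
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)


def parse_conntrack(text):
    """Parse conntrack entries; lines without ports (e.g. ICMP) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "proto": d["l4"],
            "state": d["state"] or "-",
            "timeout": int(d["timeout"]),
            "src": d["src"], "dst": d["dst"],
            "sport": int(d["sport"]), "dport": int(d["dport"]),
            "unreplied": "[UNREPLIED]" in d["rest"],   # no packet seen in the reply direction
            "assured": "[ASSURED]" in d["rest"],
        })
    return entries


def summarize(entries, conntrack_max):
    n = len(entries)
    unreplied = [e for e in entries if e["unreplied"]]
    return {
        "count": n,
        "max": conntrack_max,
        "fill_pct": round(100.0 * n / conntrack_max, 1),
        "by_state": dict(Counter(e["state"] for e in entries)),
        "unreplied_pct": round(100.0 * len(unreplied) / n, 1) if n else 0.0,
        "top_unreplied_src": Counter(e["src"] for e in unreplied).most_common(3),
    }


def diagnose(summary, fill_warn=80.0, unreplied_warn=50.0):
    """Rough triage (thresholds are assumptions of this example): a nearly full
    table dominated by unreplied entries is more likely a flood than real load."""
    if summary["fill_pct"] < fill_warn:
        return "ok"
    if summary["unreplied_pct"] >= unreplied_warn:
        return "suspect-flood"
    return "raise-limit"


def recommended_hashsize(conntrack_max, entries_per_bucket=4):
    """Rule of thumb assumed here: keep average chain length around four entries."""
    return conntrack_max // entries_per_bucket


if __name__ == "__main__":
    path = "/proc/net/nf_conntrack"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    s = summarize(parse_conntrack(text), 65535)
    print(s, diagnose(s), recommended_hashsize(655350))
```

On a real host the script reads /proc/net/nf_conntrack (readable by root once the nf_conntrack module is loaded) and falls back to the constructed sample otherwise; compare its "count" with nf_conntrack_count from sysctl to confirm the parser is not skipping entries you care about.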
So what is the connection tracking system (conntrack), how does it work, and how does it relate to iptables? To answer these questions I read up on it and sorted out what I found below.
Netfilter
Netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack. [1]
Put simply, the Netfilter framework provides a set of hooks in the Linux network stack through which kernel modules can register callback functions; every packet that crosses a hook is passed to the callbacks registered there.
iptables is a user-space tool built on the Netfilter framework for configuring packet filtering rules. Its built-in chains carry the same names as the Netfilter hooks (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING) because each chain is evaluated from the corresponding hook: iptables is a front end to Netfilter, not a separate mechanism.
The Hooks and Callback Function
Netfilter inserts five hooks into the Linux network stack to process packets at different stages:
- PREROUTING (NF_IP_PRE_ROUTING): every incoming packet passes here before the routing decision. DNAT is implemented at this hook.
- LOCAL INPUT (NF_IP_LOCAL_IN): packets that the routing decision delivers to the local machine.
- FORWARD (NF_IP_FORWARD): packets that are routed through the machine rather than delivered locally.
- LOCAL OUTPUT (NF_IP_LOCAL_OUT): packets generated by local processes, on their way out.
- POSTROUTING (NF_IP_POST_ROUTING): after routing, just before the packet leaves the machine. Every outgoing packet, forwarded or locally generated, passes here; SNAT is implemented at this hook.
The packet path through the five hooks:
        NF_IP_PRE_ROUTING                 NF_IP_FORWARD            NF_IP_POST_ROUTING
  --->  [1]  ====>  ROUTER  ====>  [3]  ===================>  [4]  --->
                      ||                                      /\
                      ||                                      ||
                      \/                                    ROUTER
                     [2]  ===>  LOCAL PROCESS  ===>  [5]  ====>||
                 NF_IP_LOCAL_IN                  NF_IP_LOCAL_OUT
A callback registered on a hook returns one of the following verdicts:
- NF_ACCEPT: let the packet continue through the stack.
- NF_DROP: discard the packet.
- NF_QUEUE: hand the packet to user space through nf_queue.
- NF_STOLEN: the callback takes ownership of the packet, which for now does not continue through the stack. This is typically used to hold on to IP fragments until the whole datagram has been collected, that is, processing of the packet pauses until some event occurs.
- NF_REPEAT: call this hook again for the packet.
In short, the Netfilter framework lets kernel code filter (or modify) packets at different stages of their path through the stack by means of callback functions.
On the "defragmented IP packets" mentioned above, Wikipedia explains IP fragmentation as follows:
The Internet Protocol (IP) implements datagram fragmentation, breaking it into smaller pieces, so that packets may be formed that can pass through a link with a smaller maximum transmission unit (MTU) than the original datagram size.
Put simply, if a datagram is larger than the MTU it is split into several smaller packets (fragments) for transmission. Conntrack needs the whole datagram in order to see the transport-layer header, which is why fragments are reassembled before tracking.
The Connection Tracking System and Stateful Inspection
The connection tracking system is the module that provides stateful packet inspection for iptables.
Basically, the connection tracking system stores information about the state of a connection in a memory structure that contains the source and destination IP addresses, port number pairs, protocol types, state, and timeout. With this extra information, we can define more intelligent filtering policies. The connection tracking system just tracks packets; it does not filter. (Netfilter's connection tracking system)
Connection states
In the conntrack system a connection can be in one of the following states:
- NEW: a packet is starting a connection that conntrack has not seen before. For TCP this is the SYN packet; for UDP it is the first datagram of a flow.
- ESTABLISHED: the connection has been established, that is, packets have been seen in both directions.
- RELATED: a new connection that is associated with an existing one, for example an FTP data connection or an ICMP error belonging to a tracked flow.
- INVALID: the packet cannot be associated with any connection or does not fit the protocol state, for example a TCP segment whose flags or sequence numbers make no sense for the tracked connection.
So conntrack keeps state even for protocols that are themselves stateless: a UDP flow is NEW on its first datagram, becomes ESTABLISHED once a reply is seen, and is forgotten when its timeout expires. This is what allows a rule such as "accept UDP replies to queries this host sent" to be expressed.
Implementation
The conntrack system uses a hash table to store and look up connections. Each bucket of the table holds a doubly linked list of hash tuples. A connection has two tuples: one for the original direction (packets from the side that initiated the connection) and one for the reply direction. Both tuples carry the addressing information of the connection (addresses, ports, protocol), and both belong to a single nf_conn structure, which holds the state of the connection. Looking up either tuple finds the same connection, which is how a reply packet is matched to the flow it answers.
The hash value is computed from the layer 3 and layer 4 information of the tuple, with a random value mixed in so that an attacker cannot choose addresses and ports that all collide in one bucket and degrade lookups. The table has a maximum number of entries (ip_conntrack_max, or nf_conntrack_max on newer kernels). When a new connection arrives and the table is full, the kernel first tries an "early drop": it evicts an existing entry that has not yet been marked ASSURED (traffic seen in both directions). If no such entry can be found, the new packet is dropped and the "table full, dropping packet" message is logged.
The callback nf_conntrack_in is registered on the PREROUTING hook (and on LOCAL OUTPUT for locally generated packets). It checks that the packet is valid and looks its tuple up in the table to find the conntrack entry the packet belongs to; if there is none, a new entry is created with its confirmed flag clear, not yet inserted into the hash table. The function nf_conntrack_confirm, registered on LOCAL INPUT and POSTROUTING, sets the confirmed flag. These two hooks are the last ones a packet entering the local machine or being forwarded passes through, so if the packet has not been dropped by then, the entry is confirmed and inserted into the hash table. This ordering means a packet that the filter rules drop never leaves a stale entry behind.
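The structure described in this section, as an added example in Python (a toy model written for this page, not kernel code): a keyed hash over the tuple, two tuples per connection pointing at one entry, the NEW to ESTABLISHED transition when the reply direction is seen (for UDP as well as TCP), allocation at nf_conntrack_in time and insertion at confirm time, and the early-drop path that evicts an unassured entry before giving up with "DROP". The seed, bucket count and maximum are assumptions; the tuples used to exercise it are constructed. Unknown mid-stream TCP segments are treated as INVALID here, which corresponds to the kernel with loose pickup disabled.

```python
import hashlib
from collections import namedtuple

Tuple = namedtuple("Tuple", "proto src sport dst dport")


def reverse(t):
    """The reply-direction tuple of an original-direction tuple."""
    return Tuple(t.proto, t.dst, t.dport, t.src, t.sport)


class Conn:
    """Mirrors nf_conn: one connection, two tuples (original and reply), state and flags."""
    def __init__(self, orig):
        self.orig, self.reply = orig, reverse(orig)
        self.state = "NEW"
        self.confirmed = False   # set by confirm(), i.e. at LOCAL INPUT / POSTROUTING
        self.assured = False     # IPS_ASSURED: traffic seen in both directions


class ConntrackTable:
    def __init__(self, buckets=8, max_entries=4, seed=b"assumed-boot-time-random"):
        self.buckets = [[] for _ in range(buckets)]   # each bucket: chain of (tuple, conn)
        self.max = max_entries                        # the ip_conntrack_max role
        self.seed = seed                              # random value mixed into the hash
        self.count = 0                                # allocated entries, confirmed or not
        self.dropped = 0

    def _hash(self, t):
        # Keyed hash over the L3/L4 fields: without the secret seed an attacker could
        # pick tuples that all land in one bucket and turn lookups into a long list walk.
        h = hashlib.blake2b(repr(t).encode(), key=self.seed, digest_size=4).digest()
        return int.from_bytes(h, "big") % len(self.buckets)

    def lookup(self, t):
        """Return (conn, is_original_direction) or (None, None)."""
        for tup, conn in self.buckets[self._hash(t)]:
            if tup == t:
                return conn, tup == conn.orig
        return None, None

    def _unlink(self, conn):
        for t in (conn.orig, conn.reply):
            b = self.buckets[self._hash(t)]
            b[:] = [(tup, c) for tup, c in b if c is not conn]
        self.count -= 1

    def _early_drop(self):
        # Table full: evict an entry that is not ASSURED; assured ones are left alone.
        for bucket in self.buckets:
            for _, conn in bucket:
                if not conn.assured:
                    self._unlink(conn)
                    return True
        return False

    def track(self, pkt, tcp_syn=False):
        """nf_conntrack_in: classify a packet, allocating a new unconfirmed conn if needed."""
        conn, is_orig = self.lookup(pkt)
        if conn is not None:
            if not is_orig:                        # reply direction seen: both ways now
                conn.state, conn.assured = "ESTABLISHED", True
            return conn.state, conn
        if pkt.proto == "tcp" and not tcp_syn:
            return "INVALID", None                 # mid-stream segment, no known connection
        if self.count >= self.max and not self._early_drop():
            self.dropped += 1                      # "table full, dropping packet"
            return "DROP", None
        self.count += 1
        return "NEW", Conn(pkt)                    # allocated, not yet in the hash table

    def confirm(self, conn):
        """nf_conntrack_confirm: the packet survived filtering; insert both tuples."""
        if not conn.confirmed:
            conn.confirmed = True
            for t in (conn.orig, conn.reply):
                self.buckets[self._hash(t)].append((t, conn))

    def discard(self, conn):
        """The packet was dropped before confirm: free the unconfirmed entry."""
        if not conn.confirmed:
            self.count -= 1
```

Run the UDP flow first (one datagram out, one reply back) and the entry becomes ESTABLISHED and ASSURED; then fill the table with half-open TCP SYNs and watch early drop sacrifice the unassured entries before the first genuine "DROP" appears, which is the situation the log message in this post reports.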
Helpers and Expectations
Some application-layer protocols are hard to track from packet headers alone. FTP is the classic case: port 21 carries the control connection, and the data transfer uses a separate connection whose port is negotiated inside the control channel (in passive mode the server announces the address and port in its "227" reply). From the user's point of view the two connections belong together (they are related).
The conntrack system provides a mechanism called a helper, which lets the system decide whether a new connection is related to an existing one. This mechanism is built on expectations. An expectation describes a connection that is expected to appear within a certain period of time. For FTP, the helper parses the control connection for the address and port of the coming data transfer; when it finds them, it creates an expectation and inserts it into the expectation list.
When a new conntrack entry is created, the system first checks the expectation list for a matching expectation. If none is found, the helper registered for the connection (if any) is attached to it. If a matching expectation is found, the new conntrack entry is linked to the master conntrack that created the expectation, and its packets are classified as RELATED.
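The FTP passive-mode flow above, as an added example in Python (a toy model written for this page; not kernel code and not from the original post): the helper parses the server's 227 reply, refuses an announced address that differs from the control connection's server address (the kernel's FTP helper makes the same check unless its loose parameter is set), registers an expectation, and the first new connection matching it is classified RELATED with a pointer to its master. The tuples and the 227 reply are constructed.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": address h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(payload):
    """Return (ip, port) announced by a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class Expectation:
    """A connection the helper expects: client -> (ip, port), any client source port."""
    def __init__(self, master, src, dst, dport, proto="tcp"):
        self.master, self.src, self.dst, self.dport, self.proto = master, src, dst, dport, proto

    def matches(self, t):
        proto, src, _sport, dst, dport = t        # t = (proto, src, sport, dst, dport)
        return (proto, src, dst, dport) == (self.proto, self.src, self.dst, self.dport)


class HelperTracker:
    def __init__(self):
        self.expectations = []
        self.conns = {}                           # tuple -> {"state": ..., "master": ...}

    def ftp_helper(self, ctrl_tuple, payload_from_server):
        """Runs on the control connection (dport 21); a PASV reply yields an expectation."""
        res = parse_pasv(payload_from_server)
        if res is None:
            return None
        ip, port = res
        _proto, client, _cport, server, _sport = ctrl_tuple
        if ip != server:
            # Announced address must be the server we are talking to; otherwise a
            # malicious server could make the firewall expect (and admit) a connection
            # to an arbitrary third host.
            return None
        exp = Expectation(master=ctrl_tuple, src=client, dst=ip, dport=port)
        self.expectations.append(exp)
        return exp

    def new_connection(self, t):
        """On a new conntrack: consult the expectation list first; match -> RELATED."""
        for exp in self.expectations:
            if exp.matches(t):
                self.expectations.remove(exp)     # an expectation is consumed once
                self.conns[t] = {"state": "RELATED", "master": exp.master}
                return "RELATED"
        self.conns[t] = {"state": "NEW", "master": None}
        return "NEW"
```

With this in place an iptables rule of the form "-m state --state ESTABLISHED,RELATED -j ACCEPT" admits the data connection without opening the server's high ports in general, and the expectation is gone once it has been used.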
References:
- [1] http://www.netfilter.org/
- Netfilter's connection tracking system