Linux UDP sendto error: Operation not permitted (solution)

Source: Internet
Author: User
Tags: iptables

This problem appeared in a multi-threaded program under Linux in which several threads on one device send UDP messages to the same port of the same IP address. The error showed up after the program had been running for a while, when the number of packets sent had grown large, so the guess was that the connection tracking table was full and packets were being dropped. (When netfilter drops a locally generated packet, the kernel reports the failure to the sending socket as EPERM, which is why a full conntrack table surfaces as "sendto: Operation not permitted".) Searching turned up the following approach:

iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT
iptables -t raw -A PREROUTING -p tcp -m multiport --dports 9001,9000,9002 -j NOTRACK
iptables -t raw -A PREROUTING -p tcp -m multiport --sports 9001,9000,9002 -j NOTRACK

9000, 9001 and 9002 are the ports used by the program. Note that these rules, as given, match TCP (-p tcp) in the raw PREROUTING chain: the UDP packets the program sends are matched with -p udp, and packets generated on the device itself pass through the raw OUTPUT chain rather than PREROUTING.


Several ideas for solving "nf_conntrack: table full, dropping packet"

nf_conntrack works at layer 3 and supports both IPv4 and IPv6, whereas ip_conntrack supported only IPv4. By now most ip_conntrack_* names have been replaced by nf_conntrack_*, and many of the remaining ip_conntrack_* names are only aliases. The old ip_conntrack directory /proc/sys/net/ipv4/netfilter/ still exists, while the new nf_conntrack parameters live under /proc/sys/net/netfilter/; this is presumably kept for backward compatibility:

$ pwd
/proc/sys/net/ipv4/netfilter

$ pwd
/proc/sys/net/netfilter

To view the current number of tracked connections (on older kernels via slabinfo; newer kernels expose it directly in /proc/sys/net/netfilter/nf_conntrack_count):

# grep ip_conntrack /proc/slabinfo

ip_conntrack 38358 64324 304 1 : tunables 4948 4948 216

The first number (38358) is the count of entries currently in use.

Find the current top 10 of ip_conntrack entries, grouped by the chosen field (field 10 here; on newer kernels read /proc/net/nf_conntrack instead):

$ cat /proc/net/ip_conntrack | cut -d ' ' -f 10 | cut -d '=' -f 2 | sort | uniq -c | sort -nr | head -n 10

nf_conntrack/ip_conntrack is related to NAT: it tracks connection entries and uses a hash table to record the established records. nf_conntrack was introduced in 2.6.15 and ip_conntrack was removed in 2.6.22. When the hash table is full, the kernel logs:

nf_conntrack: table full, dropping packet

There are several ways to solve this problem.

1. Do not use the nf_conntrack module

First remove the state match from your rules, because using the state module forces nf_conntrack to be loaded. Make sure no rule using the state module remains in the iptables rule set, and remove any that does, for example:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Comment out the module line in /etc/sysconfig/iptables-config:

IPTABLES_MODULES="ip_conntrack_netbios_ns"

To remove the nf_conntrack module (the modules that depend on it have to go first):

$ sudo modprobe -r xt_NOTRACK nf_conntrack_netbios_ns nf_conntrack_ipv4 xt_state

$ sudo modprobe -r nf_conntrack

Now there should be no nf_conntrack entries under /proc/net/.

2. Adjust the parameters under /proc/

You can increase the number of conntrack entries (sessions, connection tracking entries), conntrack_max, or increase the size of the hash table that stores the conntrack entries, hashsize.

By default, conntrack_max and hashsize are computed from the amount of system memory:

For conntrack_max, the formula is:

conntrack_max = ramsize (in bytes) / 16384 / (ARCH / 32)

For example, a 64-bit machine with 48 GB of RAM can handle 48*1024^3/16384/2 = 1,572,864 netfilter connections at the same time. For systems with more than 1 GB of memory, the default conntrack_max is 65535.

For hashsize, the default relationship is:

conntrack_max = hashsize * 8

That means each hash bucket's linked list holds 8 conntrack entries on average. The actual formula is:

hashsize = conntrack_max / 8 = ramsize (in bytes) / 131072 / (ARCH / 32)

For example, a 64-bit machine with 48 GB of RAM can hold 48*1024^3/131072/2 = 196608 buckets (linked lists). For systems with more than 1 GB of memory, the default hashsize is 8192.

You can change the running system's conntrack_max and hashsize values directly with echo:

$ sudo su -c "echo 100000 > /proc/sys/net/netfilter/nf_conntrack_max"

$ sudo su -c "echo 50000 > /proc/sys/net/netfilter/nf_conntrack_buckets"

Values written this way do not survive a reboot; to persist them, set net.netfilter.nf_conntrack_max in /etc/sysctl.conf. On older kernels nf_conntrack_buckets is read-only, and the hash size is changed through /sys/module/nf_conntrack/parameters/hashsize instead.

You can also shorten the timeout so that idle entries expire sooner (replace <seconds> with the desired value; the default for established TCP is 432000, i.e. 5 days):

$ sudo su -c "echo <seconds> > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established"

On newer kernels the knob is /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established; for the UDP traffic in this case the relevant ones are nf_conntrack_udp_timeout and nf_conntrack_udp_timeout_stream.
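As an added example that is not part of the original post: a small POSIX sh script that applies the sizing formulas above and then reports how full the live table is, so the "table full" condition can be caught before packets are dropped. The 80% alert threshold and the function names are this example's own choices; the /proc paths are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post: applies the post's sizing formulas
# and checks how full the live conntrack table is. Assumes POSIX sh and the
# /proc paths quoted in the post; the 80% alert threshold is our own choice.

# Default conntrack_max per the post: ramsize_bytes / 16384 / (ARCH / 32)
default_conntrack_max() {   # $1 = RAM in bytes, $2 = 32 or 64
    echo $(( $1 / 16384 / ($2 / 32) ))
}

# Default hash table size per the post: conntrack_max / 8 (8 entries per bucket)
default_hashsize() {        # $1 = conntrack_max
    echo $(( $1 / 8 ))
}

# Integer percentage of the table in use
conntrack_usage_pct() {     # $1 = nf_conntrack_count, $2 = nf_conntrack_max
    [ "$2" -gt 0 ] || { echo 0; return 0; }
    echo $(( $1 * 100 / $2 ))
}

# True (exit 0) when usage is at or above the threshold, else false (exit 1)
conntrack_near_full() {     # $1 = count, $2 = max, $3 = threshold %, default 80
    [ "$(conntrack_usage_pct "$1" "$2")" -ge "${3:-80}" ]
}

# Read a live counter: new nf_conntrack path first, then the legacy ip_conntrack one
read_counter() {            # $1 = count | max
    for f in /proc/sys/net/netfilter/nf_conntrack_$1 \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_$1; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    return 1
}

report_conntrack() {
    count=$(read_counter count) || { echo "conntrack not loaded"; return 0; }
    max=$(read_counter max) || max=0
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count / $max entries in use (${pct}%)"
    if conntrack_near_full "$count" "$max"; then
        echo "WARNING: near 'table full'; raise nf_conntrack_max or NOTRACK bulk flows"
    fi
}

report_conntrack
```

Run it from cron or a monitoring agent; the WARNING line is the signal to act before the kernel starts logging "table full, dropping packet".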

3. Use the raw table and do not track the connection

The raw table in iptables is concerned with connection tracking and is basically used for one thing: marking, with the NOTRACK target, packets that do not need to be tracked. If a packet hits a -j NOTRACK rule, conntrack will not track that connection. The raw table has higher priority than mangle, nat and filter, and contains the PREROUTING and OUTPUT chains.

When you run iptables -t raw, the system automatically loads the iptable_raw module (which must be present). Raw in 2.4
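The rule set from the top of the post and the raw-table idea above, carried through for the UDP case as an added example (this is not the post's own script): it generates an iptables-restore fragment that NOTRACKs the application ports in both raw chains, since locally sent packets traverse raw OUTPUT, and accepts UNTRACKED packets in the filter table so a RELATED,ESTABLISHED-only policy does not drop them. The --apply flag and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original post: generate an iptables-restore
# fragment that exempts the application's ports from connection tracking.
# Assumes the raw table is available; "--apply" is our own convention.

# raw-table NOTRACK rules for one protocol and a comma-separated port list.
# Locally generated packets (the sendto() case in the post) traverse raw
# OUTPUT, not PREROUTING, so both chains get the rules.
notrack_rules() {           # $1 = udp | tcp, $2 = ports, e.g. 9000,9001,9002
    echo "*raw"
    for chain in PREROUTING OUTPUT; do
        echo "-A $chain -p $1 -m multiport --dports $2 -j NOTRACK"
        echo "-A $chain -p $1 -m multiport --sports $2 -j NOTRACK"
    done
    echo "COMMIT"
}

# Untracked packets have no state, so a filter policy that only accepts
# RELATED,ESTABLISHED would drop them; accept UNTRACKED explicitly.
untracked_accept_rules() {
    echo "*filter"
    for chain in INPUT OUTPUT FORWARD; do
        echo "-A $chain -m conntrack --ctstate UNTRACKED -j ACCEPT"
    done
    echo "COMMIT"
}

# Number of -A rules in a fragment read from stdin
rule_count() {
    grep -c '^-A '
}

if [ "${1:-}" = "--apply" ]; then
    # --noflush appends to the live rule set instead of replacing it; needs root
    { notrack_rules udp 9000,9001,9002; untracked_accept_rules; } | iptables-restore --noflush
else
    notrack_rules udp 9000,9001,9002
    untracked_accept_rules
fi
```

Without --apply the script only prints the fragment, so it can be reviewed or committed to configuration management before anything touches the live firewall.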
