Nf_conntrack solution, nf_conntrack

Nf_conntrack solution, nf_conntrack
1. symptom

The following information appears in/var/log/message:

Dec  8 11:22:29 product08 kernel: nf_conntrack: table full, dropping packet.Dec  8 11:22:29 product08 kernel: nf_conntrack: table full, dropping packet.

2. What is nf_conntrack?

Nf_conntrack (ip_conntrack in earlier Linux kernels) is a kernel module used to track the status of a connection. Connection status tracking can be used by other modules. The two most common scenarios are the nat state module of iptables.
Iptables nat uses rules to modify the destination/source address, but the address cannot be modified only. We also need to allow the returned packets to be routed to the original source host. This requires the help of nf_conntrack to find the original connection record.
The state module directly uses the connection status recorded in nf_conntrack to match user-defined rules. For example, the following INPUT rule is used to allow packets in the NEW connection state on port 80.

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

3. solution (1) Disable iptables first

/Etc/init. d/iptables stop

(2) view the current number of connections:

# Grep nf_conntrack/proc/slabinfo

(3) identify the current ranking of nf_conntrack:

$ Cat/proc/net/nf_conntrack | cut-d ''-f 10 | cut-d' = '-f 2 | sort | uniq-c | sort-nr | head- n 10

(4) optimization parameters

Set the maximum number of rows in the state tracking table. The theoretical maximum value is CONNTRACK_MAX = RAMSIZE (in bytes)/16384/(ARCH/32)
Taking a 64-bit 64-GB operating system as an example, CONNTRACK_MAX = 64*1024*1024*1024/16384/2 = 2097152

To take effect immediately, execute:
Sysctl-w net. netfilter. nf_conntrack_max = 524288 (16G)

The size of the hash table is usually 1/8 of the total table, and the maximum is 1/2. CONNTRACK_BUCKETS = CONNTRACK_MAX/8
For 64-bit 64-bit operating systems of the same 64 GB, the optimal hash range is 262144 ~ 1048576.

Run the sysctl net. netfilter. nf_conntrack_buckets command to check the running status, and set it through the file/sys/module/nf_conntrack/parameters/hashsize.
Or create/etc/modprobe. d/iptables. conf and reload the module:
Options nf_conntrack hashsize = 262144

Some related system parameters 'sysctl-a | grep nf_conntrack' can be optimized (/etc/sysctl. conf ):
Net. netfilter. nf_conntrack_max = 1048576
Net. netfilter. ip_conntrack_tcp_timeout_established = 3600
Net. netfilter. nf_conntrack_tcp_timeout_close_wait = 60
Net. netfilter. nf_conntrack_tcp_timeout_fin_wait = 120
Net. netfilter. nf_conntrack_tcp_timeout_time_wait = 120

(5) Allow iptables

iptables -t raw -A PREROUTING -p tcp -m multiport --dports 80,15000 -j NOTRACK
iptables -t raw -A PREROUTING -p tcp -m multiport --sports 80,15000 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp -m multiport --dports 80,15000 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp -m multiport --sports 80,15000 -j NOTRACK