Solutions to nf_conntrack: Table full, dropping Packet


nf_conntrack works at layer 3 and supports both IPv4 and IPv6, while ip_conntrack only supports IPv4. Most ip_conntrack_* names have been replaced by nf_conntrack_* ones, and many of the remaining ip_conntrack_* entries are only aliases. The old ip_conntrack sysctl directory /proc/sys/net/ipv4/netfilter/ still exists, but the nf_conntrack settings live in /proc/sys/net/netfilter/, which is meant to be backward compatible:

$ pwd

/proc/sys/net/ipv4/netfilter

$ pwd

/proc/sys/net/netfilter

View the current number of tracked connections (live objects in the conntrack slab cache):

# grep ip_conntrack /proc/slabinfo

ip_conntrack 38358 64324 304 13 1 : tunables 54 27 8 : slabdata 4948 4948

The first number (38358) is the count of entries in use, the second (64324) the number of objects allocated to the cache. On kernels that use nf_conntrack the cache is named nf_conntrack instead, and the live count is also available directly from /proc/sys/net/netfilter/nf_conntrack_count.

Rank the source addresses that hold the most entries. In /proc/net/ip_conntrack the tenth space-separated field of a TCP line is src=…; the column differs in /proc/net/nf_conntrack, which prefixes every line with the address family, so the fixed column number below only fits the old layout:

$ cat /proc/net/ip_conntrack | cut -d ' ' -f 10 | cut -d '=' -f 2 | sort | uniq -c | sort -nr | head -n 10
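The same ranking, written as an added example that is not part of the original post. Instead of cutting a fixed column it takes the first src= field on each line, so it works for both the /proc/net/ip_conntrack and the /proc/net/nf_conntrack layouts; the sample entries embedded at the bottom are constructed for the demonstration and the addresses in them are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: rank the source addresses
# that hold the most conntrack entries. The awk below picks the first
# "src=" field on each line (the original direction of the flow), so it
# does not depend on the column layout of /proc/net/ip_conntrack versus
# /proc/net/nf_conntrack, which prefixes each line with the address family.

# top_sources <file> [n]  -> "<count> <ip>" lines, busiest source first
# Pass "-" as the file to read from stdin.
top_sources() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^src=/) {           # first src= is the original direction
                sub(/^src=/, "", $i)
                print $i
                break
            }
    }' "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}" | awk '{print $1, $2}'
}

# busiest_source <file> -> the single address with the most entries
busiest_source() {
    top_sources "$1" 1 | awk '{print $2}'
}

# Constructed sample in the nf_conntrack layout (addresses are made up).
sample=$(mktemp)
cat >"$sample" <<'EOF'
ipv4     2 tcp      6 431998 ESTABLISHED src=10.0.0.5 dst=10.1.1.1 sport=51000 dport=80 packets=5 bytes=400 src=10.1.1.1 dst=10.0.0.5 sport=80 dport=51000 packets=4 bytes=300 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431998 ESTABLISHED src=10.0.0.5 dst=10.1.1.1 sport=51001 dport=80 packets=5 bytes=400 src=10.1.1.1 dst=10.0.0.5 sport=80 dport=51001 packets=4 bytes=300 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 110 TIME_WAIT src=10.0.0.5 dst=10.1.1.2 sport=51002 dport=443 packets=5 bytes=400 src=10.1.1.2 dst=10.0.0.5 sport=443 dport=51002 packets=4 bytes=300 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=10.0.0.7 dst=10.1.1.3 sport=5353 dport=53 packets=1 bytes=60 [UNREPLIED] src=10.1.1.3 dst=10.0.0.7 sport=53 dport=5353 packets=0 bytes=0 mark=0 use=1
ipv4     2 tcp      6 30 SYN_SENT src=10.0.0.9 dst=10.1.1.1 sport=52000 dport=80 packets=1 bytes=60 [UNREPLIED] src=10.1.1.1 dst=10.0.0.9 sport=80 dport=52000 packets=0 bytes=0 mark=0 use=1
EOF

# On a live system: top_sources /proc/net/nf_conntrack
top_sources "$sample"
rm -f "$sample"
```

A large count against a single source, or a long tail of [UNREPLIED] UDP entries from many sources, is the usual signature of a flood filling the table rather than legitimate load.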

nf_conntrack/ip_conntrack is the connection tracking subsystem that NAT and stateful filtering depend on; it records every tracked flow as an entry in a hash table. nf_conntrack was introduced in 2.6.15 and ip_conntrack was removed in 2.6.22. When the number of entries reaches nf_conntrack_max, any packet that would need a new entry is dropped and the kernel logs:

nf_conntrack: table full, dropping packet

There are several ways to solve this problem.

1. Do not use the nf_conntrack module

This is only an option on a host that does neither NAT nor stateful filtering: without conntrack, iptables can no longer match on connection state, so every rule that allows return traffic has to be written statelessly.

First drop the state match, because it pulls in nf_conntrack. Make sure the iptables rules contain no rule like the following, and remove it if they do:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Note: on CentOS/RHEL, /etc/sysconfig/iptables-config can also load conntrack helpers at startup, for example:

IPTABLES_MODULES="ip_conntrack_netbios_ns"

Remove the nf_conntrack module, starting with the modules that depend on it:

$ sudo modprobe -r xt_NOTRACK nf_conntrack_netbios_ns nf_conntrack_ipv4 xt_state

$ sudo modprobe -r nf_conntrack

Afterwards there should be no nf_conntrack entry under /proc/net. If modprobe reports the module as still in use, another module (iptable_nat, for instance) still depends on it and must be removed first.

2. Adjust the parameters under /proc/

You can increase the number of conntrack entries (sessions, connection tracking entries), or increase the size of the hash table that stores them (hashsize).

By default conntrack_max and hashsize are derived from the amount of system memory.

For conntrack_max the formula is:

conntrack_max = RAMSIZE (in bytes) / 16384 / (ARCH / 32)

For example, a 64-bit machine with 48 GB can handle 48 * 1024^3 / 16384 / 2 = 1572864 netfilter connections at once. The kernel caps the default, however: on the 2.6 kernels the original post targets, any system with more than 1 GB of memory gets a default conntrack_max of 65536. (Later kernels raise the cap and change the entries-per-bucket factor, so check the live value with sysctl net.netfilter.nf_conntrack_max rather than relying on the formula.)

For hashsize the default relationship is:

conntrack_max = hashsize * 8

That is, each bucket's linked list holds 8 conntrack entries on average, so:

hashsize = conntrack_max / 8 = RAMSIZE (in bytes) / 131072 / (ARCH / 32)

For example, the same 64-bit 48 GB machine gets 48 * 1024^3 / 131072 / 2 = 196608 buckets (linked lists), and the same cap applies: systems with more than 1 GB of memory get a default hashsize of 8192.

Raise the two together. A larger conntrack_max on its own lengthens every bucket's list and slows each lookup, and a table that is too small is the easier denial of service: a source that can open many flows, or spoof many addresses for UDP, fills it, and the packets dropped afterwards belong to legitimate sessions as much as to the flood.

You can change the running system's conntrack_max and hashsize directly with echo. nf_conntrack_max is writable through sysctl; on the older kernels the post targets nf_conntrack_buckets is read-only and the bucket count is set through the module parameter instead (newer kernels also accept a write to nf_conntrack_buckets in the initial network namespace):

$ sudo sh -c "echo 100000 > /proc/sys/net/netfilter/nf_conntrack_max"

$ sudo sh -c "echo 50000 > /sys/module/nf_conntrack/parameters/hashsize"

Neither write survives a reboot: put net.netfilter.nf_conntrack_max in /etc/sysctl.conf and the bucket count in a modprobe options line (options nf_conntrack hashsize=50000) to make them permanent.

You can also shorten the timeouts. The established-TCP timeout defaults to 432000 seconds (5 days), and the ip_conntrack_* names under /proc/sys/net/ipv4/netfilter/ are aliases for the nf_conntrack_* ones:

$ sudo sh -c "echo 600 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established"

An idle connection that outlives the timeout loses its entry, and its next packet no longer matches ESTABLISHED, so keep the value longer than the longest idle period your applications tolerate.
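As an added example (not from the original post), the following script applies the two sizing formulas above to a given memory size and architecture and reports how full the live table is. It reads /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max when they exist and otherwise falls back to constructed sample values; the 80 percent warning threshold is the example's own choice.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the post's sizing
# formulas and check how full the conntrack table is.
#
#   conntrack_max = RAM_bytes / 16384 / (ARCH/32)
#   hashsize      = conntrack_max / 8
#
# RAM is taken in GiB so the arithmetic stays small: 1 GiB / 16384 = 65536.

# conntrack_max_for <ram_gib> <arch_bits>  -> entries the formula allows
conntrack_max_for() {
    ram_gib=$1
    arch=$2
    echo $(( ram_gib * 65536 / (arch / 32) ))
}

# hashsize_for <ram_gib> <arch_bits>  -> buckets, 8 entries per bucket
hashsize_for() {
    echo $(( $(conntrack_max_for "$1" "$2") / 8 ))
}

# usage_percent <count> <max>  -> integer percentage of the table in use
usage_percent() {
    echo $(( $1 * 100 / $2 ))
}

# check_table <count> <max> [warn_percent]
# Prints OK or WARN; returns 0 below the threshold (default 80, an
# assumption of this example), 1 at or above it.
check_table() {
    pct=$(usage_percent "$1" "$2")
    warn=${3:-80}
    if [ "$pct" -ge "$warn" ]; then
        echo "WARN: conntrack table ${pct}% full ($1/$2), expect 'nf_conntrack: table full, dropping packet'"
        return 1
    fi
    echo "OK: conntrack table ${pct}% full ($1/$2)"
    return 0
}

# Live check when the sysctl files exist (Linux with nf_conntrack loaded);
# otherwise fall back to constructed sample values.
sysctl_dir=/proc/sys/net/netfilter
if [ -r "$sysctl_dir/nf_conntrack_count" ] && [ -r "$sysctl_dir/nf_conntrack_max" ]; then
    check_table "$(cat "$sysctl_dir/nf_conntrack_count")" "$(cat "$sysctl_dir/nf_conntrack_max")" || true
else
    check_table 38358 65536 || true    # constructed sample: 58% full
fi

echo "48 GiB x86_64 -> conntrack_max=$(conntrack_max_for 48 64) hashsize=$(hashsize_for 48 64)"
```

Run from cron or a monitoring agent, the non-zero return of check_table is the early warning; the kernel message itself only appears once packets are already being dropped.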

3. Use the raw table to skip connection tracking

The raw table in iptables is consulted before connection tracking runs. It is used to mark packets that should not be tracked, with the NOTRACK target: a packet that hits -j NOTRACK never gets a conntrack entry. The raw table is evaluated before mangle, nat and filter, and it has only two chains, PREROUTING for packets arriving from the network and OUTPUT for packets generated locally.

Running iptables -t raw loads the iptable_raw module automatically (it must exist). The raw table is absent from 2.4 and early 2.6 kernels unless patched, but any current system should support it:

$ sudo iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT

$ sudo iptables -t raw -A PREROUTING -p tcp -m multiport --dport 80,81,82 -j NOTRACK

$ sudo iptables -t raw -A PREROUTING -p tcp -m multiport --sport 80,81,82 -j NOTRACK

Two things follow from untracking. Untracked packets never match ESTABLISHED or RELATED, so the filter rules need an explicit accept for state UNTRACKED (the first command above does this for forwarded traffic; a host firewall needs the same in INPUT and OUTPUT, placed before any rule that would drop the packet). And NAT depends on conntrack, so traffic that passes NOTRACK cannot be NATed. Note also that the two PREROUTING rules only cover packets arriving from the network: replies that this host itself generates on ports 80-82 pass through the raw OUTPUT chain and are still tracked unless a matching rule is added there.
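As an added example (not from the original post), the following script generates an iptables-restore fragment that applies NOTRACK to a list of TCP ports in both raw chains and accepts the resulting UNTRACKED packets in INPUT, FORWARD and OUTPUT. It assumes a kernel with iptable_raw and the NOTRACK target; the port list and the decision to untrack in both directions are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: emit an iptables-restore
# fragment that untracks a set of TCP ports and admits the untracked
# packets through the filter table.
# Assumptions: kernel with iptable_raw and the NOTRACK target; rules go in
# both raw chains so that inbound packets (PREROUTING) and locally generated
# replies (OUTPUT) are untracked alike. Load with --noflush so existing
# rules are kept; the fragment declares no chain policies for that reason.

# notrack_rules <port> [port ...]  -> ruleset on stdout
notrack_rules() {
    [ $# -gt 0 ] || { echo "usage: notrack_rules port [port ...]" >&2; return 2; }
    ports=$(printf '%s,' "$@")
    ports=${ports%,}                        # e.g. "80,81,82"

    cat <<EOF
*raw
-A PREROUTING -p tcp -m multiport --dports $ports -j NOTRACK
-A PREROUTING -p tcp -m multiport --sports $ports -j NOTRACK
-A OUTPUT -p tcp -m multiport --dports $ports -j NOTRACK
-A OUTPUT -p tcp -m multiport --sports $ports -j NOTRACK
COMMIT
*filter
-I INPUT 1 -m state --state UNTRACKED -j ACCEPT
-I FORWARD 1 -m state --state UNTRACKED -j ACCEPT
-I OUTPUT 1 -m state --state UNTRACKED -j ACCEPT
COMMIT
EOF
}

# count_notrack <port> [port ...] -> number of NOTRACK rules generated
count_notrack() {
    notrack_rules "$@" | grep -c -- '-j NOTRACK'
}

# Review the output first; apply as root with:
#   notrack_rules 80 81 82 | iptables-restore --noflush
# The UNTRACKED accepts are inserted at position 1 because untracked
# packets never match an ESTABLISHED,RELATED rule and would otherwise fall
# through to a DROP policy.
notrack_rules 80 81 82
```

Inserting the UNTRACKED accepts at the top is deliberate but broad: it admits any untracked packet regardless of port, so on a host with a default DROP policy narrow those three rules with -p tcp and the same port list if the remaining filter rules are meant to keep applying to everything else.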

Of the three methods, 1 and 3 stop the table from filling at all, because untracked traffic never enters it; method 2 raises the ceiling and is the one to use when connection tracking has to stay on for NAT or stateful filtering.

Original:

http://jaseywang.me/2012/08/16/%E8%A7%A3%E5%86%B3-nf_conntrack-table-full-dropping-packet-%E7%9A%84%E5%87%A0%E7%A7%8D%E6%80%9D%E8%B7%AF/

Linux source (nf_conntrack_core.c):

http://www.oschina.net/code/explore/pf-kernel/net/netfilter/nf_conntrack_core.c

References:

http://www.digipedia.pl/usenet/thread/16263/7806/

http://serverfault.com/questions/72366/how-do-i-disable-the-nf-conntrack-kernel-module-in-centos-5-3-without-recompilin

http://wiki.khnet.info/index.php/Conntrack_tuning
