Thursday, December 2, 2010

Linux and nf_conntrack.

When you see kernel messages like this:


Dec  2 13:12:28 VivaLAN kernel: [8768983.190310] nf_conntrack: table full, dropping packet.
Dec  2 13:14:32 VivaLAN kernel: [8769110.070735] nf_conntrack: table full, dropping packet.
Dec  2 13:14:32 VivaLAN kernel: [8769110.082320] nf_conntrack: table full, dropping packet.
Dec  2 13:14:32 VivaLAN kernel: [8769110.082320] nf_conntrack: table full, dropping packet.
Dec  2 13:14:32 VivaLAN kernel: [8769110.086320] nf_conntrack: table full, dropping packet.
Dec  2 13:14:32 VivaLAN kernel: [8769110.089848] nf_conntrack: table full, dropping packet.
Dec  2 13:14:32 VivaLAN kernel: [8769110.094892] nf_conntrack: table full, dropping packet.
Dec  2 13:14:32 VivaLAN kernel: [8769110.099703] nf_conntrack: table full, dropping packet.
Dec  2 13:14:32 VivaLAN kernel: [8769110.119987] nf_conntrack: table full, dropping packet.
Dec  2 13:14:32 VivaLAN kernel: [8769110.127979] nf_conntrack: table full, dropping packet.
Dec  2 13:14:32 VivaLAN kernel: [8769110.138279] nf_conntrack: table full, dropping packet.












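you can disable connection tracking entirely (untracked packets no longer match stateful rules such as ESTABLISHED,RELATED, and NAT does not apply to them):
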
iptables -t raw -I OUTPUT -j NOTRACK
iptables -t raw -I PREROUTING -j NOTRACK

Alternatively, if you do not want to disable conntrack completely, you can raise the maximum number of tracked connections:
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65432
#
# echo "130864" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
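
Before raising the limit it helps to know how full the table is and how bursty the drops are. The script below is an added example, not part of the original post: it counts "table full" messages per minute and reports table usage. The function names, the 80% threshold, the `*_conntrack_count` sysctl files and the sample log lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Sample log lines are constructed.

# Integer percentage of the conntrack table in use: count * 100 / max.
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || { echo "invalid max: $2" >&2; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# Print "WARN <pct>%" at or above the threshold (default 80), else "OK <pct>%".
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2") || return 1
    if [ "$pct" -ge "${3:-80}" ]; then echo "WARN ${pct}%"; else echo "OK ${pct}%"; fi
}

# Read syslog lines on stdin; print "<drops> <Mon> <day> <HH:MM>" per minute.
drops_per_minute() {
    awk '/nf_conntrack: table full, dropping packet/ {
             key = $1 " " $2 " " substr($3, 1, 5)
             if (!(key in n)) order[++k] = key
             n[key]++
         }
         END { for (i = 1; i <= k; i++) print n[order[i]], order[i] }'
}

# Constructed sample input ("examplehost" is a placeholder hostname).
sample_log() {
    cat <<'EOF'
Dec  2 13:12:28 examplehost kernel: [100.190310] nf_conntrack: table full, dropping packet.
Dec  2 13:13:01 examplehost kernel: [133.000000] eth0: link up
Dec  2 13:14:32 examplehost kernel: [224.070735] nf_conntrack: table full, dropping packet.
Dec  2 13:14:32 examplehost kernel: [224.082320] nf_conntrack: table full, dropping packet.
Dec  2 13:14:33 examplehost kernel: [225.086320] nf_conntrack: table full, dropping packet.
EOF
}

# Live check: try the current sysctl names, then the legacy ones the post uses.
conntrack_live_status() {
    for p in /proc/sys/net/netfilter/nf /proc/sys/net/ipv4/netfilter/ip; do
        if [ -r "${p}_conntrack_count" ] && [ -r "${p}_conntrack_max" ]; then
            conntrack_status "$(cat "${p}_conntrack_count")" "$(cat "${p}_conntrack_max")" "$1"
            return
        fi
    done
    echo "conntrack sysctls not present (module not loaded?)"
}

sample_log | drops_per_minute      # drop bursts per minute in the sample
conntrack_live_status 80 || true   # current table usage on this host
```

To run it against a real log, pipe the file into `drops_per_minute` instead of `sample_log`.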

