Or you can update your /etc/sysctl.conf file so the change is permanent.

----- Original Message -----
From: "Sven 'Darkman' Michels" <sven@darkman.de>
To: <suse-security@suse.com>
Sent: Wednesday, March 09, 2005 4:03 AM
Subject: Re: [suse-security] still have problems with "kernel: ip_conntrack: table full, dropping packet."
Hi there,
Ralf Ronneburger wrote:
| Do you have an ftp-server behind the box? What I found out for SuSE 9.0
| is, that ftp-connections through the firewall boost up the
| connection-usage. Besides you can find out, how close you are to the
| "kernel: ip_conntrack: table full, dropping packet." messages, when you
| check the following:
|
| linux:~ # cat /proc/slabinfo | grep ip_conntrack
| ip_conntrack 32566 32772 320 2729 2731 1
| linux:~ # cat /proc/sys/net/ipv4/ip_conntrack_max
| 32760
|
| Once the number of currently active objects (in this case 32566)
| gets up to the number configured in ip_conntrack_max, then you'll get
| the "dropping packet"-message in /var/log/messages and then afaik all
| you can do is reboot.
Nope, you can raise the number of possible conntrack entries. It depends on how much RAM your box has, but usually doubling the value is no problem. Simply do:

    echo 65520 > /proc/sys/net/ipv4/ip_conntrack_max

(or if unsure about RAM usage, make it just 1.5 or so)
This fixes this issue temporarily, because after reboot the default value depending on your system memory is calculated and used. So after reboot you need to do the echo again.
Regards,
Sven
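Added example, not part of the original thread: a small shell check built on the two files Ralf reads above, reporting how close the ip_conntrack table is to ip_conntrack_max. The 80% warning threshold, the function names and the ip_conntrack_expect sample line are assumptions made for the example.

```shell
#!/bin/sh
# Paths are arguments so the check also runs against saved copies of the files.

# Print the active-object count (2nd column) of the ip_conntrack slab line.
# The name is matched exactly, so other slabs whose names merely start with
# ip_conntrack are ignored (a plain grep would print them as well).
conntrack_active() {
    awk '$1 == "ip_conntrack" { print $2; found = 1; exit }
         END { if (!found) exit 1 }' "$1"
}

# Print "active max percent"; return 2 if a value is missing or not a number.
conntrack_usage() {
    active=$(conntrack_active "$1") || return 2
    max=$(cat "$2" 2>/dev/null) || return 2
    for n in "$active" "$max"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$max" -gt 0 ] || return 2
    echo "$active $max $(( $active * 100 / $max ))"
}

# Return 0 below THRESHOLD percent (assumed default: 80), 1 at or above,
# 2 on error.
conntrack_check() {
    threshold=${3:-80}
    usage=$(conntrack_usage "$1" "$2") || return 2
    pct=${usage##* }
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: ip_conntrack table ${pct}% full (active max pct: $usage)"
        return 1
    fi
    echo "OK: ip_conntrack table ${pct}% full"
}

# Sample input: the figures quoted in the thread, plus one constructed line
# for a second slab name. On a live box pass /proc/slabinfo and
# /proc/sys/net/ipv4/ip_conntrack_max instead.
sample=$(mktemp -d)
printf '%s\n' 'ip_conntrack_expect 0 0 128 0 0 1' \
    'ip_conntrack 32566 32772 320 2729 2731 1' > "$sample/slabinfo"
echo 32760 > "$sample/ip_conntrack_max"
conntrack_check "$sample/slabinfo" "$sample/ip_conntrack_max" || :

# Persisting the raised limit, as the reply at the top suggests: the /proc path
# maps to this /etc/sysctl.conf line (value taken from the thread):
#   net.ipv4.ip_conntrack_max = 65520
```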