On Thursday 29 January 2004 08:55, Radu Voicu wrote:

Yes, you should :)

Did you compiled ip_conntrack onto the kernel??? (NOT as module, but BUILT-IN)?!??! If yes, recompile your kernel with ip_conntrack as module, NOW!!!! :))))

Rikard Johnels wrote:

...

Hi!

Found this in my /var/log/messages:

Jan 25 00:03:07 wall kernel: ip_conntrack: table full, dropping packet.

Shall i be concerned??

It IS as a module: wall:~ # lsmod Module Size Used by nfs 124672 1 (autoclean) lockd 71712 1 (autoclean) [nfs] sunrpc 88016 1 (autoclean) [nfs lockd] iptable_filter 2304 1 (autoclean) ip_conntrack_irc 3840 0 (unused) ip_nat_irc 3744 0 (unused) ipt_MASQUERADE 2000 2 iptable_nat 21472 2 [ip_nat_irc ipt_MASQUERADE] ip_conntrack 20848 2 [ip_conntrack_irc ip_nat_irc ipt_MASQUERADE iptable_nat] ip_tables 17152 5 [iptable_filter ipt_MASQUERADE iptable_nat] Still.. WHAT is happening?? According to my logs it happens once in a while... Oct 2; ip_commtrack (256 buckets, 2048 max) Nov 17; Table full Nov 28; Table full Nov 28; 256 bucket.. Jan 25; Table full What dangers are there?? How do i fix it?? Linux wall 2.4.19 alpha unknown iptables v1.2 -- /Rikard ------------------------------------------------------------------------------------ Rikard Johnels email : rikjoh@norweb.se Web : http://www.rikjoh.com Mob : +46 (0)735 05 51 01 ------------------------ Public PGP fingerprint ---------------------------- < 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >

On Thursday 29 January 2004 21:52, Radu Voicu wrote:

please read this:

http://lists.debian.org/debian-firewall/2003/debian-firewall-200303/msg0001 1.html

----- Original Message ----- From: "Rikard Johnels" <rikjoh@norweb.se> To: <suse-linux-e@suse.com> Sent: Thursday, January 29, 2004 10:32 PM Subject: Re: [SLE] kernel: ip_conntrack: table full, dropping packet.

...

On Thursday 29 January 2004 08:55, Radu Voicu wrote:

...

Yes, you should :)

Did you compiled ip_conntrack onto the kernel??? (NOT as module, but BUILT-IN)?!??! If yes, recompile your kernel with ip_conntrack as module, NOW!!!! :))))

Rikard Johnels wrote:

...

Hi!

Found this in my /var/log/messages:

Jan 25 00:03:07 wall kernel: ip_conntrack: table full, dropping packet.

Shall i be concerned??

It IS as a module:

wall:~ # lsmod Module Size Used by nfs 124672 1 (autoclean) lockd 71712 1 (autoclean) [nfs] sunrpc 88016 1 (autoclean) [nfs lockd] iptable_filter 2304 1 (autoclean) ip_conntrack_irc 3840 0 (unused) ip_nat_irc 3744 0 (unused) ipt_MASQUERADE 2000 2 iptable_nat 21472 2 [ip_nat_irc ipt_MASQUERADE] ip_conntrack 20848 2 [ip_conntrack_irc ip_nat_irc

ipt_MASQUERADE

...

iptable_nat] ip_tables 17152 5 [iptable_filter ipt_MASQUERADE

iptable_nat]

...

Still.. WHAT is happening?? According to my logs it happens once in a while...

Oct 2; ip_commtrack (256 buckets, 2048 max) Nov 17; Table full Nov 28; Table full Nov 28; 256 bucket.. Jan 25; Table full

What dangers are there?? How do i fix it??

Linux wall 2.4.19 alpha unknown iptables v1.2

But it still doesnt tell me why. Or how to prevent it. As far as i can see you just prolong the symptom a little if you insert a new number into /proc/sys/net/ipv4/ip_conntrack_max Why does it fill up in the first place.. I dont think i have THAT many connections. /Rikard ------------------------------------------------------------------------------------ Rikard Johnels email : rjhn@linux.nu Web : http://www.rikjoh.com Mob : +46 70 464 99 39 ------------------------ Public PGP fingerprint ---------------------------- < 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >