Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] still have problems with "kernel: ip_conntrack: table full, dropping packet."
Or you can update your /etc/sysctl.conf file so the change is permanent.
----- Original Message -----
From: "Sven 'Darkman' Michels" <sven@xxxxxxxxxx>
To: <suse-security@xxxxxxxx>
Sent: Wednesday, March 09, 2005 4:03 AM
Subject: Re: [suse-security] still have problems with "kernel: ip_conntrack: table full, dropping packet."



Hi there,

Ralf Ronneburger wrote:

| do you have an ftp-server behind the box? What I found out for SuSE 9.0
| is, that ftp-connections through the firewall boost up the
| connection-usage. Besides you can find out, how close you are to the
| "kernel: ip_conntrack: table full, dropping packet." messages, when you
| check the following:
|
| linux:~ # cat /proc/slabinfo | grep ip_conntrack
| ip_conntrack 32566 32772 320 2729 2731 1
| linux:~ # cat /proc/sys/net/ipv4/ip_conntrack_max
| 32760
|
| Once the number of currently active objects (in this case 32566)
| gets up to the number configured in ip_conntrack_max, then you'll get
| the "dropping packet"-message in /var/log/messages and then afaik all
| you can do is reboot.

nope, you can raise the number of possible conntrack entries. It depends
on how much ram your box has but usually doubling the value is no
problem. Simply do:
echo 65520 > /proc/sys/net/ipv4/ip_conntrack_max
(or if unsure about ram usage, make it just 1.5 or so)

This fixes this issue temporarily cause after reboot the default value
depending on your system memory is calculated and used. So after reboot
you need to do the echo again.

Regards,
Sven
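
The headroom check and the two fixes discussed in this thread (the runtime echo and the /etc/sysctl.conf entry), as an added example that is not part of the original mails. The function names, the 80% warning threshold and the sysctl key (derived from the /proc/sys path above) are assumptions; the sample values are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Sample values are the ones quoted above.

# Print the active-object count (2nd field) of the ip_conntrack slab cache,
# reading /proc/slabinfo-style text on stdin. Exit status 1 if no such line.
active_from_slabinfo() {
    awk '$1 == "ip_conntrack" { print $2; found = 1; exit }
         END { if (!found) exit 1 }'
}

# conntrack_status ACTIVE MAX [WARN_PCT]
# Prints "STATE pct% (active/max)"; returns 0 OK, 1 WARN, 2 FULL, 3 bad input.
conntrack_status() {
    _a=$1 _m=$2 _w=${3:-80}
    for _n in "$_a" "$_m" "$_w"; do
        case $_n in ''|*[!0-9]*) echo "bad input" >&2; return 3 ;; esac
    done
    [ "$_m" -gt 0 ] || { echo "bad input" >&2; return 3; }
    _pct=$(( $_a * 100 / $_m ))
    if [ "$_a" -ge "$_m" ]; then _state=FULL _rc=2
    elif [ "$_pct" -ge "$_w" ]; then _state=WARN _rc=1
    else _state=OK _rc=0
    fi
    echo "$_state ${_pct}% ($_a/$_m)"
    return "$_rc"
}

# raised_max MAX TENTHS: MAX scaled by TENTHS/10 (20 = double, 15 = 1.5x).
raised_max() { echo $(( $1 * $2 / 10 )); }

# Constructed sample input: the slabinfo line and limit quoted in the thread.
sample_slab='ip_conntrack 32566 32772 320 2729 2731 1'
sample_max=32760

active=$(printf '%s\n' "$sample_slab" | active_from_slabinfo)
conntrack_status "$active" "$sample_max" || true    # WARN 99% (32566/32760)
new_max=$(raised_max "$sample_max" 20)
# Runtime change (lost at reboot), then the persistent /etc/sysctl.conf line.
# The sysctl key is assumed from the /proc/sys path used in the thread.
echo "echo $new_max > /proc/sys/net/ipv4/ip_conntrack_max"
echo "net.ipv4.ip_conntrack_max = $new_max"
```

On a live box, pipe /proc/slabinfo into active_from_slabinfo and pass the content of /proc/sys/net/ipv4/ip_conntrack_max as MAX. On current kernels the equivalent files are /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max.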
