Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] still have problems with "kernel: ip_conntrack: table full, dropping packet."
  • From: Sven 'Darkman' Michels <sven@xxxxxxxxxx>
  • Date: Wed, 09 Mar 2005 11:03:48 +0100
  • Message-id: <422ECA04.2020806@xxxxxxxxxx>

Hi there,

Ralf Ronneburger wrote:

| do you have an ftp-server behind the box? What I found out for SuSE 9.0
| is, that ftp-connections through the firewall boost up the
| connection-usage. Besides you can find out, how close you are to the
| "kernel: ip_conntrack: table full, dropping packet." messages, when you
| check the following:
|
| linux:~ # cat /proc/slabinfo | grep ip_conntrack
| ip_conntrack 32566 32772 320 2729 2731 1
| linux:~ # cat /proc/sys/net/ipv4/ip_conntrack_max
| 32760
|
| Once the number of currently active objects (in this case 32566)
| gets up to the number configured in ip_conntrack_max, then you'll get
| the "dropping packet"-message in /var/log/messages and then afaik all
| you can do is reboot.

nope, you can raise the number of possible conntrack entries. It depends
on how much RAM your box has, but usually doubling the value is no
problem. Simply do:
echo 65520 > /proc/sys/net/ipv4/ip_conntrack_max
(or if unsure about ram usage, make it just 1.5 or so)

This fixes this issue temporarily, because after reboot the default value
depending on your system memory is calculated and used. So after reboot
you need to do the echo again.

Regards,
Sven
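
Added example (not part of either mail): a headroom check built on the two files quoted in the thread, so the table filling up is noticed before packets are dropped. The function names, the 80% threshold and the sample files are assumptions; the sample values are the ones from the quoted output plus one constructed extra slab line.

```shell
#!/bin/sh
# Added example. Default paths are the ones quoted in the thread.

# Active objects = 2nd field of the slab line named exactly "ip_conntrack"
# (a plain grep would also match any other slab whose name contains that string).
conntrack_active() {
    awk '$1 == "ip_conntrack" { print $2; hit = 1; exit }
         END { if (!hit) exit 1 }' "$1"
}

# Integer percentage of the table in use: active * 100 / max.
conntrack_pct() {
    active=$(conntrack_active "$1") || return 2
    max=$(cat "$2") || return 2
    [ "$max" -gt 0 ] 2>/dev/null || return 2
    echo $(( active * 100 / max ))
}

# Return 0 below the threshold, 1 at or above it, 2 if the inputs are unusable.
# On 1, print the 1.5x raise mentioned in the mail as a command to review.
conntrack_check() {
    slab=${1:-/proc/slabinfo}
    maxf=${2:-/proc/sys/net/ipv4/ip_conntrack_max}
    warn=${3:-80}
    pct=$(conntrack_pct "$slab" "$maxf") ||
        { echo "cannot read conntrack counters" >&2; return 2; }
    [ "$pct" -lt "$warn" ] && { echo "ok: ${pct}% used"; return 0; }
    echo "warn: ${pct}% used; consider: echo $(( $(cat "$maxf") * 3 / 2 )) > $maxf"
    return 1
}

# Constructed sample input so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' 'ip_conntrack_expect 0 0 128 0 0 1' \
              'ip_conntrack 32566 32772 320 2729 2731 1' > "$SAMPLE_DIR/slabinfo"
echo 32760 > "$SAMPLE_DIR/ip_conntrack_max"

conntrack_check "$SAMPLE_DIR/slabinfo" "$SAMPLE_DIR/ip_conntrack_max" 80 || true
```

Called with no arguments, `conntrack_check` reads the live /proc files, so it can be run from cron and alert on a non-zero exit status.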
