Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] still have problems with "kernel: ip_conntrack: table full, dropping packet."
  • From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
  • Date: Mon, 7 Mar 2005 17:29:30 +0100
  • Message-id: <20050307162930.GA22470@xxxxxxx>
Ludwig Nussel wrote:
> Sandu Mihai wrote:
> > Upgrading to SuSE 9.2 will not solve the problem in any way. I had the
> > same problem, and it was solved by removing the ip_conntrack module from
> > that server.
> > I have tried to bump up the conntrack table size using /etc/sysctl.conf
> > and boot.sysctl, it had no effect whatsoever. The system in question is
> > a SuSE 9.2 Professional with the latest patches applied.
> The problem is in our bug tracking system but it's hard to
> reproduce. Can you please post the content of /proc/net/ip_conntrack
> and /proc/net/ip_conntrack_expect when the problem occurs?

To those seeing the problem on SUSE LINUX 9.2: Can you please try
these settings and see if the problem occurs again?

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
echo 255 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

This will change the way TCP window tracking works and make the
kernel log packets that look suspicious to conntrack.


(o_ Ludwig Nussel
//\ SUSE LINUX Products GmbH, Development
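
Added example, not part of the original message or of any SUSE tooling: a small script that summarises a saved copy of /proc/net/ip_conntrack (the file requested above) by protocol/state and by original source address, to show what is filling the table. The function names and the sample entries are constructed for illustration; the line layout assumed is the usual ip_conntrack one, with the TCP state in the fourth field.

```shell
#!/bin/sh
# Summarise a saved copy of /proc/net/ip_conntrack (path passed as $1).

# conntrack_states FILE -> "COUNT PROTO STATE" lines, most frequent first.
conntrack_states() {
    awk '
        # Only TCP entries carry a state name (field 4); others get "-".
        { state = ($1 == "tcp") ? $4 : "-"; n[$1 " " state]++ }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# conntrack_top_sources FILE [N] -> "COUNT ADDRESS" for the N busiest sources.
conntrack_top_sources() {
    awk '
        {
            # First src= is the original direction; the second one on the
            # line is the expected reply tuple, so stop at the first match.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { n[substr($i, 5)]++; break }
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -k1,1nr -k2 | head -n "${2:-5}"
}

# Constructed sample entries (documentation addresses, not from a real host).
write_sample() {
    cat > "$1" <<'EOF'
tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431200 ESTABLISHED src=192.0.2.10 dst=198.51.100.6 sport=40002 dport=443 src=198.51.100.6 dst=192.0.2.10 sport=443 dport=40002 [ASSURED] use=1
tcp      6 429877 ESTABLISHED src=192.0.2.11 dst=198.51.100.5 sport=40100 dport=80 src=198.51.100.5 dst=192.0.2.11 sport=80 dport=40100 [ASSURED] use=1
tcp      6 97 TIME_WAIT src=192.0.2.10 dst=198.51.100.7 sport=40003 dport=25 src=198.51.100.7 dst=192.0.2.10 sport=25 dport=40003 [ASSURED] use=1
tcp      6 110 SYN_SENT src=192.0.2.12 dst=198.51.100.8 sport=40200 dport=22 [UNREPLIED] src=198.51.100.8 dst=192.0.2.12 sport=22 dport=40200 use=1
udp      17 25 src=192.0.2.11 dst=198.51.100.9 sport=32768 dport=53 [UNREPLIED] src=198.51.100.9 dst=192.0.2.11 sport=53 dport=32768 use=1
EOF
}

# With no argument, run on the constructed sample.
file=${1:-}
if [ -z "$file" ]; then file=$(mktemp); write_sample "$file"; fi
conntrack_states "$file"
conntrack_top_sources "$file" 3
```

A table dominated by ESTABLISHED entries with timeouts near the multi-day default points at connections that conntrack never saw close, which is the case the settings above are meant to help diagnose.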
