nf_conntrack: table full, dropping packet.

Hank A. Paulson
nf_conntrack: table full, dropping packet.
September 03, 2009 07:10PM
Does anyone know how to get rid of/turn off/kill/remove/exorcise netfilter
and/or conntrack?
I don't use iptables and it seems to cause a lot of overhead.

Does it require a custom compiled kernel?
I am using CentOS and Fedora standard precompiled kernels right now.

Thank you for any help in this frustrating matter.

# lsmod | grep -i ip
ipv6 290320 20

sysctl -a | grep -i netfilter
net.netfilter.nf_conntrack_generic_timeout = 12
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 12
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 12
net.netfilter.nf_conntrack_tcp_timeout_established = 2000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 12
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 12
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 12
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_close = 8
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 30
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 30
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_udp_timeout = 12
net.netfilter.nf_conntrack_udp_timeout_stream = 18
net.netfilter.nf_conntrack_icmp_timeout = 8
net.netfilter.nf_conntrack_acct = 1
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_count = 7645
net.netfilter.nf_conntrack_buckets = 16384
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_expect_max = 256
John Lauro
RE: nf_conntrack: table full, dropping packet.
September 03, 2009 07:20PM
service iptables stop
should take care of it in CentOS.


Although your lsmod doesn't make sense. It should be showing ip_conntrack
and ip_tables and iptable_filter with a standard CentOS and iptables. Even
dm_multipath and others that you are not interested in would be expected...



> -----Original Message-----
> From: Hank A. Paulson [mailto:[email protected]]
> Sent: Thursday, September 03, 2009 1:02 PM
> To: HAproxy Mailing Lists
> Subject: nf_conntrack: table full, dropping packet.
Hank A. Paulson
Re: nf_conntrack: table full, dropping packet.
September 03, 2009 08:20PM
# lsmod
Module Size Used by
xen_netfront 19808 0
pcspkr 2848 0
xen_blkfront 12404 2

# cat /proc/net/nf_conntrack | wc -l
50916

# service iptables stop
(it was never started)

# cat /proc/net/nf_conntrack | wc -l
65358

This is Fedora, sorry, not CentOS.

The only other thing running is keepalived to manage the IP address for haproxy.

John Lauro
RE: nf_conntrack: table full, dropping packet.
September 03, 2009 09:10PM
I haven't used Fedora much recently. Looks like it's compiled into the kernel
instead of as a module with Fedora, so I think you would have to do a custom
kernel to disable the connection tracking (or switch distros).

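As an added example (not from the thread or from HAProxy), a small POSIX shell check of how close the conntrack table is to the limit the kernel logs about, built on the two sysctl counters shown in the poster's output; the counter directory argument, the 80% threshold and the 65536 sample value are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report how full the nf_conntrack table is.
# The kernel logs "nf_conntrack: table full, dropping packet" once
# nf_conntrack_count reaches nf_conntrack_max, so the useful early warning is
# the ratio of the two counters that appear in the poster's sysctl output.
# $1 is the directory holding the counters (default /proc/sys/net/netfilter);
# passing another directory lets the check run on captured values.

conntrack_usage_pct() {
    dir="${1:-/proc/sys/net/netfilter}"
    count=$(cat "$dir/nf_conntrack_count" 2>/dev/null) || return 2
    max=$(cat "$dir/nf_conntrack_max" 2>/dev/null) || return 2
    [ "$max" -gt 0 ] 2>/dev/null || return 2
    # Integer percentage of the table in use, rounded down.
    echo $(( count * 100 / max ))
}

conntrack_check() {
    # $1 = counter directory, $2 = warning threshold in percent (assumed 80).
    # Returns 0 below the threshold, 1 at or above it, 2 if unreadable, so the
    # function can be wired into a monitoring agent as-is. When it warns, the
    # usual responses are raising nf_conntrack_max or shortening the timeouts.
    pct=$(conntrack_usage_pct "$1") || {
        echo "UNKNOWN nf_conntrack counters not readable" >&2
        return 2
    }
    if [ "$pct" -ge "${2:-80}" ]; then
        echo "WARN nf_conntrack table ${pct}% full"
        return 1
    fi
    echo "OK nf_conntrack table ${pct}% full"
}

# Demo on constructed values so the script runs offline: 65358 tracked
# connections (the poster's second /proc/net/nf_conntrack line count) against
# an assumed 65536-entry table. On a live host call conntrack_check with no
# directory argument to read the real counters.
demo=$(mktemp -d)
echo 65358 > "$demo/nf_conntrack_count"
echo 65536 > "$demo/nf_conntrack_max"
conntrack_check "$demo" 80 || true   # prints: WARN nf_conntrack table 99% full
rm -rf "$demo"
```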