Resolving "ip_conntrack: table full, dropping packet" errors
2007-01-10 09:38
555 views
When enabled through the use of NAT or other stateful inspection rules, netfilter (iptables) under Linux maintains a list of connections passing through the router. Each connection tracking entry contains defined characteristics of the packet, including the source and destination IP address and port number.
The connection tracking entries are ultimately stored in a hash table with a fixed size. By default on an ImageStream router, the hash table can store 8064 entries. For routers with stateful inspection enabled, the number of connections to track may exceed the total number of connections available in the table. If the router reaches the maximum number of connection tracking entries, it will log an error:
"ip_conntrack: table full, dropping packet"
each time that it is unable to store an entry in the connection tracking table. Each instance of this message represents a connection that the router has discarded, typically meaning that the user whose connection was dropped must re-establish their connection.
The maximum size of the connection tracking table can be increased. The maximum size value is stored in the router's proc filesystem in the file /proc/sys/net/ipv4/ip_conntrack_max. Increasing the maximum size of the connection tracking table to a value larger than the total number of connections will eliminate the error message and prevent the router from dropping connections due to a lack of space in the connection tracking table.
Each connection uses approximately 350 bytes of memory, so 16384 connections would allocate 5.7 MB of RAM. In most cases, the default value is sufficient, but ImageStream recommends that operators encountering the "table full" message increase the value to either 16384 or 32768 entries. The default firewall configuration file (/etc/rc.d/rc.firewall, available from the router's Firewall/QoS menu) contains the command to increase this value:
```sh
###############################################################################
# If you have NAT rules and get a "ip_conntrack: table full, dropping packet."#
# message in your kernel message log (dmesg), increase the maximum number of  #
# connections that can be tracked by uncommenting the line below              #
# Each connection uses ~ 350 bytes of memory. 16384 = 5.7 MB                  #
###############################################################################
#echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max
```
The line is commented out by default, but removing the "#" will result in the router executing the command when loading the firewall rules. The value "16384" can be increased to a larger value if required. ImageStream recommends increasing this value incrementally to conserve memory and to avoid creating an inefficiently large table that remains mostly unused. ImageStream recommends setting a value no higher than 262144. If you set this value and still receive errors, please contact ImageStream support for an evaluation of your firewall
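The following shell script is an added example, not part of the ImageStream rc.firewall file or of this article. It turns the advice above into a repeatable check an operator can run before and after raising the limit: it counts "table full" messages in kernel log text, reports how full the table is, estimates the memory cost of the current and next limit at the article's figure of ~350 bytes per entry, and proposes the next step on the incremental path (16384, then doubling, capped at 262144). The proc paths for the entry count (/proc/sys/net/ipv4/netfilter/ip_conntrack_count) and the sample kernel log lines are assumptions; when the proc files are not readable the script falls back to constructed values so it can be run offline.

```sh
#!/bin/sh
# Added example (not ImageStream's rc.firewall). Reads ip_conntrack_max and the
# live entry count when available, otherwise uses constructed values.

MAX_PATH=/proc/sys/net/ipv4/ip_conntrack_max
COUNT_PATH=/proc/sys/net/ipv4/netfilter/ip_conntrack_count   # assumed path

# Constructed dmesg excerpt standing in for `dmesg` output on a loaded router.
SAMPLE_DMESG='ip_conntrack: table full, dropping packet.
eth0: link up
ip_conntrack: table full, dropping packet.'

# Count "table full" messages in kernel log text read from stdin.
# grep -c exits 1 when there are no matches but still prints 0, so ignore its status.
count_table_full() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Approximate memory for N tracked connections, using the article's ~350 bytes
# per entry, printed in decimal megabytes with one decimal (16384 -> 5.7).
conntrack_mem_mb() {
    awk -v n="$1" 'BEGIN { printf "%.1f", n * 350 / 1000000 }'
}

# Percentage of the table in use: $1 = current entries, $2 = ip_conntrack_max.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Next value on the incremental path recommended above: jump to 16384 first,
# then double, never exceeding the 262144 ceiling.
next_conntrack_max() {
    cur=$1
    next=$(( cur * 2 ))
    if [ "$next" -lt 16384 ]; then
        next=16384
    fi
    if [ "$next" -gt 262144 ]; then
        next=262144
    fi
    echo "$next"
}

main() {
    if [ -r "$MAX_PATH" ] && [ -r "$COUNT_PATH" ]; then
        max=$(cat "$MAX_PATH")
        count=$(cat "$COUNT_PATH")
        drops=$(dmesg 2>/dev/null | count_table_full)
    else
        # Constructed values: a router sitting just under the 8064 default.
        max=8064
        count=7500
        drops=$(printf '%s\n' "$SAMPLE_DMESG" | count_table_full)
    fi

    echo "tracked connections: $count / $max ($(conntrack_usage_pct "$count" "$max")% of table)"
    echo "table full drops seen in kernel log: $drops"
    echo "memory at current limit: ~$(conntrack_mem_mb "$max") MB"

    if [ "$drops" -gt 0 ]; then
        next=$(next_conntrack_max "$max")
        echo "suggested next ip_conntrack_max: $next (~$(conntrack_mem_mb "$next") MB)"
        echo "apply with: echo $next > $MAX_PATH"
    fi
}

main
```

The script only prints the echo command rather than running it, so it can be used as a read-only check; the operator applies the new value in rc.firewall as described above so it survives a reload.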