From mboxrd@z Thu Jan 1 00:00:00 1970
From: Christian Hammers
Subject: filtering asym. routing without "ip_conntrack: table full"?
Date: Tue, 14 Jan 2003 10:37:11 +0100
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <20030114093711.GC9940@westend.com>
To: netfilter@lists.netfilter.org

Hello

I have a border router that does dynamic and asymmetric routing. Now, after
upgrading from 2.4.19 to 2.4.20 yesterday I got the following message in my
syslog twice this night:

  kernel: ip_conntrack: table full, dropping packet.

The /proc/net/ip_conntrack table has 36911 entries, mostly all [UNREPLIED].

I'm now wondering why ip_conntrack comes into play at all - I thought I was
using it only for my INPUT table, but the connections in /proc/net/ip_conntrack
are definitely ones that are going from one ethX to another ethX, getting
filtered only in FORWARD and only by source and destination IP.

/proc/sys/net/ipv4/ip_conntrack_max was at 32767 and has now temporarily been
raised to 65520, although I don't want to have conntrack for forwarding at all.

Oh, it's grown to 36911 while typing, so I'd be happy about answers :)

bye,
-christian-

# free
             total       used       free     shared    buffers     cached
Mem:        516548     274016     242532          0      12500     128248
-/+ buffers/cache:     133268     383280

# lsmod
Module                  Size  Used by    Not tainted
ipt_state                608   1  (autoclean)
ipt_LOG                 3200   2  (autoclean)
ip_nat_ftp              3424   0  (unused)
iptable_nat            19348   1  [ip_nat_ftp]
ip_conntrack_ftp        4096   1  [ip_nat_ftp]
iptable_filter          1760   1  (autoclean)
ip_tables              13184   6  [ipt_state ipt_LOG iptable_nat iptable_filter]
dummy                   1088   1
eepro100               18444   3
mii                     2320   0  [eepro100]
rtc                     6012   0  (autoclean)
unix                   13892  16  (autoclean)

relevant Kernel config:

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_NETLINK_DEV=m
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_FILTER=y
CONFIG_UNIX=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
# CONFIG_IP_ROUTE_NAT is not set
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_ARPD=y
# CONFIG_INET_ECN is not set
CONFIG_SYN_COOKIES=y

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
# CONFIG_IP_NF_MATCH_AH_ESP is not set
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
# CONFIG_IP_NF_NAT_LOCAL is not set
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_DSCP is not set
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ULOG is not set
CONFIG_IP_NF_TARGET_TCPMSS=m
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IPV6 is not set
# CONFIG_KHTTPD is not set
# CONFIG_ATM is not set
# CONFIG_VLAN_8021Q is not set

#
#
#
# CONFIG_IPX is not set
# CONFIG_ATALK is not set

#
# Appletalk devices
#
# CONFIG_DEV_APPLETALK is not set
# CONFIG_DECNET is not set
# CONFIG_BRIDGE is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_LLC is not set
# CONFIG_NET_DIVERT is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_NET_FASTROUTE is not set
# CONFIG_NET_HW_FLOWCONTROL is not set

#
# QoS and/or fair queueing
#
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CBQ=m
CONFIG_NET_SCH_HTB=m
CONFIG_NET_SCH_CSZ=m
CONFIG_NET_SCH_PRIO=m
CONFIG_NET_SCH_RED=m
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_SCH_TEQL=m
CONFIG_NET_SCH_TBF=m
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_NET_SCH_INGRESS=m
CONFIG_NET_QOS=y
CONFIG_NET_ESTIMATOR=y
CONFIG_NET_CLS=y
CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_CLS_POLICE=y

#
# Network testing
#
CONFIG_NET_PKTGEN=m

-- 
Christian Hammers    WESTEND GmbH  |  Internet-Business-Provider
                     Technik       CISCO Systems Partner - Authorized Reseller
Lütticher Strasse 10 Tel 0241/701333-11
D-52064 Aachen       Fax 0241/911879
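A diagnostic for the situation described in the post, added here as an example and not code from the original message or the netfilter project: it parses the 2.4-style /proc/net/ip_conntrack layout, counts [UNREPLIED] against [ASSURED] entries, reports how close the table is to ip_conntrack_max, and flags a table dominated by unreplied entries. The sample lines are constructed (RFC 5737 test addresses); the function names are the example's own. The point it illustrates: once ip_conntrack is present (here compiled in with CONFIG_IP_NF_CONNTRACK=y, and additionally required by the loaded iptable_nat module), every packet the box sees gets an entry, not only packets that reach a `-m state` rule, so forwarded flows whose replies take a different path stay [UNREPLIED] until their timeout expires and occupy table slots in the meantime.

```python
#!/usr/bin/env python3
"""Summarise a 2.4-era /proc/net/ip_conntrack dump: total entries, share of
[UNREPLIED] entries, fill level against ip_conntrack_max.

Added example; the sample data below is constructed and not from the post."""
import sys
from collections import Counter

# Constructed sample in the 2.4 layout: protocol name, protocol number,
# remaining timeout, (tcp state only for tcp), original tuple, optional
# [UNREPLIED], reply tuple, optional [ASSURED], use count.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=34567 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=34567 [ASSURED] use=1
tcp      6 118 SYN_SENT src=192.0.2.11 dst=198.51.100.6 sport=40001 dport=443 [UNREPLIED] src=198.51.100.6 dst=192.0.2.11 sport=443 dport=40001 use=1
tcp      6 119 SYN_SENT src=192.0.2.12 dst=198.51.100.7 sport=40002 dport=443 [UNREPLIED] src=198.51.100.7 dst=192.0.2.12 sport=443 dport=40002 use=1
udp      17 29 src=192.0.2.13 dst=198.51.100.8 sport=5060 dport=53 [UNREPLIED] src=198.51.100.8 dst=192.0.2.13 sport=53 dport=5060 use=1
icmp     1 29 src=192.0.2.14 dst=198.51.100.9 type=8 code=0 id=512 [UNREPLIED] src=198.51.100.9 dst=192.0.2.14 type=0 code=0 id=512 use=1
"""


def parse_entry(line):
    """Parse one ip_conntrack line into a dict.  The first src=/dst= pair is
    the original direction (the packet that created the entry); the second
    pair is the expected reply, which is what stays unseen with asymmetric
    routing."""
    tok = line.split()
    proto = tok[0]
    state = tok[3] if proto == "tcp" else None        # only tcp has a state column
    kv = [t.split("=", 1) for t in tok if "=" in t]
    srcs = [v for k, v in kv if k == "src"]
    dsts = [v for k, v in kv if k == "dst"]
    return {
        "proto": proto,
        "timeout": int(tok[2]),
        "state": state,
        "orig_src": srcs[0],
        "orig_dst": dsts[0],
        "unreplied": "[UNREPLIED]" in tok,              # reply direction never seen
        "assured": "[ASSURED]" in tok,                  # traffic seen both ways
    }


def summarize(text, conntrack_max):
    """Aggregate a whole dump; conntrack_max is the value of
    /proc/sys/net/ipv4/ip_conntrack_max."""
    entries = [parse_entry(l) for l in text.splitlines() if l.strip()]
    unreplied = [e for e in entries if e["unreplied"]]
    return {
        "total": len(entries),
        "unreplied": len(unreplied),
        "assured": sum(1 for e in entries if e["assured"]),
        "fill": len(entries) / conntrack_max,
        "unreplied_by_proto": Counter(e["proto"] for e in unreplied),
        # destinations that attract the most one-way entries
        "unreplied_top_dst": Counter(e["orig_dst"] for e in unreplied).most_common(3),
    }


def looks_asymmetric(summary, min_unreplied_share=0.5):
    """True when most of the table is [UNREPLIED].  That pattern means the
    return packets do not pass this box (asymmetric routing) or never come
    back at all; either way the entries hold a slot until their timeout."""
    if summary["total"] == 0:
        return False
    return summary["unreplied"] / summary["total"] >= min_unreplied_share


def main(argv):
    # Usage: conntrack_summary.py [/proc/net/ip_conntrack [ip_conntrack_max]]
    if len(argv) > 1:
        text = open(argv[1]).read()
        cmax = int(argv[2]) if len(argv) > 2 else int(
            open("/proc/sys/net/ipv4/ip_conntrack_max").read())
    else:
        text, cmax = SAMPLE, 32767                       # offline demo on the sample
    s = summarize(text, cmax)
    print("entries: %d / %d (%.1f%% full)" % (s["total"], cmax, 100 * s["fill"]))
    print("unreplied: %d  assured: %d" % (s["unreplied"], s["assured"]))
    print("unreplied by proto:", dict(s["unreplied_by_proto"]))
    print("top unreplied destinations:", s["unreplied_top_dst"])
    if looks_asymmetric(s):
        print("table is dominated by one-way entries: replies are not "
              "crossing this box (asymmetric path) or are not coming back")


if __name__ == "__main__":
    main(sys.argv)
```

On the router itself it would be run as `python3 conntrack_summary.py /proc/net/ip_conntrack`; the per-protocol and per-destination breakdown of unreplied entries is what separates a routing-path problem (spread across many ordinary destinations and ports, balanced between protocols) from a scan or flood (concentrated on a few destinations or one port).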