* linux 2.6.10: ip_conntrack table overflowing
@ 2005-01-04 12:40 Max Kellermann
2005-01-04 13:31 ` KOVACS Krisztian
0 siblings, 1 reply; 3+ messages in thread
From: Max Kellermann @ 2005-01-04 12:40 UTC (permalink / raw)
To: netfilter-devel
Hi,

yesterday, we upgraded four servers from 2.6.9 to 2.6.10. 12 hours
later (last night), all of them stopped responding; the conntrack
tables were full:

 Jan 3 21:03:31 cfapro01 kernel: ip_conntrack: table full, dropping
 packet.

We rebooted, and now there are more than 30000 connections in
/proc/net/ip_conntrack, but netstat only shows 400; example:

 tcp 6 421183 ESTABLISHED src=XXremoteXX dst=YYlocalYY
 sport=29800 dport=80 src=YYlocalYY dst=XXremoteXX sport=80
 dport=29800 [ASSURED] mark=0 use=1

Seems like conntrack hasn't noticed the connection has gone away
already, and will keep these for 5 days (default timeout). We have now
worked around this bug by reducing the timeout to 1 hour; I hope this
keeps the table from filling up until the "real" bug is found and
fixed.

Some information about the hardware:

- compaq, dual xeon p4, serverworks mainboard, 4 GB RAM
- cciss controller
- bcm57xx, intel e100 network adapters

We have KDB enabled on the four machines; they are still up and
running, with these stale connections. If someone needs more
information, let me know.

Regards,
Max Kellermann
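
Added example (not part of the original message or of any netfilter code): the conntrack-versus-netstat comparison described above, done over /proc/net/ip_conntrack lines. The sample lines, addresses and the LIVE_SOCKETS set are constructed, and the idle-time estimate assumes the established timeout is still at the 5-day default the message mentions.

```python
import re

ESTABLISHED_TIMEOUT = 5 * 24 * 3600  # 5 days in seconds, the default named in the report

# Constructed /proc/net/ip_conntrack lines (documentation address ranges).
SAMPLE = """\
tcp 6 421183 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=29800 dport=80 src=192.0.2.10 dst=198.51.100.7 sport=80 dport=29800 [ASSURED] mark=0 use=1
tcp 6 431990 ESTABLISHED src=198.51.100.8 dst=192.0.2.10 sport=40111 dport=80 src=192.0.2.10 dst=198.51.100.8 sport=80 dport=40111 [ASSURED] mark=0 use=1
tcp 6 57 TIME_WAIT src=198.51.100.9 dst=192.0.2.10 sport=51234 dport=80 src=192.0.2.10 dst=198.51.100.9 sport=80 dport=51234 [ASSURED] mark=0 use=1
udp 17 25 src=192.0.2.10 dst=203.0.113.53 sport=33000 dport=53 src=203.0.113.53 dst=192.0.2.10 sport=53 dport=33000 mark=0 use=1
"""

# Constructed stand-in for the sockets netstat still reports:
# (remote address, remote port, local address, local port).
LIVE_SOCKETS = {("198.51.100.8", 40111, "192.0.2.10", 80)}


def parse_entry(line):
    """Parse one tcp/udp conntrack line into protocol, timer, state and original tuple."""
    fields = line.split()
    proto, remaining = fields[0], int(fields[2])
    # TCP entries carry a state name in the fourth column; UDP entries do not.
    state = fields[3] if proto == "tcp" else None
    pairs = re.findall(r"(src|dst|sport|dport)=(\S+)", line)
    orig = dict(pairs[:4])  # the first four pairs describe the original direction
    key = (orig["src"], int(orig["sport"]), orig["dst"], int(orig["dport"]))
    return {"proto": proto, "remaining": remaining, "state": state, "tuple": key}


def stale_established(text, live, min_idle=3600):
    """Return (tuple, idle_seconds) for ESTABLISHED entries with no matching socket.

    The timer is reset to the full timeout by every packet, so
    default timeout minus remaining time approximates the idle time.
    """
    stale = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry["state"] != "ESTABLISHED" or entry["tuple"] in live:
            continue
        idle = ESTABLISHED_TIMEOUT - entry["remaining"]
        if idle >= min_idle:
            stale.append((entry["tuple"], idle))
    return stale


if __name__ == "__main__":
    for conn, idle in stale_established(SAMPLE, LIVE_SOCKETS):
        print(conn, "idle for", idle, "seconds, no matching socket")
```
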
* Re: linux 2.6.10: ip_conntrack table overflowing
From: KOVACS Krisztian @ 2005-01-04 13:31 UTC (permalink / raw)
To: Max Kellermann; +Cc: netfilter-devel
Hi,
On Tue, 2005-01-04 at 13:40, Max Kellermann wrote:
> yesterday, we upgraded four servers from 2.6.9 to 2.6.10. 12 hours
> later (last night), all of them stopped responding; the conntrack
> tables were full:
>
> Jan 3 21:03:31 cfapro01 kernel: ip_conntrack: table full, dropping
> packet.
>
> We rebooted, and now there are more than 30000 connections in
> /proc/net/ip_conntrack, but netstat only shows 400; example:
>
> tcp 6 421183 ESTABLISHED src=XXremoteXX dst=YYlocalYY
> sport=29800 dport=80 src=YYlocalYY dst=XXremoteXX sport=80
> dport=29800 [ASSURED] mark=0 use=1
Seems to be the problem already reported and fixed by Martin. Take a
look at
https://lists.netfilter.org/pipermail/netfilter-devel/2004-December/017908.html
for the detailed description and the patch fixing the bug.
--
Regards,
Krisztian Kovacs
* Re: linux 2.6.10: ip_conntrack table overflowing
From: Max Kellermann @ 2005-01-04 14:50 UTC (permalink / raw)
To: KOVACS Krisztian; +Cc: netfilter-devel
On 2005/01/04 14:31, KOVACS Krisztian <hidden@balabit.hu> wrote:
> > later (last night), all of them stopped responding; the conntrack
> > tables were full:
>
> Seems to be the problem already reported and fixed by Martin. Take a
> look at
>
> https://lists.netfilter.org/pipermail/netfilter-devel/2004-December/017908.html
True. That patch solved my problem. Thanks for your help (and Patrick
Schaaf who also sent me this URL). I saw it's already included in
2.6.10-mm1.
Max