From: Pierre Ossman <drzeus@drzeus.cx>
To: netfilter@lists.netfilter.org
Subject: Conntrack full, but not really
Date: Wed, 24 Mar 2004 22:13:37 +0100
Message-ID: <4061FA01.4050604@drzeus.cx>

Hi!

I'm having the standard problem of the connection tracker running out of 
space, but this time with a twist. If I check how many connections it is 
currently tracking it is nowhere near the upper limit. I've searched 
through the archives and haven't found anything like this.

The machine is a P-2 333 MHz with 96 MB of RAM doing nothing but 
routing. It's running Red Hat 9 with kernel 2.4.20-28.9 (although the 
problem exists with other Red Hat kernels). The problem appears after 
about a month of uptime. After that the machine needs to be rebooted to 
recover (flushing out the connection tracker might work as well but that 
doesn't really make the problem less severe).

What happens is that it starts complaining that the connection tracking 
table is full:
"ip_conntrack: table full, dropping packet."
But when I check /proc/net/ip_conntrack there are only about 120 tracked 
connections (out of about 6000). Something really weird is going on.
To make things worse it's not really out of memory. Large portions of 
the memory are occupied by the cache so it could kick stuff out if it 
wants to. If I kill off some processes to get some free memory *and* 
write a new number to ip_max_track (any number whatsoever will suffice) 
the system works again. At least for a while.

I have no idea how to diagnose this thing. I thought the connection 
tracker allocated the memory it needed when it was loaded, not dynamically.

The machine was recently rebooted so there's probably not much I can 
check that can help right now. But please give me some tips on what I 
should check the next time it starts acting up.

Rgds
Pierre Ossman

PS. Please cc me, I'm not a subscriber.


