From: Patrick McHardy <kaber@trash.net>
To: Afi Gjermund <afigjermund@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: nf_conntrack_count versus '/proc/net/nf_conntrack | wc -l' count
Date: Mon, 15 Feb 2010 18:29:43 +0100 [thread overview]
Message-ID: <4B798487.6040304@trash.net> (raw)
In-Reply-To: <48ceaa831002150927q166b5955gfa0e1e465903d29d@mail.gmail.com>
Afi Gjermund wrote:
> Hi all,
>
> I am running into an odd issue where the kernel begins to drop packets
> because the connection tracking table is full. (I am running
> 2.6.26.5).
>
> A 'cat /proc/sys/net/netfilter/nf_conntrack_count' says 4096. But if
> I do a 'cat /proc/net/nf_conntrack | wc -l' then it says 4.
>
> A tail on /var/log/messages has:
>
> Feb 15 16:45:33 titan user.warn kernel: __ratelimit: 20 messages suppressed
> Feb 15 16:45:33 titan user.warn kernel: nf_conntrack: table full,
> dropping packet.
>
> I have an interface that allows me to do a 'nf_conntrack_flush' in
> kernel, but that seems to only clear the table of
> /proc/net/nf_conntrack and not the count the kernel has.
>
> I need a way to ensure that at say 95% there is a way to clear the
> "actual" table as well as the count...whichever that may be. There
> seems to be a disconnect between the implementation versus my
> understanding of how the system is working. Any help is appreciated.
Conntracks might exist and not be in the global table anymore,
f.i. when referenced by a packet. The difference in your case
seems pretty extreme, so I'd guess that packets are leaked
somewhere.
next prev parent reply other threads:[~2010-02-15 17:29 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-02-15 17:27 nf_conntrack_count versus '/proc/net/nf_conntrack | wc -l' count Afi Gjermund
2010-02-15 17:29 ` Patrick McHardy [this message]
2010-02-15 17:46 ` Jan Engelhardt
2010-02-15 18:04 ` Afi Gjermund
2010-02-15 19:00 ` Jan Engelhardt
2010-02-15 19:30 ` Afi Gjermund
2010-02-15 19:45 ` Afi Gjermund
2010-02-15 20:04 ` Eric Dumazet
2010-02-15 20:33 ` Jan Engelhardt
2010-02-15 21:08 ` Afi Gjermund
2010-02-15 21:52 ` Eric Dumazet
2010-02-15 22:00 ` Afi Gjermund
2010-02-15 22:02 ` Eric Dumazet
2010-02-15 22:10 ` Afi Gjermund
2010-02-18 17:40 ` Afi Gjermund
2010-02-18 17:51 ` Eric Dumazet
2010-02-18 17:55 ` Afi Gjermund
2010-02-18 18:07 ` Eric Dumazet
2010-02-18 18:13 ` Afi Gjermund
2010-02-18 18:19 ` Patrick McHardy
2010-02-18 19:39 ` Afi Gjermund
2010-02-19 0:53 ` Afi Gjermund
2010-02-19 14:12 ` Eric Dumazet
2010-02-19 14:29 ` Patrick McHardy
2010-02-18 18:12 ` Douglas Diniz
2010-02-18 18:22 ` Patrick McHardy
2010-02-18 18:35 ` Douglas Diniz
2010-02-15 21:17 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B798487.6040304@trash.net \
--to=kaber@trash.net \
--cc=afigjermund@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.