ip_conntrack: table full, dropping packet.

ip_conntrack: table full, dropping packet.

[Vicky Shrestha]

I have built a firewall on 2.4.8-17 kernel which has 2 Mb of traffic going in 
an out of it. 

I recently added a line :
iptables -A FORWARD -m state --state ESTABLISED,RELATED -J ACCEPT

Now I can see the lines "ip_conntrack : table full, dropping packet" in my 
kern.log.

Does dropping packets means that it is actually dropping the packets or just 
truncating the file /proc/net/ip_conntrack , does this affect my client's  
connections???

-- 
Best regards,


Vicky Shrestha
System Administrator
WorldLink Communications Pvt.Ltd
Jawalakhel, Kathmandu, Nepal.

Re: ip_conntrack: table full, dropping packet.

[Antony Stone]

On Wednesday 30 October 2002 1:43 pm, Vicky Shrestha wrote:

> I have built a firewall on 2.4.8-17 kernel which has 2 Mb of traffic going
> in an out of it.
>
> I recently added a line :
> iptables -A FORWARD -m state --state ESTABLISED,RELATED -J ACCEPT
>
> Now I can see the lines "ip_conntrack : table full, dropping packet" in my
> kern.log.
>
> Does dropping packets means that it is actually dropping the packets or
> just truncating the file /proc/net/ip_conntrack , does this affect my
> client's connections???

It means it really is dropping packets.   You should find out why the 
conntrack table is too small and do something about it.

The two possible reasons are:

1. You have a reasonable sized conntrack table but something is creating 
large numbers of entries (maybe SYN floods or something similar).

2. You have a reasonable number of connections being created through the 
machine, but insufficient memory has been allocated to the conntrack table.

Questions:

1. How much memory do you have in your firewall machine ?

2. What are the results of:
wc -l /proc/net/ip_conntrack
cat /proc/sys/net/ipv4/ip_conntrack_max

Antony.

-- 

Your email has been returned due to insufficient voltage.

Re: ip_conntrack: table full, dropping packet.

[Maciej Soltysiak]

> Now I can see the lines "ip_conntrack : table full, dropping packet" in my
> kern.log.
Yes, but have you read the FAQ ? :) Guess not.
You need to increase the /proc/net/ip_conntrack_max value, according to
the FAQ, it gives some reasonable values depending on the RAM you have.

> Does dropping packets means that it is actually dropping the packets or just
> truncating the file /proc/net/ip_conntrack , does this affect my client's
> connections???
Well, it means that the state mechanism has no space to insert a
conntrack entry, meaning, that the --state ESTABLISHED,RELATED works only
to a limited number of currently tracked connections.

Depending on your setup, it may do different things, but most probably it
does whatever your POLICY instructs them to do. DROP ? Most certainly.

In other words, it means that the --state rule will not match on the
packet. It will not get accepted by this rule.

Regards,
Maciej Soltysiak

Re: ip_conntrack: table full, dropping packet.

[Vicky Shrestha]

Yes I have read the FAQ .

I have 512 Mb of Ram and Hence the Maximum value of 
/proc/sys/net/ipv4/ip_conntrack_max must be 32768, which is what I have set 
already.

But Even this value is not enough for the connection passing through the 
firewall. It gets maxed out with minutes

If I increase the value what negative effect does it have??? Can I increase it 
to say 3276800 ???? Hope It doesnot crash my machine.


On Wednesday 30 October 2002 22:44, Maciej Soltysiak wrote:
> > Now I can see the lines "ip_conntrack : table full, dropping packet" in
> > my kern.log.
>
> Yes, but have you read the FAQ ? :) Guess not.
> You need to increase the /proc/net/ip_conntrack_max value, according to
> the FAQ, it gives some reasonable values depending on the RAM you have.
>
> > Does dropping packets means that it is actually dropping the packets or
> > just truncating the file /proc/net/ip_conntrack , does this affect my
> > client's connections???
>
> Well, it means that the state mechanism has no space to insert a
> conntrack entry, meaning, that the --state ESTABLISHED,RELATED works only
> to a limited number of currently tracked connections.
>
> Depending on your setup, it may do different things, but most probably it
> does whatever your POLICY instructs them to do. DROP ? Most certainly.
>
> In other words, it means that the --state rule will not match on the
> packet. It will not get accepted by this rule.
>
> Regards,
> Maciej Soltysiak

-- 
Best regards,


Vicky Shrestha
System Administrator
WorldLink Communications Pvt.Ltd
Jawalakhel, Kathmandu, Nepal.

Re: ip_conntrack: table full, dropping packet.

[Jet]

No I guess the maximum value is 64K.

Yes. It did crash my machine.
Just FYI, I tried this before on my 64M RAM linux box.
The default is 4K connection max.
But I tried to increase it to 64K.
End up when the number of connections grow to 13K (based on
/proc/net/ip_conntrack),
it first starts killing my other processes including klogd, syslog-ng,
snort.
At this time, you can see the kernel start killing the process from your
syslog (before syslog died)
After a while my linux box hang. And wait for reboot
I guess this is related to OOM (out-of-memory) bug in the kernel (I'm using
2.4.18-xfs).

.//Jet

>
> If I increase the value what negative effect does it have??? Can I
increase it
> to say 3276800 ???? Hope It doesnot crash my machine.
>
>

ip_conntrack: table full, dropping packet.

[hare ram]

Hi

iam getting this error
what is the problem

when i do dmesg in redhat

ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
NET: 1 messages suppressed.
ip_conntrack: table full, dropping packet.
NET: 3 messages suppressed.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
NET: 10 messages suppressed.
ip_conntrack: table full, dropping packet.
NET: 7 messages suppressed.
ip_conntrack: table full, dropping packet.
NET: 5 messages suppressed.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
NET: 2 messages suppressed.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
NET: 2 messages suppressed.
ip_conntrack: table full, dropping packet.
NET: 5 messages suppressed.
ip_conntrack: table full, dropping packet.
NET: 3 messages suppressed.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
61.218.53.226 sent an invalid ICMP error to a broadcast.
61.218.53.226 sent an invalid ICMP error to a broadcast.
61.218.53.226 sent an invalid ICMP error to a broadcast.
61.218.53.226 sent an invalid ICMP error to a broadcast.
61.218.53.226 sent an invalid ICMP error to a broadcast.
61.218.53.226 sent an invalid ICMP error to a broadcast.
61.218.53.226 sent an invalid ICMP error to a broadcast.
61.218.53.226 sent an invalid ICMP error to a broadcast.
61.218.53.226 sent an invalid ICMP error to a broadcast.
61.218.53.226 sent an invalid ICMP error to a broadcast.

Re: ip_conntrack: table full, dropping packet.

[Maciej Soltysiak]

> iam getting this error
> what is the problem
The conntrack table is full and your machine can not store
more connection tracking information, as each tracked connection
takes up some memory.

Increase your
/proc/sys/net/ipv4/ip_conntrack_max

as described in the FAQ. The FAQ shows how to calculate the value
for your system.

Regards,
Maciej Soltysiak

ip_conntrack: table full, dropping packet.

[www.piratehosting.net]

ip_conntrack: table full, dropping packet.

i have been using
echo "4008192" > /proc/sys/fs/file-max
echo 4008192 > /proc/sys/net/ipv4/ip_conntrack_max
to increase the limits to avoid this dropping of packets.
can i just clear the list from
/proc/net/ip_conntrack
or something

some info
ip_conntrack_ftp       70576  0
ip_conntrack_irc       70064  0
ip_conntrack           24968  4
iptable_nat,ip_conntrack_ftp,ip_conntrack_irc,ipt_state

Re: ip_conntrack: table full, dropping packet.

[Jason Opperisano]

On Fri, 2004-09-24 at 00:01, www.piratehosting.net wrote:
> ip_conntrack: table full, dropping packet.
> 
> i have been using
> echo "4008192" > /proc/sys/fs/file-max
> echo 4008192 > /proc/sys/net/ipv4/ip_conntrack_max
> to increase the limits to avoid this dropping of packets.
> can i just clear the list from
> /proc/net/ip_conntrack
> or something
> 
> some info
> ip_conntrack_ftp       70576  0
> ip_conntrack_irc       70064  0
> ip_conntrack           24968  4
> iptable_nat,ip_conntrack_ftp,ip_conntrack_irc,ipt_state

how much physical RAM is in this machine and how many simultaneous
connections are you trying to support?

-j

-- 
Jason Opperisano <opie@817west.com>

ip_conntrack: table full, dropping packet

[www.piratehosting.net]

512mb ram
about 150,000 connections
its a ircd server with 15 clients at 1024 users each.
i have to keep moving it up as the conntrack doesnt empty

Re: ip_conntrack: table full, dropping packet

[Stephen J Smoogen]

www.piratehosting.net wrote:
> 512mb ram
> about 150,000 connections
> its a ircd server with 15 clients at 1024 users each.
> i have to keep moving it up as the conntrack doesnt empty
> 


Depending on the linux kernel you are using.. this is a 'known' bug. Red 
Hat Linux for the 7,8,9 series has a patch from netfilter experimental 
that does not let go connections. There is also another kernel version 
that seems to have this issue (2.4.18?) but I cant remember which one it 
was. Putting on the latest 2.4.x kernel with a clean netfilter patch 
fixed the problem on our boxes.

-- 
Stephen John Smoogen	        | CCN-5 Security Team
LANL SIRT Team Leader           | SMTP:  smoogen@lanl.gov
Los Alamos National Laboratory  | Voice: 505.664.0645
Ta-03 SM-1498 MS: B255 DP 10S   | FAX:   505.665.7793
Los Alamos, NM 87545            |

ip_conntrack: table full, dropping packet

[www.piratehosting.net]

can i get a url for the patch.
i have the latest kernal

Re: ip_conntrack: table full, dropping packet

[Jose Maria Lopez]

El vie, 24 de 09 de 2004 a las 17:55, www.piratehosting.net escribió:
> can i get a url for the patch.
> i have the latest kernal

Have you tried to change the /proc/sys/net/ipv4/ip_conntrack_max?
It should solve your problem if the table is full.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

Re: ip_conntrack: table full, dropping packet.

[Jose Maria Lopez]

El vie, 24 de 09 de 2004 a las 06:01, www.piratehosting.net escribió:
> ip_conntrack: table full, dropping packet.
> 
> i have been using
> echo "4008192" > /proc/sys/fs/file-max
> echo 4008192 > /proc/sys/net/ipv4/ip_conntrack_max
> to increase the limits to avoid this dropping of packets.
> can i just clear the list from
> /proc/net/ip_conntrack
> or something
> 
> some info
> ip_conntrack_ftp       70576  0
> ip_conntrack_irc       70064  0
> ip_conntrack           24968  4
> iptable_nat,ip_conntrack_ftp,ip_conntrack_irc,ipt_state

Yes, you can clear the list using hping2 and sending RST to
both parts of the connection, but it will close the connections
if you do it that way.

The command would be something like this:

hping2 $DSTIP -R -s $SRCPORT -p $DSTPORT -a $SRCIP -k -c 1 -n
hping2 $SRCIP -R -s $DSTPORT -p $SRCPORT -a $DSTIP -k -c 1 -n

I have a script that does just that in my bastion-firewall
program. I can mail it to you if you want it.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"