* [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full. @ 2025-05-28 12:52 ying chen 2025-05-28 12:59 ` Eric Dumazet 2025-05-28 13:09 ` Florian Westphal 0 siblings, 2 replies; 12+ messages in thread From: ying chen @ 2025-05-28 12:52 UTC (permalink / raw) To: pablo, kadlec, fw, davem, edumazet, kuba, pabeni, netfilter-devel, coreteam, netdev, linux-kernel Hello all, I encountered an "nf_conntrack: table full" warning on Linux 6.15-rc4. Running cat /proc/net/nf_conntrack showed a large number of connections in the SYN_SENT state. As is well known, if we attempt to connect to a non-existent port, the system will respond with an RST and then delete the conntrack entry. However, when we frequently connect to non-existent ports, the conntrack entries are not deleted, eventually causing the nf_conntrack table to fill up. The problem can be reproduced using the following command: hping3 -S -V -p 9007 --flood xx.x.xxx.xxx ~$ cat /proc/net/nf_conntrack ipv4 2 tcp 6 112 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx sport=2642 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 dport=2642 mark=0 zone=0 use=2 ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx sport=11510 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 dport=11510 mark=0 zone=0 use=2 ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx sport=28611 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 dport=28611 mark=0 zone=0 use=2 ipv4 2 tcp 6 112 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx sport=62849 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 dport=62849 mark=0 zone=0 use=2 ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx sport=3410 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 dport=3410 mark=0 zone=0 use=2 ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx sport=44185 dport=9007 [UNREPLIED] src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 dport=44185 mark=0 zone=0 use=2 ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx sport=51099 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 dport=51099 mark=0 zone=0 use=2 ipv4 2 tcp 6 112 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx sport=23609 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 dport=23609 mark=0 zone=0 use=2 ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full. 2025-05-28 12:52 [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full ying chen @ 2025-05-28 12:59 ` Eric Dumazet 2025-05-28 13:27 ` ying chen 2025-05-28 13:09 ` Florian Westphal 1 sibling, 1 reply; 12+ messages in thread From: Eric Dumazet @ 2025-05-28 12:59 UTC (permalink / raw) To: ying chen Cc: pablo, kadlec, fw, davem, kuba, pabeni, netfilter-devel, coreteam, netdev, linux-kernel On Wed, May 28, 2025 at 5:52 AM ying chen <yc1082463@gmail.com> wrote: > > Hello all, > > I encountered an "nf_conntrack: table full" warning on Linux 6.15-rc4. > Running cat /proc/net/nf_conntrack showed a large number of > connections in the SYN_SENT state. > As is well known, if we attempt to connect to a non-existent port, the > system will respond with an RST and then delete the conntrack entry. > However, when we frequently connect to non-existent ports, the > conntrack entries are not deleted, eventually causing the nf_conntrack > table to fill up. > > The problem can be reproduced using the following command: > hping3 -S -V -p 9007 --flood xx.x.xxx.xxx > > ~$ cat /proc/net/nf_conntrack > ipv4 2 tcp 6 112 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > sport=2642 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 > dport=2642 mark=0 zone=0 use=2 > ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > sport=11510 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 > dport=11510 mark=0 zone=0 use=2 > ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > sport=28611 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 > dport=28611 mark=0 zone=0 use=2 > ipv4 2 tcp 6 112 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > sport=62849 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 > dport=62849 mark=0 zone=0 use=2 > ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > sport=3410 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 > dport=3410 mark=0 zone=0 use=2 > ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > sport=44185 dport=9007 [UNREPLIED] src=xx.xx.xx.xx dst=xx.x.xxx.xxx > sport=9007 dport=44185 mark=0 zone=0 use=2 > ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > sport=51099 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 > dport=51099 mark=0 zone=0 use=2 > ipv4 2 tcp 6 112 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > sport=23609 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 > dport=23609 mark=0 zone=0 use=2 The default timeout is 120 seconds. /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_sent ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full. 2025-05-28 12:59 ` Eric Dumazet @ 2025-05-28 13:27 ` ying chen 0 siblings, 0 replies; 12+ messages in thread From: ying chen @ 2025-05-28 13:27 UTC (permalink / raw) To: Eric Dumazet Cc: pablo, kadlec, fw, davem, kuba, pabeni, netfilter-devel, coreteam, netdev, linux-kernel On Wed, May 28, 2025 at 8:59 PM Eric Dumazet <edumazet@google.com> wrote: > > On Wed, May 28, 2025 at 5:52 AM ying chen <yc1082463@gmail.com> wrote: > > > > Hello all, > > > > I encountered an "nf_conntrack: table full" warning on Linux 6.15-rc4. > > Running cat /proc/net/nf_conntrack showed a large number of > > connections in the SYN_SENT state. > > As is well known, if we attempt to connect to a non-existent port, the > > system will respond with an RST and then delete the conntrack entry. > > However, when we frequently connect to non-existent ports, the > > conntrack entries are not deleted, eventually causing the nf_conntrack > > table to fill up. > > > > The problem can be reproduced using the following command: > > hping3 -S -V -p 9007 --flood xx.x.xxx.xxx > > > > ~$ cat /proc/net/nf_conntrack > > ipv4 2 tcp 6 112 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > > sport=2642 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 > > dport=2642 mark=0 zone=0 use=2 > > ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > > sport=11510 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 > > dport=11510 mark=0 zone=0 use=2 > > ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > > sport=28611 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 > > dport=28611 mark=0 zone=0 use=2 > > ipv4 2 tcp 6 112 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > > sport=62849 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 > > dport=62849 mark=0 zone=0 use=2 > > ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > > sport=3410 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 > > dport=3410 mark=0 zone=0 use=2 > > ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > > sport=44185 dport=9007 [UNREPLIED] src=xx.xx.xx.xx dst=xx.x.xxx.xxx > > sport=9007 dport=44185 mark=0 zone=0 use=2 > > ipv4 2 tcp 6 111 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > > sport=51099 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 > > dport=51099 mark=0 zone=0 use=2 > > ipv4 2 tcp 6 112 SYN_SENT src=xx.x.xxx.xxx dst=xx.xx.xx.xx > > sport=23609 dport=9007 src=xx.xx.xx.xx dst=xx.x.xxx.xxx sport=9007 > > dport=23609 mark=0 zone=0 use=2 > > The default timeout is 120 seconds. > > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_sent Yes,The timeout is 120 seconds. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full. 2025-05-28 12:52 [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full ying chen 2025-05-28 12:59 ` Eric Dumazet @ 2025-05-28 13:09 ` Florian Westphal 2025-05-28 13:26 ` ying chen 1 sibling, 1 reply; 12+ messages in thread From: Florian Westphal @ 2025-05-28 13:09 UTC (permalink / raw) To: ying chen Cc: pablo, kadlec, davem, edumazet, kuba, pabeni, netfilter-devel, coreteam, netdev, linux-kernel ying chen <yc1082463@gmail.com> wrote: > Hello all, > > I encountered an "nf_conntrack: table full" warning on Linux 6.15-rc4. > Running cat /proc/net/nf_conntrack showed a large number of > connections in the SYN_SENT state. > As is well known, if we attempt to connect to a non-existent port, the > system will respond with an RST and then delete the conntrack entry. > However, when we frequently connect to non-existent ports, the > conntrack entries are not deleted, eventually causing the nf_conntrack > table to fill up. Yes, what do you expect to happen? ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full. 2025-05-28 13:09 ` Florian Westphal @ 2025-05-28 13:26 ` ying chen 2025-05-28 13:41 ` Eric Dumazet 2025-05-28 13:41 ` Jozsef Kadlecsik 0 siblings, 2 replies; 12+ messages in thread From: ying chen @ 2025-05-28 13:26 UTC (permalink / raw) To: Florian Westphal Cc: pablo, kadlec, davem, edumazet, kuba, pabeni, netfilter-devel, coreteam, netdev, linux-kernel On Wed, May 28, 2025 at 9:10 PM Florian Westphal <fw@strlen.de> wrote: > > ying chen <yc1082463@gmail.com> wrote: > > Hello all, > > > > I encountered an "nf_conntrack: table full" warning on Linux 6.15-rc4. > > Running cat /proc/net/nf_conntrack showed a large number of > > connections in the SYN_SENT state. > > As is well known, if we attempt to connect to a non-existent port, the > > system will respond with an RST and then delete the conntrack entry. > > However, when we frequently connect to non-existent ports, the > > conntrack entries are not deleted, eventually causing the nf_conntrack > > table to fill up. > > Yes, what do you expect to happen? I understand that the conntrack entry should be deleted immediately after receiving the RST reply. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full. 2025-05-28 13:26 ` ying chen @ 2025-05-28 13:41 ` Eric Dumazet 2025-05-28 13:45 ` Jozsef Kadlecsik 2025-05-28 13:41 ` Jozsef Kadlecsik 1 sibling, 1 reply; 12+ messages in thread From: Eric Dumazet @ 2025-05-28 13:41 UTC (permalink / raw) To: ying chen Cc: Florian Westphal, pablo, kadlec, davem, kuba, pabeni, netfilter-devel, coreteam, netdev, linux-kernel On Wed, May 28, 2025 at 6:26 AM ying chen <yc1082463@gmail.com> wrote: > > On Wed, May 28, 2025 at 9:10 PM Florian Westphal <fw@strlen.de> wrote: > > > > ying chen <yc1082463@gmail.com> wrote: > > > Hello all, > > > > > > I encountered an "nf_conntrack: table full" warning on Linux 6.15-rc4. > > > Running cat /proc/net/nf_conntrack showed a large number of > > > connections in the SYN_SENT state. > > > As is well known, if we attempt to connect to a non-existent port, the > > > system will respond with an RST and then delete the conntrack entry. > > > However, when we frequently connect to non-existent ports, the > > > conntrack entries are not deleted, eventually causing the nf_conntrack > > > table to fill up. > > > > Yes, what do you expect to happen? > I understand that the conntrack entry should be deleted immediately > after receiving the RST reply. Then it probably hints that you do not receive RST for all your SYN packets. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full. 2025-05-28 13:41 ` Eric Dumazet @ 2025-05-28 13:45 ` Jozsef Kadlecsik 2025-05-28 13:59 ` ying chen 0 siblings, 1 reply; 12+ messages in thread From: Jozsef Kadlecsik @ 2025-05-28 13:45 UTC (permalink / raw) To: Eric Dumazet Cc: ying chen, Florian Westphal, pablo, kadlec, davem, kuba, pabeni, netfilter-devel, coreteam, netdev, linux-kernel [-- Attachment #1: Type: text/plain, Size: 1205 bytes --] On Wed, 28 May 2025, Eric Dumazet wrote: > On Wed, May 28, 2025 at 6:26 AM ying chen <yc1082463@gmail.com> wrote: >> >> On Wed, May 28, 2025 at 9:10 PM Florian Westphal <fw@strlen.de> wrote: >>> >>> ying chen <yc1082463@gmail.com> wrote: >>>> Hello all, >>>> >>>> I encountered an "nf_conntrack: table full" warning on Linux 6.15-rc4. >>>> Running cat /proc/net/nf_conntrack showed a large number of >>>> connections in the SYN_SENT state. >>>> As is well known, if we attempt to connect to a non-existent port, the >>>> system will respond with an RST and then delete the conntrack entry. >>>> However, when we frequently connect to non-existent ports, the >>>> conntrack entries are not deleted, eventually causing the nf_conntrack >>>> table to fill up. >>> >>> Yes, what do you expect to happen? >> I understand that the conntrack entry should be deleted immediately >> after receiving the RST reply. > > Then it probably hints that you do not receive RST for all your SYN > packets. And Eric has got right: because the states are in SYN_SENT then either the RST packets were not received or out of the window or invalid from other reasons. Best regards, Jozsef ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full. 2025-05-28 13:45 ` Jozsef Kadlecsik @ 2025-05-28 13:59 ` ying chen 2025-05-28 14:18 ` Jozsef Kadlecsik 0 siblings, 1 reply; 12+ messages in thread From: ying chen @ 2025-05-28 13:59 UTC (permalink / raw) To: Jozsef Kadlecsik Cc: Eric Dumazet, Florian Westphal, pablo, kadlec, davem, kuba, pabeni, netfilter-devel, coreteam, netdev, linux-kernel On Wed, May 28, 2025 at 9:45 PM Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> wrote: > > On Wed, 28 May 2025, Eric Dumazet wrote: > > > On Wed, May 28, 2025 at 6:26 AM ying chen <yc1082463@gmail.com> wrote: > >> > >> On Wed, May 28, 2025 at 9:10 PM Florian Westphal <fw@strlen.de> wrote: > >>> > >>> ying chen <yc1082463@gmail.com> wrote: > >>>> Hello all, > >>>> > >>>> I encountered an "nf_conntrack: table full" warning on Linux 6.15-rc4. > >>>> Running cat /proc/net/nf_conntrack showed a large number of > >>>> connections in the SYN_SENT state. > >>>> As is well known, if we attempt to connect to a non-existent port, the > >>>> system will respond with an RST and then delete the conntrack entry. > >>>> However, when we frequently connect to non-existent ports, the > >>>> conntrack entries are not deleted, eventually causing the nf_conntrack > >>>> table to fill up. > >>> > >>> Yes, what do you expect to happen? > >> I understand that the conntrack entry should be deleted immediately > >> after receiving the RST reply. > > > > Then it probably hints that you do not receive RST for all your SYN > > packets. > > And Eric has got right: because the states are in SYN_SENT then either the > RST packets were not received or out of the window or invalid from other > reasons. > > Best regards, > Jozsef I also suspect it's due to being "out of the window", but I'm not sure why. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full. 2025-05-28 13:59 ` ying chen @ 2025-05-28 14:18 ` Jozsef Kadlecsik 2025-05-28 14:51 ` ying chen 0 siblings, 1 reply; 12+ messages in thread From: Jozsef Kadlecsik @ 2025-05-28 14:18 UTC (permalink / raw) To: ying chen Cc: Eric Dumazet, Florian Westphal, pablo, kadlec, davem, kuba, pabeni, netfilter-devel, coreteam, netdev, linux-kernel [-- Attachment #1: Type: text/plain, Size: 1630 bytes --] On Wed, 28 May 2025, ying chen wrote: > On Wed, May 28, 2025 at 9:45 PM Jozsef Kadlecsik > <kadlec@blackhole.kfki.hu> wrote: >> >> On Wed, 28 May 2025, Eric Dumazet wrote: >> >>> On Wed, May 28, 2025 at 6:26 AM ying chen <yc1082463@gmail.com> wrote: >>>> >>>> On Wed, May 28, 2025 at 9:10 PM Florian Westphal <fw@strlen.de> wrote: >>>>> >>>>> ying chen <yc1082463@gmail.com> wrote: >>>>>> Hello all, >>>>>> >>>>>> I encountered an "nf_conntrack: table full" warning on Linux 6.15-rc4. >>>>>> Running cat /proc/net/nf_conntrack showed a large number of >>>>>> connections in the SYN_SENT state. >>>>>> As is well known, if we attempt to connect to a non-existent port, the >>>>>> system will respond with an RST and then delete the conntrack entry. >>>>>> However, when we frequently connect to non-existent ports, the >>>>>> conntrack entries are not deleted, eventually causing the nf_conntrack >>>>>> table to fill up. >>>>> >>>>> Yes, what do you expect to happen? >>>> I understand that the conntrack entry should be deleted immediately >>>> after receiving the RST reply. >>> >>> Then it probably hints that you do not receive RST for all your SYN >>> packets. >> >> And Eric has got right: because the states are in SYN_SENT then either the >> RST packets were not received or out of the window or invalid from other >> reasons. > I also suspect it's due to being "out of the window", but I'm not sure why. tcpdump of the traffic from the targeted machine with both the SYN and RST packets could help (raw pcap or at least the output with absolute seqs). Best regards, Jozsef ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full. 2025-05-28 14:18 ` Jozsef Kadlecsik @ 2025-05-28 14:51 ` ying chen 0 siblings, 0 replies; 12+ messages in thread From: ying chen @ 2025-05-28 14:51 UTC (permalink / raw) To: Jozsef Kadlecsik Cc: Eric Dumazet, Florian Westphal, pablo, kadlec, davem, kuba, pabeni, netfilter-devel, coreteam, netdev, linux-kernel On Wed, May 28, 2025 at 10:18 PM Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> wrote: > > On Wed, 28 May 2025, ying chen wrote: > > > On Wed, May 28, 2025 at 9:45 PM Jozsef Kadlecsik > > <kadlec@blackhole.kfki.hu> wrote: > >> > >> On Wed, 28 May 2025, Eric Dumazet wrote: > >> > >>> On Wed, May 28, 2025 at 6:26 AM ying chen <yc1082463@gmail.com> wrote: > >>>> > >>>> On Wed, May 28, 2025 at 9:10 PM Florian Westphal <fw@strlen.de> wrote: > >>>>> > >>>>> ying chen <yc1082463@gmail.com> wrote: > >>>>>> Hello all, > >>>>>> > >>>>>> I encountered an "nf_conntrack: table full" warning on Linux 6.15-rc4. > >>>>>> Running cat /proc/net/nf_conntrack showed a large number of > >>>>>> connections in the SYN_SENT state. > >>>>>> As is well known, if we attempt to connect to a non-existent port, the > >>>>>> system will respond with an RST and then delete the conntrack entry. > >>>>>> However, when we frequently connect to non-existent ports, the > >>>>>> conntrack entries are not deleted, eventually causing the nf_conntrack > >>>>>> table to fill up. > >>>>> > >>>>> Yes, what do you expect to happen? > >>>> I understand that the conntrack entry should be deleted immediately > >>>> after receiving the RST reply. > >>> > >>> Then it probably hints that you do not receive RST for all your SYN > >>> packets. > >> > >> And Eric has got right: because the states are in SYN_SENT then either the > >> RST packets were not received or out of the window or invalid from other > >> reasons. > > I also suspect it's due to being "out of the window", but I'm not sure why. > > tcpdump of the traffic from the targeted machine with both the SYN and RST > packets could help (raw pcap or at least the output with absolute seqs). > > Best regards, > Jozsef Using bpftrace, I found that the RST is under the lower bound and printed the values of the following variables: receiver->td_maxwin = 1 sender->td_end = 0 receiver->td_maxwin =1 ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full. 2025-05-28 13:26 ` ying chen 2025-05-28 13:41 ` Eric Dumazet @ 2025-05-28 13:41 ` Jozsef Kadlecsik 2025-05-28 13:55 ` ying chen 1 sibling, 1 reply; 12+ messages in thread From: Jozsef Kadlecsik @ 2025-05-28 13:41 UTC (permalink / raw) To: ying chen Cc: Florian Westphal, pablo, kadlec, davem, edumazet, kuba, pabeni, netfilter-devel, coreteam, netdev, linux-kernel [-- Attachment #1: Type: text/plain, Size: 992 bytes --] On Wed, 28 May 2025, ying chen wrote: > On Wed, May 28, 2025 at 9:10 PM Florian Westphal <fw@strlen.de> wrote: >> >> ying chen <yc1082463@gmail.com> wrote: >>> Hello all, >>> >>> I encountered an "nf_conntrack: table full" warning on Linux 6.15-rc4. >>> Running cat /proc/net/nf_conntrack showed a large number of >>> connections in the SYN_SENT state. >>> As is well known, if we attempt to connect to a non-existent port, the >>> system will respond with an RST and then delete the conntrack entry. >>> However, when we frequently connect to non-existent ports, the >>> conntrack entries are not deleted, eventually causing the nf_conntrack >>> table to fill up. >> >> Yes, what do you expect to happen? > I understand that the conntrack entry should be deleted immediately > after receiving the RST reply. No, the conntrack entry will be in the CLOSE state with the timeout value of /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close Best regards, Jozsef ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full. 2025-05-28 13:41 ` Jozsef Kadlecsik @ 2025-05-28 13:55 ` ying chen 0 siblings, 0 replies; 12+ messages in thread From: ying chen @ 2025-05-28 13:55 UTC (permalink / raw) To: Jozsef Kadlecsik Cc: Florian Westphal, pablo, kadlec, davem, edumazet, kuba, pabeni, netfilter-devel, coreteam, netdev, linux-kernel On Wed, May 28, 2025 at 9:41 PM Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> wrote: > > On Wed, 28 May 2025, ying chen wrote: > > > On Wed, May 28, 2025 at 9:10 PM Florian Westphal <fw@strlen.de> wrote: > >> > >> ying chen <yc1082463@gmail.com> wrote: > >>> Hello all, > >>> > >>> I encountered an "nf_conntrack: table full" warning on Linux 6.15-rc4. > >>> Running cat /proc/net/nf_conntrack showed a large number of > >>> connections in the SYN_SENT state. > >>> As is well known, if we attempt to connect to a non-existent port, the > >>> system will respond with an RST and then delete the conntrack entry. > >>> However, when we frequently connect to non-existent ports, the > >>> conntrack entries are not deleted, eventually causing the nf_conntrack > >>> table to fill up. > >> > >> Yes, what do you expect to happen? > > I understand that the conntrack entry should be deleted immediately > > after receiving the RST reply. > > No, the conntrack entry will be in the CLOSE state with the timeout value > of /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close > > Best regards, > Jozsef The conntrack entry does not transition to the CLOSE state and remains in the SYN_SENT state until the nf_conntrack_tcp_timeout_syn_sent timeout is reached. According to the code, the conntrack entry should be deleted immediately after the RST reply. int nf_conntrack_tcp_packet(struct nf_conn *ct, struct sk_buff *skb, unsigned int dataoff, enum ip_conntrack_info ctinfo, const struct nf_hook_state *state) { ...... if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { /* If only reply is a RST, we can consider ourselves not to have an established connection: this is a fairly common problem case, so we can delete the conntrack immediately. --RR */ if (th->rst) { nf_ct_kill_acct(ct, ctinfo, skb); return NF_ACCEPT; } ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2025-05-28 14:52 UTC | newest] Thread overview: 12+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-05-28 12:52 [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full ying chen 2025-05-28 12:59 ` Eric Dumazet 2025-05-28 13:27 ` ying chen 2025-05-28 13:09 ` Florian Westphal 2025-05-28 13:26 ` ying chen 2025-05-28 13:41 ` Eric Dumazet 2025-05-28 13:45 ` Jozsef Kadlecsik 2025-05-28 13:59 ` ying chen 2025-05-28 14:18 ` Jozsef Kadlecsik 2025-05-28 14:51 ` ying chen 2025-05-28 13:41 ` Jozsef Kadlecsik 2025-05-28 13:55 ` ying chen
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).