netfilter-devel.vger.kernel.org archive mirror
From: "Russell King (Oracle)" <linux@armlinux.org.uk>
To: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
	coreteam@netfilter.org
Subject: 6.1: possible bug with netfilter conntrack?
Date: Thu, 12 Jan 2023 23:03:56 +0000
Message-ID: <Y8CR3CvOIAa6QIZ4@shell.armlinux.org.uk>

Hi,

I've noticed that my network at home is rather struggling, and having
done some investigation, I find that the router VM is dropping packets
due to lots of:

nf_conntrack: nf_conntrack: table full, dropping packet

I find that there are about 2380 established and assured connections
with a destination of my incoming mail server with destination port 25,
and 2 packets. In the reverse direction, apparently only one packet was
sent according to conntrack. E.g.:

tcp      6 340593 ESTABLISHED src=180.173.2.183 dst=78.32.30.218
sport=49694 dport=25 packets=2 bytes=92 src=78.32.30.218
dst=180.173.2.183 sport=25 dport=49694 packets=1 bytes=44 [ASSURED]
use=1

However, if I look at the incoming mail server, its kernel believes
there are no incoming port 25 connections, which matches exim.

I hadn't noticed any issues prior to upgrading from 5.16 to 6.1 on the
router VM, and the firewall rules have been the same for much of
2021/2022.

Is this a known issue? Something changed between 5.16 and 6.1 in the
way conntrack works?

I'm going to be manually clearing the conntrack table so stuff works
again without lots of packet loss on my home network...

Thanks.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 40Mbps down 10Mbps up. Decent connectivity at last!
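
A way to quantify the pattern reported in the message, as an added example that is not part of the original post: the script parses `conntrack -L` output and counts, per destination address and port, the ESTABLISHED TCP entries whose packet counters stay at or below a small threshold in both directions. The first sample line is the entry quoted in the message joined onto one line; the other lines are constructed, and the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# First line: the entry quoted in the message, joined onto one line.
# Remaining lines: constructed samples using documentation address ranges.
SAMPLE = """\
tcp      6 340593 ESTABLISHED src=180.173.2.183 dst=78.32.30.218 sport=49694 dport=25 packets=2 bytes=92 src=78.32.30.218 dst=180.173.2.183 sport=25 dport=49694 packets=1 bytes=44 [ASSURED] use=1
tcp      6 340112 ESTABLISHED src=198.51.100.7 dst=78.32.30.218 sport=40112 dport=25 packets=2 bytes=92 src=78.32.30.218 dst=198.51.100.7 sport=25 dport=40112 packets=1 bytes=44 [ASSURED] use=1
tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=51514 dport=443 packets=812 bytes=90211 src=203.0.113.5 dst=192.0.2.10 sport=443 dport=51514 packets=790 bytes=1200345 [ASSURED] use=1
tcp      6 52 TIME_WAIT src=192.0.2.11 dst=203.0.113.5 sport=51600 dport=443 packets=9 bytes=800 src=203.0.113.5 dst=192.0.2.11 sport=443 dport=51600 packets=8 bytes=4100 [ASSURED] use=1
udp      17 25 src=192.0.2.10 dst=192.0.2.1 sport=5353 dport=53 packets=1 bytes=60 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=5353 packets=1 bytes=76 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_entry(line):
    """Split one `conntrack -L` line into protocol, state and per-direction fields."""
    fields = line.split()
    if len(fields) < 4:
        return None
    # TCP entries carry a state word after the timeout; other protocols may not.
    state = fields[3] if "=" not in fields[3] else None
    orig, reply = {}, {}
    for key, value in KV.findall(line):
        # Keys repeat: first occurrence is the original direction, second the reply.
        (orig if key not in orig else reply).setdefault(key, value)
    return {"proto": fields[0], "state": state, "orig": orig, "reply": reply}

def stalled_by_destination(text, max_packets=2):
    """Count ESTABLISHED TCP entries per (dst, dport) with at most max_packets each way."""
    counts = Counter()
    for line in text.splitlines():
        e = parse_entry(line)
        if not e or e["proto"] != "tcp" or e["state"] != "ESTABLISHED":
            continue
        try:
            sent = int(e["orig"]["packets"])
            answered = int(e["reply"]["packets"])
        except KeyError:
            continue  # accounting (nf_conntrack_acct) is off; no counters to judge by
        if sent <= max_packets and answered <= max_packets:
            counts[(e["orig"]["dst"], int(e["orig"]["dport"]))] += 1
    return counts

if __name__ == "__main__":
    for (dst, dport), n in stalled_by_destination(SAMPLE).most_common():
        print(f"{n:6d} low-traffic ESTABLISHED entries -> {dst}:{dport}")
```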
