From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mart Frauenlob
Subject: Re: iptables sporadic "sendmsg: operation not permitted" problem and packet loss
Date: Mon, 09 Mar 2009 21:12:14 +0100
Message-ID: <49B5781E.3030306@chello.at>
References: <49B2E831.3040809@conversis.de>
Reply-To: netfilter-owner@vger.kernel.org
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <49B2E831.3040809@conversis.de>
Sender: netfilter-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: netfilter@vger.kernel.org

netfilter-owner@vger.kernel.org wrote:
> Hi,
>
> I'm running into a problem on a machine that right now acts as a
> simple gateway but is supposed to become a firewall too. When I start
> iptables using "/etc/init.d/iptables start" on the Centos 5.2 machine
> first everything works fine but after about 30 seconds I'm seeing
> packet loss and running a ping outputs "sendmsg: operation not
> permitted" sporadically.
> The moment I stop iptables again everything returns to normal. What is
> confusing to me is that I don't even have any rules defined so far.
> This is what my "/etc/sysconfig/iptables" file looks like:
>
> # Generated by iptables-save v1.3.5 on Thu Mar 5 17:40:28 2009
> *filter
> :INPUT ACCEPT [26715202:4750206096]
> :FORWARD ACCEPT [1382646771:1563210213960]
> :OUTPUT ACCEPT [22930985:6256734041]
> COMMIT
>
> iptables -L says:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Does anyone have an idea why that would have such a severe impact on
> the traffic? The fact that it takes a moment for the problems to show
> up makes me suspect some kind of buffer issue so that the packet loss
> only begins to occur after some buffer begins to overflow. That's just a
> guess though and I have no idea what buffer that could be.
>
> Regards,
> Dennis
>

Hello,

sounds like something that happened to me, when I accidentally did set
ip_conntrack_max to `1'.

If you don't know where it's located do something like:

find /proc/sys/net -name ip_conntrack_max

Maybe it's that issue, maybe not - just a guess.

Greets

Mart
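As an added illustration of Mart's guess (example code written for this page, not from either poster): a small POSIX sh script that reads the conntrack table limit and the current entry count from /proc, classifies how much headroom is left, and counts the kernel's "table full, dropping packet" messages in a log. It assumes the current sysctl names nf_conntrack_max and nf_conntrack_count and falls back to the legacy ip_conntrack_* names the thread refers to; the kernel-log lines it checks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): report conntrack table headroom and
# count "table full" kernel messages. Sysctl names assumed: nf_conntrack_max
# and nf_conntrack_count on current kernels, with the legacy ip_conntrack_*
# names from the thread as fallback.

# first_readable FILE...: print the contents of the first readable file;
# return 1 (printing nothing) if none of them is readable.
first_readable() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    return 1
}

conntrack_max() {
    first_readable /proc/sys/net/netfilter/nf_conntrack_max \
                   /proc/sys/net/ipv4/netfilter/ip_conntrack_max
}

conntrack_count() {
    first_readable /proc/sys/net/netfilter/nf_conntrack_count \
                   /proc/sys/net/ipv4/netfilter/ip_conntrack_count
}

# headroom_status COUNT MAX: classify table usage.
# Prints ok (<80% used), warn (>=80%), full (count >= max) or invalid
# (non-numeric input or a max of 0); return code 0, 1, 2 or 3 respectively.
headroom_status() {
    count=$1
    max=$2
    for v in "$count" "$max"; do
        case "$v" in
            ''|*[!0-9]*) echo invalid; return 3 ;;
        esac
    done
    if [ "$max" -eq 0 ]; then
        echo invalid; return 3
    elif [ "$count" -ge "$max" ]; then
        echo full; return 2
    elif [ $((count * 100 / max)) -ge 80 ]; then
        echo warn; return 1
    fi
    echo ok
    return 0
}

# count_table_full: count kernel-log lines on stdin that report packets
# dropped because the table was full. The pattern matches both the
# nf_conntrack and the older ip_conntrack spelling of the message.
count_table_full() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# sample_log: constructed kernel-log lines (not taken from the thread)
# so the log check can be demonstrated offline.
sample_log() {
    cat <<'EOF'
[  120.004512] ip_tables: (C) 2000-2006 Netfilter Core Team
[  151.220031] nf_conntrack: table full, dropping packet.
[  151.220044] nf_conntrack: table full, dropping packet.
[  152.001900] ip_conntrack: table full, dropping packet.
[  153.100000] eth0: link up
EOF
}

# report: one-line summary of the live table, plus the sample log count.
report() {
    if max=$(conntrack_max); then
        count=$(conntrack_count) || count=0
        # return code of headroom_status is ignored here; a monitor would use it
        status=$(headroom_status "$count" "$max") || :
        echo "conntrack: $count/$max entries in use ($status)"
    else
        echo "conntrack sysctls not readable (module not loaded, or no permission)"
    fi
    echo "table-full drops in sample log: $(sample_log | count_table_full)"
}

report
```

With the thread's accidental setting of 1, headroom_status reports "full" as soon as a single flow is tracked, which matches the symptom: once the table is full the kernel drops packets of new connections instead of queuing them, and a packet dropped on the output path is reported back to the sending socket as EPERM, which ping prints as "sendmsg: operation not permitted". Feeding `dmesg` or the kernel log into count_table_full gives the same signal from the log side.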