lost and found ( for me ? )

kernel error : nf_conntrack: table full, dropping packet.

# tail -1 /etc/lsb-release

# uname -a
2.6.35-25-server #44-Ubuntu SMP Fri Jan 21 19:09:14 UTC 2011 x86_64 GNU/Linux

I saw the following errors on my DNS Server running unbound.

kernel: [96324.941657] nf_conntrack: table full, dropping packet.

The same messages also show up in dmesg:
# dmesg | tail -1
[96324.941657] nf_conntrack: table full, dropping packet.

This is the netfilter connection-tracking table (nf_conntrack, the state table behind iptables' stateful rules) running out of entries. Once it is full the kernel drops every packet it cannot track, so whatever fills it (a DDoS, but also a plain burst of legitimate traffic) turns into a denial of service. A recursive resolver is a good candidate: every UDP query is its own tracked flow, and each entry stays in the table until its UDP timeout expires (net.netfilter.nf_conntrack_udp_timeout, 30 s by default), so a busy DNS server can hit the ceiling with no attack at all.
You can raise the ceiling with "nf_conntrack_max" if you have enough memory: each tracked connection costs a few hundred bytes of kernel memory, so 131072 entries is on the order of tens of megabytes. Two caveats: the hash table size (nf_conntrack_buckets, set via the nf_conntrack module's hashsize parameter) is sized by the kernel so that the default max is 4 × buckets, so raising only the max lengthens the hash chains; and if you do not need stateful filtering of DNS at all, a NOTRACK rule in the raw table for port 53 keeps those flows out of the table entirely instead of just making the table bigger.

Check the current limit (on this kernel /proc/sys/net/ipv4/netfilter/ip_conntrack_max is the legacy alias of net.netfilter.nf_conntrack_max; compare it with net.netfilter.nf_conntrack_count, the number of entries currently in use):
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max

The value is a 32-bit integer; the kernel's own default on this box was 65536.

Increase it at runtime with sysctl (takes effect immediately, but is lost at reboot):
# sysctl -w net.netfilter.nf_conntrack_max=131072
net.netfilter.nf_conntrack_max = 131072

To make it permanent, add the same line (net.netfilter.nf_conntrack_max = 131072) to /etc/sysctl.conf and apply it with sysctl -p:
# egrep conntrack /etc/sysctl.conf

In my case, after increasing that value from 65536 to 131072, I haven't seen the above errors :)
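The check and resize procedure above, as an added example that is not part of the original post: a small POSIX sh script that reports how full the conntrack table is, breaks the entries down by protocol (on a resolver you expect UDP to dominate), counts how many will expire soon, and raises nf_conntrack_max together with the hash size. The sysctl and /proc paths are the stock ones for a 2.6.35-era kernel; the table lines in SAMPLE_TABLE are constructed so the parsing functions can be exercised on a machine without conntrack loaded.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are the standard
# nf_conntrack locations on a 2.6.35-era kernel.

CT_MAX=/proc/sys/net/netfilter/nf_conntrack_max
CT_COUNT=/proc/sys/net/netfilter/nf_conntrack_count
CT_TABLE=/proc/net/nf_conntrack
CT_HASHSIZE=/sys/module/nf_conntrack/parameters/hashsize

# Constructed sample of /proc/net/nf_conntrack lines, in the 2.6.35 format:
# l3proto l3num l4proto l4num seconds-to-expiry [state] tuples ...
SAMPLE_TABLE='ipv4     2 udp      17 27 src=192.0.2.10 dst=192.0.2.53 sport=40123 dport=53 packets=1 bytes=60 src=192.0.2.53 dst=192.0.2.10 sport=53 dport=40123 packets=1 bytes=120 mark=0 use=2
ipv4     2 udp      17 29 src=192.0.2.11 dst=192.0.2.53 sport=51001 dport=53 packets=1 bytes=61 src=192.0.2.53 dst=192.0.2.11 sport=53 dport=51001 packets=1 bytes=130 mark=0 use=2
ipv4     2 udp      17 178 src=192.0.2.53 dst=198.51.100.1 sport=33000 dport=53 packets=40 bytes=2600 src=198.51.100.1 dst=192.0.2.53 sport=53 dport=33000 packets=40 bytes=5200 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.12 dst=192.0.2.53 sport=50500 dport=22 packets=80 bytes=8000 src=192.0.2.53 dst=192.0.2.12 sport=22 dport=50500 packets=60 bytes=7000 [ASSURED] mark=0 use=2'

# Percentage of the table in use: conntrack_usage_pct <count> <max>
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# Hash buckets to pair with a given nf_conntrack_max. The kernel sizes its
# own default so that max = 4 * buckets; raising max alone just makes the
# per-bucket chains longer.
hashsize_for_max() {
    echo $(( $1 / 4 ))
}

# Entries per L4 protocol from nf_conntrack-formatted text on stdin,
# printed as "proto count" lines sorted by protocol.
count_by_proto() {
    awk '{ n[$3]++ } END { for (p in n) print p, n[p] }' | sort
}

# Entries whose remaining lifetime (field 5) is at most N seconds:
# count_expiring_within <seconds>. On a resolver most of the table is
# short-lived UDP, which is what the UDP timeout sysctls control.
count_expiring_within() {
    awk -v lim="$1" '$5 <= lim { c++ } END { print c + 0 }'
}

# Print usage and protocol breakdown, falling back to the constructed
# sample when conntrack is not loaded or not readable here.
report() {
    if [ -r "$CT_MAX" ] && [ -r "$CT_COUNT" ] && [ -r "$CT_TABLE" ]; then
        max=$(cat "$CT_MAX"); cnt=$(cat "$CT_COUNT")
        echo "nf_conntrack: $cnt / $max entries ($(conntrack_usage_pct "$cnt" "$max")% used)"
        echo "by protocol:"
        count_by_proto < "$CT_TABLE"
        echo "expiring within 30s: $(count_expiring_within 30 < "$CT_TABLE")"
    else
        echo "nf_conntrack not readable here; constructed sample:"
        printf '%s\n' "$SAMPLE_TABLE" | count_by_proto
        echo "expiring within 30s: $(printf '%s\n' "$SAMPLE_TABLE" | count_expiring_within 30)"
    fi
}

# Raise the ceiling and the hash size together (needs root). Both settings
# last only until reboot; put the sysctl line in /etc/sysctl.conf as well.
raise_conntrack_max() {
    sysctl -w net.netfilter.nf_conntrack_max="$1" &&
    hashsize_for_max "$1" > "$CT_HASHSIZE"
}

report
```

Run it as root on the affected box to see the live numbers; then `raise_conntrack_max 131072` applies the new limit and the matching 32768-bucket hash. If the breakdown shows the table is almost entirely short-lived UDP to and from port 53, lowering net.netfilter.nf_conntrack_udp_timeout or excluding DNS from tracking is the more targeted fix than simply growing the table.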

