lost and found ( for me ? )

kernel error : nf_conntrack: table full, dropping packet.


# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 10.10"

# uname -a
2.6.35-25-server #44-Ubuntu SMP Fri Jan 21 19:09:14 UTC 2011 x86_64 GNU/Linux


I saw the following errors on my DNS server running unbound.

/var/log/messages
kernel: [96324.941657] nf_conntrack: table full, dropping packet.

The same messages are also visible via dmesg:
# dmesg | tail -1
[96324.941657] nf_conntrack: table full, dropping packet.


The message means the netfilter connection-tracking table (nf_conntrack; the older ip_conntrack sysctl names are aliases for it) is full. Every new flow the firewall sees gets an entry that lives until its timeout expires, and that includes each UDP DNS query, whose entry is kept for 30 seconds by default (net.netfilter.nf_conntrack_udp_timeout). A busy resolver, or a DDoS of spoofed queries, therefore fills the table quickly, and once it is full the kernel drops every packet that would need a new entry.
Raising ip_conntrack_max / nf_conntrack_max helps if you have enough memory, but it only raises the bar: an attacker who can send more packets can still fill the larger table. Compare net.netfilter.nf_conntrack_count against the limit to see how close you run, and decide whether DNS traffic needs to be tracked at all.

The default depends on the amount of RAM the kernel found at boot; on this host it is (the ipv4/netfilter/ip_conntrack_max path is the legacy alias of net.netfilter.nf_conntrack_max):
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536


The sysctl is a plain unsigned integer, but raising it is not free: each entry occupies a few hundred bytes of non-swappable kernel memory (the objsize of nf_conntrack in /proc/slabinfo gives the exact figure), so 131072 entries is on the order of 40 MB. The hash table that indexes the entries (/sys/module/nf_conntrack/parameters/hashsize, one eighth of the default max on this kernel) is not resized when you change the limit, so grow it as well if you raise the limit substantially; otherwise hash chains just get longer and lookups slower.

Increase the value at runtime with the sysctl command:
# sysctl -w net.netfilter.nf_conntrack_max=131072
net.netfilter.nf_conntrack_max = 131072


To keep it across reboots, add the setting to /etc/sysctl.conf. The key only exists while the nf_conntrack module is loaded, so if the module is only pulled in later by the firewall rules, sysctl -p at boot will report it as unknown; listing nf_conntrack in /etc/modules avoids that.
# egrep conntrack /etc/sysctl.conf
net.netfilter.nf_conntrack_max=131072
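As an added example (not the post author's script), a small POSIX shell script that ties the checks and the fix together: it reports how full the table is and how many drops the kernel has logged, raises nf_conntrack_max and the hash table size in step, persists the sysctl, and shows the alternative of exempting DNS from tracking entirely. The procfs/sysfs paths, the 8:1 max-to-hashsize ratio, the ~300 bytes per entry estimate and the runtime-writable hashsize parameter are assumptions about this 2.6.35 kernel; verify them on yours. The kernel log lines embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this post, not the author's script. Inspects the netfilter
# connection-tracking table and applies the tuning discussed above.
# Assumptions (verify on your kernel): the procfs/sysfs paths below, that
# /sys/module/nf_conntrack/parameters/hashsize is root-writable at runtime on
# 2.6.x, the kernel's default ratio nf_conntrack_max = 8 * hashsize, and
# roughly 300 bytes of slab memory per entry on x86_64.

CT_MAX=/proc/sys/net/netfilter/nf_conntrack_max
CT_COUNT=/proc/sys/net/netfilter/nf_conntrack_count
CT_HASH=/sys/module/nf_conntrack/parameters/hashsize
SYSCTL_CONF=/etc/sysctl.conf

# Hash table size that keeps the kernel's default 8:1 entries-per-bucket ratio
# for a given nf_conntrack_max; raising max alone only makes hash chains longer.
hashsize_for_max() {
    echo $(( $1 / 8 ))
}

# Integer percentage of the table in use: $1 = nf_conntrack_count, $2 = nf_conntrack_max.
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Worst-case non-swappable kernel memory (MiB) a table of $1 entries can hold,
# assuming ~300 bytes per entry (check objsize of nf_conntrack in /proc/slabinfo).
max_table_mib() {
    echo $(( $1 * 300 / 1048576 ))
}

# Number of "table full" drop messages in kernel log text read from stdin.
count_drops() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Constructed sample of kernel log lines (not captured from a real host) so the
# counter can be exercised without root: two drops, one unrelated line.
SAMPLE_LOG='[96324.941657] nf_conntrack: table full, dropping packet.
[96324.941702] nf_conntrack: table full, dropping packet.
[96325.102231] eth0: link up'

# Live view: how close the table is to the limit and how many drops so far.
report() {
    [ -r "$CT_MAX" ] || { echo "nf_conntrack is not loaded (no $CT_MAX)" >&2; return 1; }
    max=$(cat "$CT_MAX"); count=$(cat "$CT_COUNT"); hash=$(cat "$CT_HASH")
    echo "entries: $count / $max ($(usage_pct "$count" "$max")% used), hashsize=$hash"
    echo "memory at limit: ~$(max_table_mib "$max") MiB"
    echo "table-full drops in dmesg: $(dmesg | count_drops)"
}

# Raise the limit (default 131072 as in the post), grow the hash table to match,
# and persist the sysctl. Run as root.
apply() {
    new_max=${1:-131072}
    echo "$(hashsize_for_max "$new_max")" > "$CT_HASH"
    sysctl -w net.netfilter.nf_conntrack_max="$new_max"
    # The key only exists while nf_conntrack is loaded; list the module in
    # /etc/modules so "sysctl -p" finds it at boot.
    grep -q '^net.netfilter.nf_conntrack_max' "$SYSCTL_CONF" ||
        echo "net.netfilter.nf_conntrack_max=$new_max" >> "$SYSCTL_CONF"
}

# Alternative for a DNS server: do not track DNS at all. A UDP query/response
# needs no connection state, and untracked packets never occupy a slot, so a
# query flood cannot fill the table. The INPUT chain must then ACCEPT udp/53
# explicitly, since these packets no longer match --state ESTABLISHED.
notrack_dns() {
    iptables -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK
    iptables -t raw -A OUTPUT     -p udp --sport 53 -j NOTRACK
}

case "${1:-}" in
    report)  report ;;
    apply)   apply "${2:-131072}" ;;
    notrack) notrack_dns ;;
    demo)    printf '%s\n' "$SAMPLE_LOG" | count_drops ;;
esac
```

Run it with `report` first. If nf_conntrack_count only approaches the limit during a query burst, `apply` (together with a shorter net.netfilter.nf_conntrack_udp_timeout, 30 seconds by default) buys headroom; if the host exists to serve DNS, `notrack` removes the problem instead of enlarging the target.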


In my case, after increasing that value from 65536 to 131072, I haven't seen the above errors :)
