* 2.4.20-pre7: ip_conntrack: table full, dropping packet.
@ 2002-10-21 18:16 Stephan von Krawczynski
From: Stephan von Krawczynski @ 2002-10-21 18:16 UTC
  To: linux-kernel; +Cc: laforge, Rusty Russell

Hello all,

After several days running kernel 2.4.20-pre7 I came across the syslogged
message:

kernel: ip_conntrack: table full, dropping packet.

This box runs about 10 rules for destination nat. My simple question: is this a
bug, or a need to tune something? If it is a bug, is there a later kernel that
has it fixed?
-- 
Regards,
Stephan


* Re: 2.4.20-pre7: ip_conntrack: table full, dropping packet.
@ 2002-10-21 21:55 ` Harald Welte
From: Harald Welte @ 2002-10-21 21:55 UTC
  To: Stephan von Krawczynski
  Cc: linux-kernel, Rusty Russell, Netfilter Mailinglist

On Mon, Oct 21, 2002 at 08:16:44PM +0200, Stephan von Krawczynski wrote:
> Hello all,

Hi Stephan. Don't know if you remember me, but we've met at some IN e.V.
meetings in the past ;)

> After several days running kernel 2.4.20-pre7 I came across the syslogged
> message:
> 
> kernel: ip_conntrack: table full, dropping packet.
> 
> This box runs about 10 rules for destination nat. My simple question:
> is this a bug, or a need to tune something? If it is a bug, is there a
> later kernel that has it fixed?

It's not about the number of NAT rules, but the number of connections
going on through your machine.

The FAQ (to be found at www.netfilter.org) describes how to raise the
number of connection tracking table entries.

> Regards,
> Stephan

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)


* Re: 2.4.20-pre7: ip_conntrack: table full, dropping packet.
@ 2002-10-23  0:15   ` Andrew Smith
From: Andrew Smith @ 2002-10-23  0:15 UTC
  To: netfilter

> On Mon, Oct 21, 2002 at 08:16:44PM +0200, Stephan von Krawczynski
> wrote:
>> Hello all,
> 
> Hi Stephan. Don't know if you remember me, but we've met at some IN
> e.V. meetings in the past ;)
> 
>> After several days running kernel 2.4.20-pre7 I came across the
>> syslogged message:
>> 
>> kernel: ip_conntrack: table full, dropping packet.
>> 
>> This box runs about 10 rules for destination nat. My simple question:
>> is this a bug, or a need to tune something? If it is a bug, is there a
>> later kernel that has it fixed?
> 
> it's not about the number of NAT rules, but the number of connections
> going on through your machine.
> 
> the FAQ (to be found at www.netfilter.org) describes how to raise the
> number of connection tracking table entries.

Stephan,
The problem is that you will need to effectively allocate more memory
to iptables (increase the size of ip_conntrack_max).

If that is a problem, then you fall into a well known and much ignored
issue with iptables - connection timeout - that, according to the
developers, is set to a value that will handle all possible networks.
But funnily enough, as in your case, that isn't true; you must be
doing something wrong :-) :-) :-) like me :-)

Either increase ip_conntrack_max or modify the timeout constant for all
connections and recompile ... 

It would be good to be able to shorten the timeout for certain
services, but alas that won't happen unless you code/patch each release
yourself.

>> Regards,
>> Stephan

-- 
-Cheers
-Andrew

MS ... if only he hadn't been hang gliding!



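Both replies point at the same fix: the table size (ip_conntrack_max), not the NAT rule count, is what matters. The script below is an added example and is not from the thread, the netfilter FAQ or the kernel sources. It counts the "table full" drop messages in a constructed syslog excerpt, compares the live conntrack count against the table size (falling back to constructed values where the 2.4-era /proc/sys/net/ipv4/ip_conntrack_* files do not exist) and prints the sysctl that raises the limit. The 60% usage target and the doubling policy are assumptions for the demonstration, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: detect the conntrack "table full"
# condition and work out a larger ip_conntrack_max. The log excerpt is
# constructed; the 60% target and the doubling policy are assumptions.

# Constructed syslog excerpt (not a real log) containing two drop messages.
SAMPLE_LOG='Oct 21 18:10:01 gw kernel: ip_conntrack: table full, dropping packet.
Oct 21 18:10:03 gw sshd[1234]: Accepted publickey for admin from 192.0.2.10
Oct 21 18:10:05 gw kernel: ip_conntrack: table full, dropping packet.'

# count_table_full LOGTEXT: number of "table full" drop messages in LOGTEXT.
# grep -c exits 1 when the count is 0, so keep the function's status at 0.
count_table_full() {
    printf '%s\n' "$1" | grep -c 'ip_conntrack: table full, dropping packet' || true
}

# usage_pct COUNT MAX: integer percentage of the table currently in use.
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# recommend_max COUNT MAX: keep doubling MAX until the observed COUNT would
# occupy less than 60% of the table (assumed policy, not from the thread).
recommend_max() {
    count=$1
    max=$2
    while [ "$(usage_pct "$count" "$max")" -ge 60 ]; do
        max=$(( max * 2 ))
    done
    echo "$max"
}

# tuning_command MAX: the 2.4-era sysctl that raises the table size. Kernels
# using nf_conntrack expose the same knob as net.netfilter.nf_conntrack_max.
tuning_command() {
    echo "sysctl -w net.ipv4.ip_conntrack_max=$1"
}

# read_proc FILE FALLBACK: the live value if FILE is readable, else FALLBACK,
# so the script also runs on hosts without the 2.4 ip_conntrack files.
read_proc() {
    if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi
}

# report: tie the checks together; the fallback numbers are constructed.
report() {
    drops=$(count_table_full "$SAMPLE_LOG")
    count=$(read_proc /proc/sys/net/ipv4/ip_conntrack_count 7800)
    max=$(read_proc /proc/sys/net/ipv4/ip_conntrack_max 8192)
    pct=$(usage_pct "$count" "$max")
    echo "drop messages seen: $drops"
    echo "conntrack usage: $count/$max (${pct}%)"
    if [ "$drops" -gt 0 ] || [ "$pct" -ge 60 ]; then
        echo "suggested: $(tuning_command "$(recommend_max "$count" "$max")")"
    fi
}

report
```

Every conntrack entry lives in unswappable kernel memory, so a larger table should be sized against the RAM the box actually has rather than doubled indefinitely. Andrew's point about timeouts applies to 2.4, where the per-protocol values were compile-time constants; later nf_conntrack kernels expose them as sysctls (for example net.netfilter.nf_conntrack_tcp_timeout_established), which is the other lever when a table fills with idle established entries. A sudden burst of "table full" messages on a host whose normal usage sits well below the limit is also worth alerting on, since it usually means a connection flood rather than a tuning problem.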
