Re: nf_conntrack_count versus '/proc/net/nf_conntrack | wc -l' count

On Mon, Feb 15, 2010 at 9:46 AM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
>
> On Monday 2010-02-15 18:29, Patrick McHardy wrote:
>>Afi Gjermund wrote:
>>>
>>> I am running into an odd issue where the kernel begins to drop packets
>>> because the connection tracking table is full. (I am running
>>> 2.6.26.5).
>>>
>>> A 'cat /proc/sys/net/netfilter/nf_conntrack_count' says 4096.  But if
>>> I do a 'cat /proc/net/nf_conntrack | wc -l' then it says 4.
>>
>>Conntracks might exist and not be in the global table anymore,
>>f.i. when referenced by a packet. The difference in your case
>>seems pretty extreme, so I'd guess that packets are leaked
>>somewhere.
>
> So, that would make for 4092 expected connections then?
>
> Afi, what would `conntrack -L expect` give?
>

Jan, I am running this on an embedded system and will have to
cross-compile the userspace tools and get back to you.  One thing to
note is, I have stopped any traffic flowing through the device, and
yet I am still receiving the kernel drop messages.  Any chance it's
connection tracking on the loopback? (I use the loopback for IPC.)
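The cross-check the thread is circling around (nf_conntrack_count versus the entries actually listed in /proc/net/nf_conntrack, minus expectations), as an added example that is not part of the original mails. The table text is constructed in the /proc/net/nf_conntrack format; the 4096 is the counter Afi reported, and the verdict thresholds are a heuristic of this example, not kernel semantics.

```python
"""Cross-check nf_conntrack_count against what /proc/net/nf_conntrack lists."""
import re
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack format (not taken from the thread).
SAMPLE_TABLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=10.0.0.1 sport=45678 dport=443 src=10.0.0.1 dst=192.168.1.2 sport=443 dport=45678 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=50012 dport=8080 src=127.0.0.1 dst=127.0.0.1 sport=8080 dport=50012 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.2 dst=192.168.1.1 sport=53321 dport=53 src=192.168.1.1 dst=192.168.1.2 sport=53 dport=53321 mark=0 use=1
ipv4     2 icmp     1 29 src=192.168.1.2 dst=8.8.8.8 type=8 code=0 id=1234 src=8.8.8.8 dst=192.168.1.2 type=0 code=0 id=1234 mark=0 use=1
"""

TCP_STATES = {"SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT", "CLOSE_WAIT",
              "LAST_ACK", "TIME_WAIT", "CLOSE", "LISTEN"}


def parse_conntrack(text):
    """Parse each table line into a dict: l3, l4, timeout, state, src, dst, loopback."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or truncated line
        l3, l4, timeout = fields[0], fields[2], int(fields[4])
        state = fields[5] if fields[5] in TCP_STATES else None  # only tcp has one
        kv = {}
        for key, val in re.findall(r"(\w+)=(\S+)", line):
            kv.setdefault(key, val)  # keep the original-direction tuple, not the reply
        src, dst = kv.get("src"), kv.get("dst")
        entries.append({"l3": l3, "l4": l4, "timeout": timeout, "state": state,
                        "src": src, "dst": dst,
                        "loopback": src is not None and src.startswith("127.")})
    return entries


def diagnose(sysctl_count, entries, expectations=0):
    """Compare the kernel counter with listed entries plus expectations (heuristic)."""
    visible = len(entries)
    unaccounted = sysctl_count - visible - expectations
    by_proto = Counter((e["l4"], e["state"] or "-") for e in entries)
    loopback = sum(e["loopback"] for e in entries)
    if unaccounted <= 0:
        verdict = "consistent"
    elif unaccounted <= visible:
        verdict = "transient: a few entries referenced by in-flight packets"
    else:
        verdict = "suspicious: far more tracked than listed, investigate a leak"
    return {"visible": visible, "loopback": loopback, "unaccounted": unaccounted,
            "by_proto": by_proto, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(4096, parse_conntrack(SAMPLE_TABLE)))  # 4096 as reported in the thread
```

On a live box, feed it `open("/proc/net/nf_conntrack").read()`, `int(open("/proc/sys/net/netfilter/nf_conntrack_count").read())` and the line count of `conntrack -L expect` instead of the constructed values.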
