On Monday 2010-02-15 19:04, Afi Gjermund wrote:

>>>> I am running into an odd issue where the kernel begins to drop packets
>>>> because the connection tracking table is full. (I am running
>>>> 2.6.26.5).
>>>>
>>>> A 'cat /proc/sys/net/netfilter/nf_conntrack_count' says 4096. But if
>>>> I do a 'cat /proc/net/nf_conntrack | wc -l' then it says 4.
>>>
>>> Conntracks might exist and not be in the global table anymore,
>>> f.i. when referenced by a packet. The difference in your case
>>> seems pretty extreme, so I'd guess that packets are leaked
>>> somewhere.
>>
>> So, that would make for 4092 expected connections then?
>>
>> Afi, what would `conntrack -L expect` give? (meant: conntrack -L expect | wc -l)
>
> One thing to note is, I have stopped any traffic flowing through the device, and
> yet I am still receiving the kernel drop messages. Any chance it's
> connection tracking on the loopback? (I use the loopback for IPC.)

Yes. conntrack does not care about what interface packets come in or go out on.
Unless it's NOTRACKed, it's counted.
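The reconciliation the thread is circling around (nf_conntrack_count versus the entries actually listed in the table and the expectation list) as an added POSIX shell check, not code from the thread or from the netfilter project. The three inputs are file paths so it can be pointed at the real /proc files and saved `conntrack -L expect` output, or at constructed sample files as in the stand-alone run at the bottom; the sample conntrack line is constructed and only stands in for a real entry.

```shell
#!/bin/sh
# Added example, not from the thread: reconcile nf_conntrack_count with the
# entries that are actually listed. Parameters:
#   $1  file holding nf_conntrack_count
#       (normally /proc/sys/net/netfilter/nf_conntrack_count)
#   $2  file holding the conntrack table listing
#       (normally /proc/net/nf_conntrack, or saved `conntrack -L` output)
#   $3  file holding the expectation listing
#       (normally saved `conntrack -L expect` output)
# Prints the numbers and returns 0 when every counted entry is accounted for
# by a listed entry or an expectation, 1 when the count exceeds both combined,
# which is the symptom the thread attributes to leaked packets.
conntrack_gap() {
    count=$(tr -dc '0-9' < "$1")
    listed=$(awk 'END { print NR }' "$2")
    expects=$(awk 'END { print NR }' "$3")
    unaccounted=$((count - listed - expects))
    echo "count=$count listed=$listed expectations=$expects unaccounted=$unaccounted"
    [ "$unaccounted" -le 0 ]
}

# Stand-alone run against constructed sample files mirroring the numbers in
# the thread: the counter says 4096, the table lists 4 entries, no expectations.
demo_dir=$(mktemp -d)
echo 4096 > "$demo_dir/count"
: > "$demo_dir/list"
i=0
while [ "$i" -lt 4 ]; do
    # constructed placeholder entry in the /proc/net/nf_conntrack style
    echo "ipv4 2 tcp 6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=$((40000 + i)) dport=5000 [ASSURED]" >> "$demo_dir/list"
    i=$((i + 1))
done
: > "$demo_dir/expect"
if conntrack_gap "$demo_dir/count" "$demo_dir/list" "$demo_dir/expect"; then
    echo "every tracked entry is accounted for"
else
    echo "counter exceeds listed entries plus expectations: investigate for leaks"
fi
rm -rf "$demo_dir"
```

If the unaccounted figure is large and stays large with no traffic crossing the box, loopback traffic is one of the first things to check, since (as the reply states) conntrack counts it like any other interface unless it is excluded with a NOTRACK rule in the raw table.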