Re: connection tracking and kernel dropping packets

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 29 Oct 2024, at 3:11 PM, Matt Zagrabelny wrote:
> Hello,
>
> The kernel of my DNS server is dropping packets:
>
> kernel: [48074703.302657] nf_conntrack: table full, dropping packet.
>
> I've followed this knowledge base article:
>
> https://kb.isc.org/docs/aa-01183
>
> for configuring iptables to not track the connections of DNS packets.
>
> ...but it is still dropping packets due to the CT.
>
> I know I could bump the conntrack memory, but I'd still like to know
> why my iptables rules aren't sufficient for not dropping DNS packets.
>
> I'm running Linux 3.2.0-4-amd64
>
> Here are my iptables rules:
>
> # iptables -vnL -t raw
> Chain PREROUTING (policy ACCEPT 24M packets, 2112M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   16M 1153M CT         udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0            udp dpt:53 CT notrack
> 3723K  701M CT         udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0            udp spt:53 CT notrack
>
> Chain OUTPUT (policy ACCEPT 24M packets, 5436M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 3760K  327M CT         udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0            udp dpt:53 CT notrack
>   16M 4680M CT         udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0            udp spt:53 CT notrack
>
> # iptables -vnL
> Chain INPUT (policy DROP 45173 packets, 2842K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   23M 2065M ACCEPT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            ctstate RELATED,ESTABLISHED,UNTRACKED
>    11   804 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>     4   284 ACCEPT     udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0            udp dpt:53
>  709K   37M ACCEPT     tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0            tcp dpt:53
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 24M packets, 5439M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Any ideas what I'm missing?

Please use iptables-save -c for dumping rulesets.

You can inspect the contents of the conntrack table by using the conntrack(8) utility from conntrack-tools and, in so doing, better understand the manner in which it comes to be full.

By default, TCP sessions that aren't formally ended can occupy a conntrack table entry for up to a week, per the value of the "net.netfilter.nf_conntrack_tcp_timeout_established" sysctl. Also, "net.nf_conntrack_max" can be used to increase the maximum number of entries. There is nothing wrong with tuning these controls in accordance with your workload, if needs be.

Incidentally, your ruleset allows for packets classified as INVALID to traverse the INPUT chain in full, which isn't advisable. As was discussed recently, either contend with INVALID packets up front or additionally match on the NEW state for subsequent rules, where appropriate.

Finally, you might consider whether you need bother using iptables at all, since this ruleset doesn't appear to be doing a great deal. Are you trying to limit the exposure of other network services that this host is running? If so, binding them to a particular address may be an option. Further, there are various scenarios in which connection tracking isn't necessarily useful, in which case one is certainly not obliged to use it. That your host isn't tasked with forwarding packets indicates that you should at least ponder upon this.

-- 
Kerin Millar




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux