Re: connection tracking and kernel dropping packets

Greetings...

On Tue, Oct 29, 2024 at 10:48 AM Slavko <linux@xxxxxxxxxx> wrote:
>
> On 29 October 2024 15:11:34 UTC, Matt Zagrabelny <mzagrabe@xxxxxxxxx> wrote:
>
> >...but it is still dropping packets due to the CT.
>
> You have first to inspect what is filling your conntrack table:
>
>     conntrack -L

I've waited a week to let the TCP streams in the conntrack table time
out. I'm still seeing the kernel drop packets:

# tail -f /var/log/kern.log
Nov  6 11:29:02 netadm kernel: [48773744.961053] nf_conntrack: table full, dropping packet.

...and confirmed with /proc:

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
65536

...but there aren't that many flows in the conntrack table, and none
in the expect table.

# conntrack -L > /dev/null
conntrack v1.2.1 (conntrack-tools): 22 flow entries have been shown.

# conntrack -L expect
conntrack v1.2.1 (conntrack-tools): 0 expectations have been shown.

Any idea where to find what is still causing the kernel to drop packets?

I still need to handle the INVALID state, but here is my current rule-set:

# Generated by iptables-save v1.4.14 on Wed Nov  6 11:40:00 2024
*raw
:PREROUTING ACCEPT [559078817:46637850935]
:OUTPUT ACCEPT [539455981:114717831525]
[311121010:22258566347] -A PREROUTING -p udp -m udp --dport 53 -j CT --notrack
[82158007:15791189816] -A PREROUTING -p udp -m udp --sport 53 -j CT --notrack
[160638557:7854716900] -A PREROUTING -p tcp -m tcp --dport 53 -j CT --notrack
[55174:13694242] -A PREROUTING -p tcp -m tcp --sport 53 -j CT --notrack
[82898530:7187312985] -A OUTPUT -p udp -m udp --dport 53 -j CT --notrack
[310815684:92319143568] -A OUTPUT -p udp -m udp --sport 53 -j CT --notrack
[81356:4991618] -A OUTPUT -p tcp -m tcp --dport 53 -j CT --notrack
[134221259:13321766219] -A OUTPUT -p tcp -m tcp --sport 53 -j CT --notrack
COMMIT
# Completed on Wed Nov  6 11:40:00 2024
# Generated by iptables-save v1.4.14 on Wed Nov  6 11:40:00 2024
*nat
:PREROUTING ACCEPT [2196269:120347484]
:INPUT ACCEPT [1191964:55756667]
:OUTPUT ACCEPT [43401:4029238]
:POSTROUTING ACCEPT [43401:4029238]
COMMIT
# Completed on Wed Nov  6 11:40:00 2024
# Generated by iptables-save v1.4.14 on Wed Nov  6 11:40:00 2024
*mangle
:PREROUTING ACCEPT [559078013:46637808723]
:INPUT ACCEPT [559078013:46637808723]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [539456018:114717838594]
:POSTROUTING ACCEPT [539456018:114717838594]
COMMIT
# Completed on Wed Nov  6 11:40:00 2024
# Generated by iptables-save v1.4.14 on Wed Nov  6 11:40:00 2024
*filter
:INPUT DROP [1028561:66625259]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [539455943:114717822181]
[555959622:46411126809] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
[158:11928] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -s 10.101.0.0/16 -p icmp -j ACCEPT
[1283248:91447747] -A INPUT -s 10.212.0.0/16 -p icmp -j ACCEPT
[0:0] -A INPUT -s 10.84.0.0/16 -p icmp -j ACCEPT
[23101:2217696] -A INPUT -s 10.57.0.0/16 -p icmp -j ACCEPT
[0:0] -A INPUT -s 10.94.0.0/16 -p icmp -j ACCEPT
[0:0] -A INPUT -s 127.0.0.0/8 -p icmp -j ACCEPT
[767154:60545933] -A INPUT -s 10.0.0.0/8 -p icmp -j ACCEPT
[0:0] -A INPUT -s 172.16.0.0/12 -p icmp -j ACCEPT
[12243:5597503] -A INPUT -s 192.168.0.0/16 -p icmp -j ACCEPT
[0:0] -A INPUT -s 100.64.0.0/10 -p icmp -j ACCEPT
[3:243] -A INPUT -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A INPUT -s 10.212.109.49/32 -p tcp -m tcp --dport 8139 -j ACCEPT
[3888:233280] -A INPUT -s 10.212.0.0/17 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 10.212.128.0/18 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 10.212.192.0/19 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 172.16.0.0/12 -p tcp -m tcp --dport 22 -j ACCEPT
[8:416] -A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 100.72.0.0/15 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 10.94.202.160/27 -p icmp -j ACCEPT
COMMIT
# Completed on Wed Nov  6 11:40:00 2024

Thanks for any help!

-m
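The message above compares three views of the same condition: the "table full" lines in kern.log, the live entry count under /proc/sys, and the entries that `conntrack -L` actually lists. The following added example (not code from the thread or from conntrack-tools) puts those three checks in one script: it parses lines in the `/proc/net/nf_conntrack` dump format, summarises which protocol/state combinations and which original source addresses hold the entries, counts drop messages in a log excerpt, and reports the fill ratio of the table. It assumes the modern sysctl paths `/proc/sys/net/netfilter/nf_conntrack_count` and `nf_conntrack_max` (the thread reads the legacy `ip_conntrack_count` path); all sample table lines and log lines are constructed.

```python
"""Diagnostic helper for 'nf_conntrack: table full' conditions (added example).

Parses /proc/net/nf_conntrack-format lines, summarises who holds the entries,
counts drop messages in a kern.log excerpt and reports table fill ratio.
"""
import re
from collections import Counter
from pathlib import Path

# Modern sysctl locations (assumed here; the thread used the legacy
# /proc/sys/net/ipv4/netfilter/ip_conntrack_count path).
COUNT_PATH = Path("/proc/sys/net/netfilter/nf_conntrack_count")
MAX_PATH = Path("/proc/sys/net/netfilter/nf_conntrack_max")
TABLE_PATH = Path("/proc/net/nf_conntrack")

DROP_RE = re.compile(r"nf_conntrack: table full, dropping packet")

# Constructed /proc/net/nf_conntrack lines: one assured TCP flow, one
# unreplied TCP SYN, and three unreplied UDP flows from one chatty source.
SAMPLE_TABLE = """\
ipv4     2 tcp      6 431998 ESTABLISHED src=10.212.5.7 dst=10.212.1.1 sport=51234 dport=22 src=10.212.1.1 dst=10.212.5.7 sport=22 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=10.212.9.9 dst=10.212.1.1 sport=40000 dport=8139 [UNREPLIED] src=10.212.1.1 dst=10.212.9.9 sport=8139 dport=40000 mark=0 zone=0 use=1
ipv4     2 udp      17 29 src=192.168.7.20 dst=10.212.1.1 sport=5353 dport=123 [UNREPLIED] src=10.212.1.1 dst=192.168.7.20 sport=123 dport=5353 mark=0 zone=0 use=1
ipv4     2 udp      17 29 src=192.168.7.20 dst=10.212.1.1 sport=5354 dport=123 [UNREPLIED] src=10.212.1.1 dst=192.168.7.20 sport=123 dport=5354 mark=0 zone=0 use=1
ipv4     2 udp      17 29 src=192.168.7.20 dst=10.212.1.1 sport=5355 dport=123 [UNREPLIED] src=10.212.1.1 dst=192.168.7.20 sport=123 dport=5355 mark=0 zone=0 use=1
"""

# Constructed kern.log excerpt: two drop messages and one unrelated line.
SAMPLE_KERN_LOG = """\
Nov  6 11:29:02 netadm kernel: [48773744.961053] nf_conntrack: table full, dropping packet.
Nov  6 11:29:03 netadm kernel: [48773745.102211] nf_conntrack: table full, dropping packet.
Nov  6 11:29:05 netadm kernel: [48773747.000001] eth0: link is up
"""


def parse_entry(line):
    """Parse one /proc/net/nf_conntrack line; returns None for malformed lines.

    Layout: l3proto l3num l4proto l4num timeout [STATE] src=.. dst=.. ...
    TCP carries a textual state after the timeout; UDP and ICMP do not.
    """
    f = line.split()
    if len(f) < 6:
        return None
    state = f[5] if "=" not in f[5] and not f[5].startswith("[") else "-"
    src = next((tok[4:] for tok in f if tok.startswith("src=")), None)
    if src is None:
        return None
    return {
        "l4": f[2],
        "timeout": int(f[4]),
        "state": state,
        "src": src,                       # original-direction source
        "replied": "[UNREPLIED]" not in f,  # reply seen in the other direction
    }


def summarize_table(text):
    """Count entries by (l4proto, state, replied/unreplied) and by source."""
    by_kind, by_src, listed = Counter(), Counter(), 0
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        listed += 1
        by_kind[(e["l4"], e["state"], "replied" if e["replied"] else "unreplied")] += 1
        by_src[e["src"]] += 1
    return by_kind, by_src, listed


def count_drops(log_text):
    """Number of 'table full, dropping packet' messages in a log excerpt."""
    return sum(1 for line in log_text.splitlines() if DROP_RE.search(line))


def table_pressure(count, maximum):
    """Fill ratio of the conntrack table (1.0 means count == max)."""
    return count / maximum if maximum else float("nan")


def report(table_text, kernel_count, kernel_max, log_text):
    """Combine the three views so a mismatch between the kernel's count and
    the number of listed entries is visible at a glance."""
    by_kind, by_src, listed = summarize_table(table_text)
    return {
        "drops_logged": count_drops(log_text),
        "kernel_count": kernel_count,
        "listed_entries": listed,
        "pressure": table_pressure(kernel_count, kernel_max),
        "by_kind": dict(by_kind),
        "top_sources": by_src.most_common(3),
    }


def live_report(log_path="/var/log/kern.log"):
    """Run report() against the running kernel; None if the files are unreadable."""
    try:
        return report(TABLE_PATH.read_text(), int(COUNT_PATH.read_text()),
                      int(MAX_PATH.read_text()), Path(log_path).read_text())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    # Values 65536/65536 mirror the count shown in the thread; the constructed
    # table lists only 5 entries, the same kind of mismatch the post describes.
    for key, value in report(SAMPLE_TABLE, 65536, 65536, SAMPLE_KERN_LOG).items():
        print(f"{key}: {value}")
```

Run it as root on the affected host with `live_report()` to compare the kernel's count against the listed entries; a large count with a short listing, as in the post, means the two views disagree and the count itself is what needs explaining, whereas a listing dominated by unreplied entries from a few sources points at what is filling the table.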
