Matt Zagrabelny <mzagrabe@xxxxxxxxx> wrote:

> On Tue, Oct 29, 2024 at 10:48 AM Slavko <linux@xxxxxxxxxx> wrote:
> >
> > On 29 October 2024 15:11:34 UTC, Matt Zagrabelny <mzagrabe@xxxxxxxxx> wrote:
> >
> > > ...but it is still dropping packets due to the CT.
> >
> > You have first to inspect what is filling your conntrack table:
> >
> > conntrack -L
>
> I've waited a week to let the TCP streams in the conntrack table time
> out. I'm still seeing the kernel drop packets:

conntrack -F not working?

> # tail -f /var/log/kern.log
> Nov 6 11:29:02 netadm kernel: [48773744.961053] nf_conntrack: table
> full, dropping packet.
>
> ...and confirmed with /proc:
>
> # cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
> 65536
>
> ...but there aren't that many flows in the conntrack table, and none
> in the expect table.
>
> # conntrack -L > /dev/null
> conntrack v1.2.1 (conntrack-tools): 22 flow entries have been shown.

Depending on userspace/kernel version this may only list ipv4.

> Any idea where to find what is still causing the kernel to drop packets?
>
> I still need to handle the INVALID state, but here is my current rule-set:
>
> # Generated by iptables-save v1.4.14 on Wed Nov 6 11:40:00 2024
> *raw
> :PREROUTING ACCEPT [559078817:46637850935]
> :OUTPUT ACCEPT [539455981:114717831525]
> [311121010:22258566347] -A PREROUTING -p udp -m udp --dport 53 -j CT --notrack
> [82158007:15791189816] -A PREROUTING -p udp -m udp --sport 53 -j CT --notrack
> [160638557:7854716900] -A PREROUTING -p tcp -m tcp --dport 53 -j CT --notrack
> [55174:13694242] -A PREROUTING -p tcp -m tcp --sport 53 -j CT --notrack
> [82898530:7187312985] -A OUTPUT -p udp -m udp --dport 53 -j CT --notrack
> [310815684:92319143568] -A OUTPUT -p udp -m udp --sport 53 -j CT --notrack
> [81356:4991618] -A OUTPUT -p tcp -m tcp --dport 53 -j CT --notrack
> [134221259:13321766219] -A OUTPUT -p tcp -m tcp --sport 53 -j CT --notrack
> COMMIT

Is this an ipv4-only system?
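The thread asks "what is filling the conntrack table" and notes that `conntrack -L` may list only IPv4 depending on the tool and kernel version. The script below is an added example written for this page, not code posted by anyone in the thread: it summarises a `conntrack -L` dump by L4 protocol, TCP state, unreplied entries and originating source address, and compares the live counter with the limit. The sample dump is constructed to resemble conntrack-tools output, and the field layout it parses (protocol in column 1, TCP state in column 4, the first `src=` being the original direction) is an assumption about that format. With `--live` it runs the real commands, dumping both `-f ipv4` and `-f ipv6` so an IPv6-only listing problem does not hide entries, and reads the family-independent counters under /proc/sys/net/netfilter (the thread's /proc/sys/net/ipv4/netfilter path is the older compatibility location); those paths are assumptions about the reader's kernel.

```shell
#!/bin/sh
# Added example, not from the thread: find what is filling nf_conntrack.

# Constructed sample of `conntrack -L` output (format is an assumption).
sample_conntrack() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 119 SYN_SENT src=10.0.0.9 dst=198.51.100.7 sport=40001 dport=80 [UNREPLIED] src=198.51.100.7 dst=10.0.0.9 sport=80 dport=40001 mark=0 use=1
tcp      6 118 SYN_SENT src=10.0.0.9 dst=198.51.100.7 sport=40002 dport=80 [UNREPLIED] src=198.51.100.7 dst=10.0.0.9 sport=80 dport=40002 mark=0 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=40000 dport=123 src=10.0.0.1 dst=10.0.0.5 sport=123 dport=40000 mark=0 use=1
udp      17 25 src=10.0.0.9 dst=10.0.0.1 sport=40003 dport=161 [UNREPLIED] src=10.0.0.1 dst=10.0.0.9 sport=161 dport=40003 mark=0 use=1
EOF
}

# Read conntrack -L text on stdin; print "key value count" lines.
# Entries tagged [UNREPLIED] never saw a reply: typical of scans or
# one-way floods, and the usual culprit when a table fills up.
conntrack_summary() {
    awk '
    {
        total++
        proto[$1]++
        if ($1 == "tcp") state[$4]++           # tcp lines: proto num timeout STATE ...
        if ($0 ~ /\[UNREPLIED\]/) unreplied++  # reply direction never seen
        for (i = 1; i <= NF; i++)              # first src= is the original direction
            if ($i ~ /^src=/) { sub(/^src=/, "", $i); src[$i]++; break }
    }
    END {
        printf "total %d\n", total + 0
        printf "unreplied %d\n", unreplied + 0
        for (p in proto) printf "proto %s %d\n", p, proto[p]
        for (s in state) printf "state %s %d\n", s, state[s]
        for (a in src)   printf "src %s %d\n", a, src[a]
    }'
}

# Print usage as count/max (percent); return non-zero once the table is full.
conntrack_usage() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || return 2
    pct=$(( count * 100 / max ))
    echo "$count/$max (${pct}%)"
    [ "$count" -lt "$max" ]
}

if [ "${1:-}" = "--live" ]; then
    # Dump each family explicitly: older userspace may list only ipv4 by default.
    for fam in ipv4 ipv6; do
        echo "== $fam =="
        conntrack -L -f "$fam" 2>/dev/null | conntrack_summary | sort -k3 -n -r
    done
    # Family-independent counters (paths assumed for current kernels).
    conntrack_usage "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
                    "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
else
    sample_conntrack | conntrack_summary | sort -k3 -n -r
    conntrack_usage 22 65536
fi
```

Run it as `sh conntrack-triage.sh --live` as root on the box that logs "nf_conntrack: table full"; the `src` lines with the highest counts and the `unreplied` total point at the traffic to rate-limit or `--notrack`, in the same way the ruleset above already exempts DNS.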