Re: connection tracking and kernel dropping packets

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Matt Zagrabelny <mzagrabe@xxxxxxxxx> wrote:
> On Tue, Oct 29, 2024 at 10:48 AM Slavko <linux@xxxxxxxxxx> wrote:
> >
> > Dňa 29. októbra 2024 15:11:34 UTC používateľ Matt Zagrabelny <mzagrabe@xxxxxxxxx> napísal:
> >
> > >...but it is still dropping packets due to the CT.
> >
> > You have first to inspect what is filling your conntrack table:
> >
> >     conntrack -L
> 
> I've waited a week to let the TCP streams in the conntrack table time
> out. I'm still seeing the kernel drop packets:

conntrack -F not working?

> # tail -f /var/log/kern.log
> Nov  6 11:29:02 netadm kernel: [48773744.961053] nf_conntrack: table
> full, dropping packet.
> 
> ...and confirmed with /proc:
> 
> # cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
> 65536
> 
> ...but there aren't that many flows in the conntrack table, and none
> in the expect table.
> 
> # conntrack -L > /dev/null
> conntrack v1.2.1 (conntrack-tools): 22 flow entries have been shown.

Depending on userspace/kernel version this may only list ipv4.

> Any idea where to find what is still causing the kernel to drop packets?
> 
> I still need to handle the INVALID state, but here is my current rule-set:
> 
> # Generated by iptables-save v1.4.14 on Wed Nov  6 11:40:00 2024
> *raw
> :PREROUTING ACCEPT [559078817:46637850935]
> :OUTPUT ACCEPT [539455981:114717831525]
> [311121010:22258566347] -A PREROUTING -p udp -m udp --dport 53 -j CT --notrack
> [82158007:15791189816] -A PREROUTING -p udp -m udp --sport 53 -j CT --notrack
> [160638557:7854716900] -A PREROUTING -p tcp -m tcp --dport 53 -j CT --notrack
> [55174:13694242] -A PREROUTING -p tcp -m tcp --sport 53 -j CT --notrack
> [82898530:7187312985] -A OUTPUT -p udp -m udp --dport 53 -j CT --notrack
> [310815684:92319143568] -A OUTPUT -p udp -m udp --sport 53 -j CT --notrack
> [81356:4991618] -A OUTPUT -p tcp -m tcp --dport 53 -j CT --notrack
> [134221259:13321766219] -A OUTPUT -p tcp -m tcp --sport 53 -j CT --notrack
> COMMIT

Is this an ipv4 only system?




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux