Hi Florian, On Sun, Nov 10, 2024 at 3:48 PM Florian Westphal <fw@xxxxxxxxx> wrote: > > Matt Zagrabelny <mzagrabe@xxxxxxxxx> wrote: > > On Tue, Oct 29, 2024 at 10:48 AM Slavko <linux@xxxxxxxxxx> wrote: > > > > > > Dňa 29. októbra 2024 15:11:34 UTC používateľ Matt Zagrabelny <mzagrabe@xxxxxxxxx> napísal: > > > > > > >...but it is still dropping packets due to the CT. > > > > > > You have first to inspect what is filling your conntrack table: > > > > > > conntrack -L > > > > I've waited a week to let the TCP streams in the conntrack table time > > out. I'm still seeing the kernel drop packets: > > conntrack -F not working? I didn't know about it. Just tried it. Seemed to work. > > > # tail -f /var/log/kern.log > > Nov 6 11:29:02 netadm kernel: [48773744.961053] nf_conntrack: table > > full, dropping packet. > > > > ...and confirmed with /proc: > > > > # cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count > > 65536 > > > > ...but there aren't that many flows in the conntrack table, and none > > in the expect table. > > > > # conntrack -L > /dev/null > > conntrack v1.2.1 (conntrack-tools): 22 flow entries have been shown. > > Depending on userspace/kernel version this may only list ipv4. Ahh... > > > Any idea where to find what is still causing the kernel to drop packets? > > > > I still need to handle the INVALID state, but here is my current rule-set: > > > > # Generated by iptables-save v1.4.14 on Wed Nov 6 11:40:00 2024 > > *raw > > :PREROUTING ACCEPT [559078817:46637850935] > > :OUTPUT ACCEPT [539455981:114717831525] > > [311121010:22258566347] -A PREROUTING -p udp -m udp --dport 53 -j CT --notrack > > [82158007:15791189816] -A PREROUTING -p udp -m udp --sport 53 -j CT --notrack > > [160638557:7854716900] -A PREROUTING -p tcp -m tcp --dport 53 -j CT --notrack > > [55174:13694242] -A PREROUTING -p tcp -m tcp --sport 53 -j CT --notrack > > [82898530:7187312985] -A OUTPUT -p udp -m udp --dport 53 -j CT --notrack > > [310815684:92319143568] -A OUTPUT -p udp -m udp --sport 53 -j CT --notrack > > [81356:4991618] -A OUTPUT -p tcp -m tcp --dport 53 -j CT --notrack > > [134221259:13321766219] -A OUTPUT -p tcp -m tcp --sport 53 -j CT --notrack > > COMMIT > > Is this an ipv4 only system? Nope. Dual-homed. Thanks for the reminder. I've added the corresponding "notrack" rules to the v6 side. Thanks again for the help! -m