Re: connection tracking and kernel dropping packets

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Florian,


On Sun, Nov 10, 2024 at 3:48 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Matt Zagrabelny <mzagrabe@xxxxxxxxx> wrote:
> > On Tue, Oct 29, 2024 at 10:48 AM Slavko <linux@xxxxxxxxxx> wrote:
> > >
> > > Dňa 29. októbra 2024 15:11:34 UTC používateľ Matt Zagrabelny <mzagrabe@xxxxxxxxx> napísal:
> > >
> > > >...but it is still dropping packets due to the CT.
> > >
> > > You have first to inspect what is filling your conntrack table:
> > >
> > >     conntrack -L
> >
> > I've waited a week to let the TCP streams in the conntrack table time
> > out. I'm still seeing the kernel drop packets:
>
> conntrack -F not working?

I didn't know about it. Just tried it. Seemed to work.

>
> > # tail -f /var/log/kern.log
> > Nov  6 11:29:02 netadm kernel: [48773744.961053] nf_conntrack: table
> > full, dropping packet.
> >
> > ...and confirmed with /proc:
> >
> > # cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
> > 65536
> >
> > ...but there aren't that many flows in the conntrack table, and none
> > in the expect table.
> >
> > # conntrack -L > /dev/null
> > conntrack v1.2.1 (conntrack-tools): 22 flow entries have been shown.
>
> Depending on userspace/kernel version this may only list ipv4.

Ahh...

>
> > Any idea where to find what is still causing the kernel to drop packets?
> >
> > I still need to handle the INVALID state, but here is my current rule-set:
> >
> > # Generated by iptables-save v1.4.14 on Wed Nov  6 11:40:00 2024
> > *raw
> > :PREROUTING ACCEPT [559078817:46637850935]
> > :OUTPUT ACCEPT [539455981:114717831525]
> > [311121010:22258566347] -A PREROUTING -p udp -m udp --dport 53 -j CT --notrack
> > [82158007:15791189816] -A PREROUTING -p udp -m udp --sport 53 -j CT --notrack
> > [160638557:7854716900] -A PREROUTING -p tcp -m tcp --dport 53 -j CT --notrack
> > [55174:13694242] -A PREROUTING -p tcp -m tcp --sport 53 -j CT --notrack
> > [82898530:7187312985] -A OUTPUT -p udp -m udp --dport 53 -j CT --notrack
> > [310815684:92319143568] -A OUTPUT -p udp -m udp --sport 53 -j CT --notrack
> > [81356:4991618] -A OUTPUT -p tcp -m tcp --dport 53 -j CT --notrack
> > [134221259:13321766219] -A OUTPUT -p tcp -m tcp --sport 53 -j CT --notrack
> > COMMIT
>
> Is this an ipv4 only system?

Nope. Dual-homed. Thanks for the reminder. I've added the
corresponding "notrack" rules to the v6 side.

Thanks again for the help!

-m





[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux