Alcazar01 kernel: nf conntrack: table full, dropping packet


ip_conntrack / nf_conntrack "table full" error

The kernel logs errors of the following form:

Sep 25 07:35:24 alcazar01 kernel: nf_conntrack: table full, dropping packet.
Sep 25 07:35:27 alcazar01 last message repeated 9 times
Sep 25 07:35:29 alcazar01 kernel: printk: 24 messages suppressed.
Sep 25 07:35:29 alcazar01 kernel: nf_conntrack: table full, dropping packet.
Sep 25 07:35:35 alcazar01 kernel: printk: 26 messages suppressed.
Sep 25 07:35:35 alcazar01 kernel: nf_conntrack: table full, dropping packet.
Sep 25 07:35:39 alcazar01 kernel: printk: 24 messages suppressed.
Sep 25 07:35:39 alcazar01 kernel: nf_conntrack: table full, dropping packet.
Sep 25 07:54:00 alcazar01 kernel: printk: 23 messages suppressed.
Sep 25 07:54:00 alcazar01 kernel: nf_conntrack: table full, dropping packet.

The effect is packet loss, caused by the full table, on segments 144, 168, 171 and 172.

"kernel: Neighbour table overflow" table-full error

Nov 12 13:36:57 alcazar01 kernel: Neighbour table overflow.
Nov 12 13:37:05 alcazar01 last message repeated 6 times
Nov 12 13:46:53 alcazar01 kernel: Neighbour table overflow.
Nov 12 13:47:54 alcazar01 last message repeated 13 times
Nov 12 13:47:59 alcazar01 last message repeated 6 times
Nov 12 13:48:04 alcazar01 kernel: printk: 2 messages suppressed.
Nov 12 13:48:04 alcazar01 kernel: Neighbour table overflow.
Nov 12 13:48:07 alcazar01 kernel: Neighbour table overflow.
Nov 12 13:48:22 alcazar01 kernel: printk: 2 messages suppressed.
Nov 12 13:48:22 alcazar01 kernel: Neighbour table overflow.
Nov 12 13:48:29 alcazar01 last message repeated 3 times
Nov 12 13:48:32 alcazar01 kernel: printk: 2 messages suppressed.
Nov 12 13:48:32 alcazar01 kernel: Neighbour table overflow.

The effect is packet loss between segments 144, 168, 171 and 172, affecting multicast.
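The two log excerpts above are rate-limited by syslogd ("last message repeated N times") and by the kernel ("printk: N messages suppressed"), so counting printed lines badly understates how many packets were actually dropped. The following script is an added example, not part of the original wiki page: it expands those two forms into an event count that can be alerted on. The log lines embedded in it are constructed for the example and modelled on the page's excerpts; on a live host you would pipe in /var/log/messages or the output of `dmesg` instead.

```shell
#!/bin/sh
# Added example (not from the original page): estimate the real number of
# "table full" / "Neighbour table overflow" events from rate-limited syslog
# output. Sample log constructed for the example.

SAMPLE_LOG='Sep 25 07:35:24 alcazar01 kernel: nf_conntrack: table full, dropping packet.
Sep 25 07:35:27 alcazar01 last message repeated 9 times
Sep 25 07:35:29 alcazar01 kernel: printk: 24 messages suppressed.
Sep 25 07:35:29 alcazar01 kernel: nf_conntrack: table full, dropping packet.
Nov 12 13:36:57 alcazar01 kernel: Neighbour table overflow.
Nov 12 13:37:05 alcazar01 last message repeated 6 times
Nov 12 13:48:04 alcazar01 kernel: printk: 2 messages suppressed.
Nov 12 13:48:04 alcazar01 kernel: Neighbour table overflow.
Nov 12 13:50:00 alcazar01 sshd[4242]: Accepted publickey for admin from 10.0.0.5'

# count_table_events PATTERN  (log on stdin): prints the estimated event count.
# Heuristics, stated plainly:
#   - a "last message repeated N times" line adds N only when the line before
#     it matched PATTERN;
#   - a "printk: N messages suppressed" line is credited to the matching
#     message that immediately follows it (the kernel prints the notice as it
#     resumes printing) and discarded if an unrelated line follows instead.
count_table_events() {
    awk -v pat="$1" '
        /last message repeated [0-9]+ times/ {
            if (last_matched) {
                for (i = 1; i <= NF; i++) if ($i == "repeated") total += $(i + 1)
            }
            next
        }
        /printk: [0-9]+ messages suppressed/ {
            for (i = 1; i <= NF; i++) if ($i == "printk:") pending += $(i + 1)
            next
        }
        $0 ~ pat { total += 1 + pending; pending = 0; last_matched = 1; next }
        { last_matched = 0; pending = 0 }      # unrelated line: nothing to attribute
        END { print total + 0 }
    '
}

# Convenience wrappers over the constructed sample.
conntrack_drops() { printf '%s\n' "$SAMPLE_LOG" | count_table_events 'nf_conntrack: table full'; }
neigh_overflows() { printf '%s\n' "$SAMPLE_LOG" | count_table_events 'Neighbour table overflow'; }

echo "conntrack drops:     $(conntrack_drops)"    # 35 for the sample above
echo "neighbour overflows: $(neigh_overflows)"    # 10 for the sample above
```

The sample's four nf_conntrack lines expand to 35 events (1 + 9 repeats + 24 suppressed + 1), which is the figure worth trending over time; a table that hits "full" only during a short burst and a table that is permanently full call for different sizes in the fix below.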

Solution

Increase the size of the kernel netfilter conntrack hash table.

alcazar01:~# cat /etc/modprobe.conf
options nf_conntrack expect_hashsize=131072 hashsize=131072

Note: on kernels up to 2.6.19 the module is ip_conntrack (ip_conntrack hashsize=524288); from 2.6.20 onwards it is nf_conntrack.

Increase the following kernel variables:

echo 256 > /proc/sys/net/ipv4/neigh/default/gc_thresh1 (default 128)
echo 512 > /proc/sys/net/ipv4/neigh/default/gc_thresh2 (default 256)
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh3 (default 1024)

These can be made persistent by adding them to /etc/sysctl.conf:

net.ipv4.neigh.default.gc_thresh1=512
net.ipv4.neigh.default.gc_thresh2=1024
net.ipv4.neigh.default.gc_thresh3=2048
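Before and after applying the sizes above it is worth measuring how full the conntrack table actually is, and checking that the three neighbour thresholds are ascending (gc_thresh3 is the hard ceiling on neighbour entries; gc_thresh1 and gc_thresh2 give the garbage collector headroom below it). The script below is an added example, not part of the original page. It assumes the counter locations used by common kernels: from 2.6.20 nf_conntrack exposes /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max, while older ip_conntrack kernels use /proc/sys/net/ipv4/netfilter/ip_conntrack_count and ip_conntrack_max. The base directory is a parameter only so the functions can be run against a constructed tree; on a real host call them with no argument.

```shell
#!/bin/sh
# Added example (not from the original page): report conntrack table usage
# and sanity-check the neighbour gc thresholds. Paths are assumptions about
# where common kernels expose the counters; BASEDIR defaults to /proc/sys/net.

# conntrack_usage_pct [BASEDIR]: print the integer percentage of the table in use.
conntrack_usage_pct() {
    base="${1:-/proc/sys/net}"
    if [ -r "$base/netfilter/nf_conntrack_count" ]; then           # nf_conntrack, >= 2.6.20
        count=$(cat "$base/netfilter/nf_conntrack_count")
        max=$(cat "$base/netfilter/nf_conntrack_max")
    elif [ -r "$base/ipv4/netfilter/ip_conntrack_count" ]; then    # ip_conntrack, <= 2.6.19
        count=$(cat "$base/ipv4/netfilter/ip_conntrack_count")
        max=$(cat "$base/ipv4/netfilter/ip_conntrack_max")
    else
        echo "no conntrack counters found under $base" >&2
        return 1
    fi
    echo $(( count * 100 / max ))
}

# conntrack_status [BASEDIR] [WARN_PCT]: one OK/WARN line. Above WARN_PCT
# (default 80) a burst of new flows is enough to start producing
# "nf_conntrack: table full, dropping packet".
conntrack_status() {
    pct=$(conntrack_usage_pct "$1") || return 1
    if [ "$pct" -ge "${2:-80}" ]; then
        echo "WARN conntrack table ${pct}% full"
    else
        echo "OK conntrack table ${pct}% full"
    fi
}

# neigh_thresholds_ok [BASEDIR]: succeed only when gc_thresh1 < gc_thresh2 < gc_thresh3.
# gc_thresh3 is the ceiling on neighbour entries; when it cannot be exceeded the
# kernel reports "Neighbour table overflow", so the lower two must sit beneath it
# for garbage collection to run before the ceiling is hit.
neigh_thresholds_ok() {
    d="${1:-/proc/sys/net}/ipv4/neigh/default"
    t1=$(cat "$d/gc_thresh1") && t2=$(cat "$d/gc_thresh2") && t3=$(cat "$d/gc_thresh3") || return 1
    [ "$t1" -lt "$t2" ] && [ "$t2" -lt "$t3" ]
}

# make_fixture: constructed /proc/sys/net tree for a demonstration run:
# a conntrack table 90% full and the neighbour thresholds from the sysctl.conf lines above.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/netfilter" "$dir/ipv4/neigh/default"
    echo 59000 > "$dir/netfilter/nf_conntrack_count"
    echo 65536 > "$dir/netfilter/nf_conntrack_max"
    echo 512  > "$dir/ipv4/neigh/default/gc_thresh1"
    echo 1024 > "$dir/ipv4/neigh/default/gc_thresh2"
    echo 2048 > "$dir/ipv4/neigh/default/gc_thresh3"
    echo "$dir"
}

fixture=$(make_fixture)
conntrack_status "$fixture"                       # WARN conntrack table 90% full
if neigh_thresholds_ok "$fixture"; then
    echo "neighbour thresholds ascending"
else
    echo "neighbour thresholds misordered"
fi
rm -rf "$fixture"
```

Run with no arguments on the host itself (`conntrack_status` and `neigh_thresholds_ok`) to read the live counters; the constructed fixture exists only to show the output format offline. A table that sits close to nf_conntrack_max even when no drops are being logged is the case where raising hashsize alone is not enough and nf_conntrack_max also needs headroom.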

--Rbravo 12:59 12 nov 2008 (UTC)