Problem: ip_conntrack table full in CentOS
[root@sv ~]# cat /var/log/messages
kernel: printk: 125 messages suppressed.
kernel: ip_conntrack: CT 0: table full, dropping packet.
kernel: printk: 99 messages suppressed.
kernel: ip_conntrack: CT 0: table full, dropping packet.
kernel: printk: 94 messages suppressed.
...
[root@sv ~]#

What it means: the connection-tracking table has reached ip_conntrack_max, so the kernel cannot create a new entry and drops the first packet of every new flow. Packets of flows that already have an entry still pass, which is why the box seems half alive (existing sessions work, new connections time out). The "messages suppressed" lines are printk rate limiting; the real number of dropped packets is higher than the number of log lines.
#check max ip_conntrack
[root@sv ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536
[root@sv ~]#
or
[root@sv ~]# sysctl net.ipv4.netfilter.ip_conntrack_max
net.ipv4.netfilter.ip_conntrack_max = 65536
[root@sv ~]#
#check ip_conntrack
[root@sv ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
65536
[root@sv ~]#
or
[root@sv ~]# wc -l /proc/net/ip_conntrack
65536 /proc/net/ip_conntrack
[root@sv ~]#

ip_conntrack_count equal to ip_conntrack_max confirms the table is full. Before raising the limit, look at what is in /proc/net/ip_conntrack: a table full of SYN_RECV entries from a few source addresses is a SYN flood, and a table full of idle ESTABLISHED entries is the 5-day default of ip_conntrack_tcp_timeout_established (432000 seconds) keeping dead sessions alive. In both cases a bigger table only delays the next "table full". (On newer kernels the same counters live under /proc/sys/net/netfilter/nf_conntrack_max and nf_conntrack_count, and the table is /proc/net/nf_conntrack.)
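To make the check above repeatable, here is an added example (my script, not from the original post) that reports table usage as a percentage and summarises which protocol and TCP state is filling /proc/net/ip_conntrack. It assumes the legacy CentOS 5 proc paths shown on this page and falls back to the newer nf_conntrack sysctl names; the table contents it summarises when no live table is present are a constructed sample, not output captured from the server above.

```shell
#!/bin/sh
# Added example: measure conntrack table pressure and see what fills it.
# Assumes the legacy /proc/sys/net/ipv4/netfilter/ip_conntrack_* paths from the
# page (CentOS 5); newer kernels expose the same counters under
# /proc/sys/net/netfilter/nf_conntrack_*. Only the legacy /proc/net/ip_conntrack
# line format is parsed here (nf_conntrack lines carry two extra leading fields).

# conntrack_usage_pct COUNT MAX: integer percentage of the table in use.
conntrack_usage_pct() {
    count="$1"; max="$2"
    [ "$max" -gt 0 ] 2>/dev/null || return 1
    echo $(( count * 100 / max ))
}

# conntrack_live_values: print "COUNT MAX" from whichever proc prefix exists.
conntrack_live_values() {
    for p in /proc/sys/net/ipv4/netfilter/ip_conntrack /proc/sys/net/netfilter/nf_conntrack; do
        if [ -r "${p}_count" ] && [ -r "${p}_max" ]; then
            echo "$(cat "${p}_count") $(cat "${p}_max")"
            return 0
        fi
    done
    return 1
}

# conntrack_state_summary: read ip_conntrack-format lines on stdin, print
# "PROTO STATE N" with the busiest first. Field 1 is the protocol name; for tcp,
# field 4 is the state (udp entries have no state, shown as "-").
# Many SYN_RECV entries point at a SYN flood; many idle ESTABLISHED entries
# point at the 5-day default ip_conntrack_tcp_timeout_established.
conntrack_state_summary() {
    awk '{ state = ($1 == "tcp") ? $4 : "-"; n[$1 " " state]++ }
         END { for (k in n) print k, n[k] }' | sort -k3,3nr
}

# Constructed sample in /proc/net/ip_conntrack format (not captured from the page's server).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=51234 dport=80 src=10.0.0.1 dst=10.0.0.5 sport=80 dport=51234 [ASSURED] use=1
tcp      6 118 TIME_WAIT src=10.0.0.6 dst=10.0.0.1 sport=51235 dport=80 src=10.0.0.1 dst=10.0.0.6 sport=80 dport=51235 [ASSURED] use=1
tcp      6 55 SYN_RECV src=198.51.100.9 dst=10.0.0.1 sport=40001 dport=80 src=10.0.0.1 dst=198.51.100.9 sport=80 dport=40001 use=1
tcp      6 48 SYN_RECV src=198.51.100.9 dst=10.0.0.1 sport=40002 dport=80 src=10.0.0.1 dst=198.51.100.9 sport=80 dport=40002 use=1
tcp      6 31 SYN_RECV src=198.51.100.9 dst=10.0.0.1 sport=40003 dport=80 src=10.0.0.1 dst=198.51.100.9 sport=80 dport=40003 use=1
udp      17 29 src=10.0.0.7 dst=10.0.0.1 sport=53 dport=40000 src=10.0.0.1 dst=10.0.0.7 sport=40000 dport=53 use=1'

# Report on the live table when this host has one, otherwise on the sample.
if vals=$(conntrack_live_values); then
    set -- $vals
    echo "conntrack: $1 of $2 entries in use ($(conntrack_usage_pct "$1" "$2")%)"
    [ -r /proc/net/ip_conntrack ] && conntrack_state_summary < /proc/net/ip_conntrack
else
    echo "no conntrack proc entries found; summarising the constructed sample"
    printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_state_summary
fi
```

Run it from cron or a monitoring check and alert well before 100%; once the table is full the kernel is already dropping new flows, and the log lines above are the only sign.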
Solutions: 1. Raise ip_conntrack_max / 2. Exempt traffic from tracking with iptables NOTRACK
1. Raise ip_conntrack_max

Apply the new limit immediately:

[root@sv ~]# sysctl -w net.ipv4.netfilter.ip_conntrack_max=131072
net.ipv4.netfilter.ip_conntrack_max = 131072
[root@sv ~]#

and record it so it survives a reboot:

[root@sv ~]# echo "net.ipv4.netfilter.ip_conntrack_max = 131072" >> /etc/sysctl.conf
[root@sv ~]# /sbin/sysctl -p

Two things to keep in mind when choosing the number. Each entry costs a few hundred bytes of non-swappable kernel memory, so size the table for the traffic you expect, not for "as large as possible". And ip_conntrack_max is only the entry limit: the hash table behind it has its own size (the ip_conntrack module parameter hashsize, visible in /sys/module/ip_conntrack/parameters/hashsize), and the default max is 8 times hashsize. Raising max alone makes the hash chains longer and every lookup slower; raise hashsize with it.

*If you find that after a reboot ip_conntrack_max is back at the default, the cause is boot order: on CentOS 5, rc.sysinit applies /etc/sysctl.conf before the iptables init script loads the ip_conntrack module, so at that moment the key does not exist and is skipped. Do not put the echo >> /etc/sysctl.conf line in /etc/rc.local as is sometimes suggested; that appends a new copy of the line on every boot. Keep the single line in /etc/sysctl.conf and add only the re-apply to /etc/rc.local:

/sbin/sysctl -p

Alternatively, set the hash size at module load time in /etc/modprobe.conf, which gives the matching default max (8 x 16384 = 131072) without any rc.local step:

options ip_conntrack hashsize=16384
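Added example (mine, not from the original post) of persisting the limit without the append-on-every-boot problem: the helper rewrites an existing key in place and only appends when the key is absent, so it is safe to run repeatedly. The key name is the one used on this page; the demonstration at the bottom runs against a scratch file created with mktemp, not the live /etc/sysctl.conf, and apply_conntrack_max is the only function that touches the real system.

```shell
#!/bin/sh
# Added example: idempotent sysctl.conf update for net.ipv4.netfilter.ip_conntrack_max.
# Assumes the CentOS 5 boot order described on the page (sysctl.conf is applied
# before ip_conntrack is loaded), so the boot-time re-apply is one "/sbin/sysctl -p"
# line in /etc/rc.local rather than another append to sysctl.conf.

# set_sysctl_conf FILE KEY VALUE: replace an existing "KEY = ..." line, else append.
set_sysctl_conf() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    # Escape the dots in the key so they are literal in the grep/sed patterns.
    ek=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^[[:space:]]*${ek}[[:space:]]*=" "$file"; then
        tmp="${file}.tmp.$$"   # sed -i is not POSIX; go through a temp file
        sed "s|^[[:space:]]*${ek}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_conf FILE KEY: print the configured value, or nothing if absent.
get_sysctl_conf() {
    awk -F= -v k="$2" '
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name)
          if (name == k) { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit } }' "$1"
}

# apply_conntrack_max VALUE [FILE]: record the limit once and apply it now.
# After this, "/sbin/sysctl -p" in /etc/rc.local re-applies it on every boot.
apply_conntrack_max() {
    set_sysctl_conf "${2:-/etc/sysctl.conf}" net.ipv4.netfilter.ip_conntrack_max "$1"
    /sbin/sysctl -w net.ipv4.netfilter.ip_conntrack_max="$1"
}

# Demonstration against a scratch file (constructed; not the live /etc/sysctl.conf).
demo=$(mktemp)
set_sysctl_conf "$demo" net.ipv4.netfilter.ip_conntrack_max 131072
set_sysctl_conf "$demo" net.ipv4.netfilter.ip_conntrack_max 131072   # repeat: must not add a second line
echo "configured: $(get_sysctl_conf "$demo" net.ipv4.netfilter.ip_conntrack_max), lines: $(wc -l < "$demo" | tr -d ' ')"
rm -f "$demo"
```

Call apply_conntrack_max 131072 as root to do the real change; rerunning it, or running sysctl -p from rc.local, leaves exactly one line for the key in /etc/sysctl.conf.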
2. Exempt traffic from tracking with iptables

iptables -t raw -A PREROUTING -j NOTRACK
iptables -t raw -A OUTPUT -j NOTRACK
service iptables save

The raw table is consulted before connection tracking, and a packet that hits NOTRACK never gets a table entry, so the table cannot fill. Written like this, with no match, the rules exempt all traffic, and that has consequences for the firewall itself: untracked packets have no conntrack state, so any rule using -m state (for example the usual "allow ESTABLISHED,RELATED in, drop the rest") no longer matches them, and NAT, which depends on tracking, stops working. On a host that uses either of these, blanket NOTRACK silently turns the stateful firewall into a stateless one. Only use the two rules above on a box with no NAT and no state-based rules, or add matches so that just the flow filling the table (typically high-volume DNS or other short-lived UDP) is exempted. service iptables save writes the running rules to /etc/sysconfig/iptables so they are restored at boot.

Then check ip_conntrack_count again.
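Added example (not from the original post) of scoping NOTRACK to one flow instead of all traffic. It assumes UDP port 53 is the flow filling the table (DNS is the usual case), that iptables has the raw table and the multiport match, and that the filter chains contain the usual -m state rules, which is why explicit ACCEPTs for the now-stateless packets are inserted at the top of INPUT and OUTPUT. The rules are printed rather than applied unless APPLY=1, so they can be reviewed first.

```shell
#!/bin/sh
# Added example: exempt only one high-volume flow (UDP/53) from connection tracking.
# Assumptions: iptables with the raw table and -m multiport; filter chains that rely
# on "-m state --state ESTABLISHED,RELATED", which untracked packets will not match.
# Dry-run by default; APPLY=1 runs the real iptables commands (needs root).

# ipt ARGS...: print the rule, or apply it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# notrack_udp_port PORT: stop tracking UDP traffic to or from PORT in both
# directions, then add the plain port-based ACCEPTs that those packets need,
# because they no longer carry any conntrack state for -m state to match.
notrack_udp_port() {
    port="$1"
    ipt -t raw -A PREROUTING -p udp -m multiport --ports "$port" -j NOTRACK
    ipt -t raw -A OUTPUT     -p udp -m multiport --ports "$port" -j NOTRACK
    ipt -I INPUT  1 -p udp -m multiport --ports "$port" -j ACCEPT
    ipt -I OUTPUT 1 -p udp -m multiport --ports "$port" -j ACCEPT
}

# notrack_rule_count PORT: number of rules the dry run emits (handy in review).
notrack_rule_count() { notrack_udp_port "$1" | wc -l | tr -d ' '; }

# Review the rules; run with APPLY=1 and then "service iptables save" to keep them.
notrack_udp_port 53
```

The ACCEPT rules are the part to think about before applying: matching on port alone means any UDP packet with source port 53 is accepted into INPUT, which is a well-known way to slip past port-based filters. On a resolver, tighten the INPUT rule to -d <resolver address> --dport 53 and the OUTPUT rule to -s <resolver address> --sport 53; on a client that only sends queries, reverse the directions. Whatever you exempt, the table no longer holds those flows, so they will not appear in /proc/net/ip_conntrack when you look at what is left.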
Canonical link: http://www.taxze.com/ip_conntrack-ct-0-table-full-dropping-packet/