maxxle
2003-Feb-19 00:31 UTC
[Shorewall-users] Tons of "ip_conntract: table full, dropping packet"
Hi!

I get a lot of messages: "ip_conntract: table full, dropping packet" on my console although I have disabled the logging information in /etc/shorewall/policy: LOG LEVEL ==> "-"

Is there still another point where I can disable logging?

maxxle
Cowles, Steve
2003-Feb-19 02:48 UTC
[Shorewall-users] Tons of "ip_conntract: table full, dropping packet"
> -----Original Message-----
> From: maxxle@t-online.de
> Sent: Wednesday, February 19, 2003 3:30 AM
> Subject: [Shorewall-users] Tons of "ip_conntract: table full, dropping packet"
>
> Hi!
>
> I get a lot of messages: "ip_conntract: table full, dropping packet" on my console although I have disabled the logging information in /etc/shorewall/policy: LOG LEVEL ==> "-"

First, I think you should try and figure out why your conntrack tables are filling up. Something's not right.

> Is there still another point where I can disable logging?

Checkout: man dmesg -- In particular the -n option.

Steve Cowles
Tom Eastep
2003-Feb-19 07:44 UTC
[Shorewall-users] Tons of "ip_conntract: table full, dropping packet"
Cowles, Steve wrote:
> First, I think you should try and figure out why your conntrack tables are filling up. Something's not right.

Definitely -- you may need to expand the size of the table (/proc/sys/net/ipv4/ip_conntrack_max).

>> Is there still another point where I can disable logging?
>
> Checkout: man dmesg -- In particular the -n option.

Also note that these are NOT Shorewall-related messages -- they are generated by the connection tracking facility in the kernel and Shorewall has no control over their generation.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2003-Feb-19 12:45 UTC
[Shorewall-users] Tons of "ip_conntract: table full, dropping packet"
maxxle wrote:
> Could you please tell me, how I can expand the size of this table?
> /proc/sys/net/ipv4/ip_conntrack_max tells me 7168.

The same way that you change ANY value in /proc/sys -- you can use the echo builtin to write the new value into the pseudo file. You need to arrange for that to happen each time that your system boots though. Under RedHat, you can do that by adding an entry to /etc/sysctl.conf.

> What can be the reason for this behavior?

You are trying to track more than 7168 simultaneous connections OR you have asymmetric routing which is tying up a lot of connection tracking entries in the kernel or you are running some sort of braindead application.

> Note: I have an edonkey client running on the box (mldonkey)

I don't know what effect that has but I'm sure it isn't good...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
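The check and the fix Tom describes, written out as a small POSIX shell script. This is an added example, not code from the thread, from Shorewall, or from Tom Eastep. It assumes the 2.4-era /proc paths named above (/proc/sys/net/ipv4/ip_conntrack_max and the entry list in /proc/net/ip_conntrack), with the newer nf_conntrack names as fallbacks; the 80% threshold and the "double it" suggestion are my own choices, not something the thread prescribes. Note that Steve's `dmesg -n` only stops the message reaching the console; the kernel still drops the packets of new connections while the table is full, which is the part that actually matters.

```shell
#!/bin/sh
# Added example (not from the thread): measure how full the kernel's connection
# tracking table is, and produce the persistent sysctl.conf entry Tom describes.
# Assumptions: 2.4-era paths from the thread plus nf_conntrack fallbacks; the
# 80% threshold and the doubling rule are illustrative, not kernel defaults.

# Print the first readable path among the arguments; fail if none exists.
first_readable() {
    for p in "$@"; do
        if [ -r "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Integer percentage of the table in use: tracked entries / ip_conntrack_max.
conntrack_usage_pct() {
    count=$1
    max=$2
    if [ "$max" -le 0 ]; then
        echo 0
        return 1
    fi
    echo $(( count * 100 / max ))
}

# Line for /etc/sysctl.conf so the larger table survives a reboot (RedHat-style,
# as in the thread). The key mirrors the /proc/sys path with dots for slashes.
sysctl_conf_line() {
    echo "net.ipv4.ip_conntrack_max = $1"
}

# Suggested new maximum: double the current one. Each tracked connection pins
# roughly a few hundred bytes of kernel memory, so this is a memory trade-off.
suggest_max() {
    echo $(( $1 * 2 ))
}

# Live check; harmless on a host where the conntrack module is not loaded.
max_file=$(first_readable /proc/sys/net/ipv4/ip_conntrack_max \
                          /proc/sys/net/netfilter/nf_conntrack_max) || max_file=""
table_file=$(first_readable /proc/net/ip_conntrack /proc/net/nf_conntrack) || table_file=""

if [ -n "$max_file" ] && [ -n "$table_file" ]; then
    max=$(cat "$max_file")
    count=$(wc -l < "$table_file")
    pct=$(conntrack_usage_pct "$count" "$max") || pct=0
    echo "conntrack: $count of $max entries in use ($pct%)"
    if [ "$pct" -ge 80 ]; then
        new=$(suggest_max "$max")
        echo "table nearly full; to raise it now (as root): echo $new > $max_file"
        echo "to make it persistent, add to /etc/sysctl.conf: $(sysctl_conf_line "$new")"
    fi
else
    echo "no conntrack table found under /proc (module not loaded, or a different kernel)"
fi
```

Raising the limit only buys headroom; if the table fills again, look at what is holding the entries (the entry list shows per-connection state and timeouts), since Tom's three causes (genuinely many connections, asymmetric routing leaving half-open state behind, or a misbehaving application) each leave a different pattern there. Newer kernels report the same condition as "nf_conntrack: table full, dropping packet".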