Re: Anyone know how to make the iptables connection tracking table allocation larger?
On May 17, 5:17 pm, "D. Stussy" <s...@bde-arc.ampr.org> wrote:
> I ask because I'm seeing this in my logs:
>
> May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
> May 17 03:25:08 (none) last message repeated 9 times
> May 17 03:25:47 (none) last message repeated 8 times
> May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
> May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
> May 17 03:26:29 (none) last message repeated 7 times
> May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
> May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.
> ...
>
> Is there some setting in /proc/sys that I can change? If it's a static
> value and I have to recompile the kernel, please point me to which file
> needs changing....
This drove me nuts, as it allows a very simple denial-of-service
attack, even if you raise the number. I eventually wrote a patch to
cause the system to *pass* a packet when the table is full rather than
drop it. Obviously, you don't want to do this if you use connection
tracking for security reasons rather than rate shaping or accounting
reasons.
DS
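The tunable the original question asks about does exist: /proc/sys/net/netfilter/nf_conntrack_max (older kernels: /proc/sys/net/ipv4/netfilter/ip_conntrack_max) is the table size, and nf_conntrack_count beside it is the current fill level. The helper script below is an added example for this thread, not the poster's patch or anything from the kernel tree. It counts the drops the kernel actually reported in syslog text like the lines quoted above (expanding "last message repeated N times" and summing printk's "N messages suppressed" notices as a lower bound), reports table headroom from the sysctl files, and writes a sysctl.d drop-in that raises the limit and shortens the established-TCP timeout. The file paths under /proc are real; the sample log is the one quoted in the post, the 86400-second timeout and the drop-in name are illustrative choices.

```shell
#!/bin/sh
# Added example for this thread (not the poster's code): diagnose and tune
# the nf_conntrack table on a Linux host.

# Sample input: the syslog lines quoted in the original post.
SAMPLE_LOG='May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
May 17 03:25:08 (none) last message repeated 9 times
May 17 03:25:47 (none) last message repeated 8 times
May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
May 17 03:26:29 (none) last message repeated 7 times
May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.'

# count_conntrack_drops: read syslog text on stdin, print "<logged> <suppressed>".
# <logged> counts every "table full" drop the kernel wrote to the log, expanding
# syslog's "last message repeated N times" only when the repeated message was
# the conntrack drop. <suppressed> sums printk's "N messages suppressed" notices;
# those are rate-limited drops that never reached the log, so it is a lower bound.
count_conntrack_drops() {
    awk '
        /nf_conntrack: table full, dropping packet/ { logged++; prev_full = 1; next }
        /last message repeated [0-9]+ times/ {
            if (prev_full) { n = $0; sub(/.*repeated /, "", n); sub(/ times.*/, "", n); logged += n }
            next
        }
        /printk: [0-9]+ messages suppressed/ {
            n = $0; sub(/.*printk: /, "", n); sub(/ messages.*/, "", n); suppressed += n
            prev_full = 0; next
        }
        { prev_full = 0 }
        END { printf "%d %d\n", logged, suppressed }
    '
}

# conntrack_usage: print "<count>/<max> <percent>%" so the table can be watched
# before it fills. The paths are parameters (defaulting to the live /proc files)
# so the function can be exercised against ordinary files as well.
conntrack_usage() {
    count_file=${1:-/proc/sys/net/netfilter/nf_conntrack_count}
    max_file=${2:-/proc/sys/net/netfilter/nf_conntrack_max}
    [ -r "$count_file" ] && [ -r "$max_file" ] || { echo "nf_conntrack not loaded" >&2; return 1; }
    count=$(cat "$count_file")
    max=$(cat "$max_file")
    echo "$count/$max $(( count * 100 / max ))%"
}

# write_conntrack_sysctl <file> <max> [<established_timeout_seconds>]
# Writes a sysctl.d drop-in. The kernel default for the established-TCP timeout
# is 432000 s (5 days); the 86400 s default here is an illustrative choice that
# lets idle entries age out of the table faster. Apply with: sysctl -p <file>
# Caveat: nf_conntrack_max is a cap on entries, not on hash buckets. Raising it
# without also raising /sys/module/nf_conntrack/parameters/hashsize (or the
# "hashsize" module option in /etc/modprobe.d) just lengthens the bucket chains.
write_conntrack_sysctl() {
    out=$1
    max=$2
    established=${3:-86400}
    cat > "$out" <<EOF
# nf_conntrack tuning (generated by write_conntrack_sysctl)
net.netfilter.nf_conntrack_max = $max
net.netfilter.nf_conntrack_tcp_timeout_established = $established
EOF
}

# Demo against the sample log: 3 logged drop lines + 9 + 8 + 7 repeats = 27,
# with at least 13 more suppressed by printk rate limiting.
printf '%s\n' "$SAMPLE_LOG" | count_conntrack_drops
```

Run `conntrack_usage` with no arguments on the firewall itself to see how close the table is to nf_conntrack_max; if it sits near the limit under normal load, raise the limit and hashsize together rather than only the limit. Passing packets on table full, as the poster's patch does, removes the drop but also means any flow that arrives while the table is full is never stateful, so rules that rely on ESTABLISHED/RELATED state will not see it.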