Anyone know how to make the iptables connection tracking table allocation larger? (Linux Networking forum, Linux Forums)
I ask because I'm seeing this in my logs:

May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
May 17 03:25:08 (none) last message repeated 9 times
May 17 03:25:47 (none) last message repeated 8 times
May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
May 17 03:26:29 (none) last message repeated 7 times
May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.
...

Is there some setting in /proc/sys that I can change? If it's a static value and I have to recompile the kernel, please point me to which file needs changing....

D. Stussy wrote:
> I ask because I'm seeing this in my logs:
>
> May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
> May 17 03:25:08 (none) last message repeated 9 times
> May 17 03:25:47 (none) last message repeated 8 times
> May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
> May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
> May 17 03:26:29 (none) last message repeated 7 times
> May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
> May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.
> ...
>
> Is there some setting in /proc/sys that I can change? If it's a static
> value and I have to recompile the kernel, please point me to which file
> needs changing....

A little googling seems to indicate that /proc/sys/net/ipv4/ip_conntrack_max contains the information. To change it to 8192 then

echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

Larry

On May 17, 5:17 pm, "D. Stussy" <s...@bde-arc.ampr.org> wrote:
> I ask because I'm seeing this in my logs:
>
> May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
> May 17 03:25:08 (none) last message repeated 9 times
> May 17 03:25:47 (none) last message repeated 8 times
> May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
> May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
> May 17 03:26:29 (none) last message repeated 7 times
> May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
> May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.
> ...
>
> Is there some setting in /proc/sys that I can change? If it's a static
> value and I have to recompile the kernel, please point me to which file
> needs changing....

This drove me nuts, as it allows a very simple denial-of-service attack, even if you raise the number. I eventually wrote a patch to cause the system to *pass* a packet when the table is full rather than drop it. Obviously, you don't want to do this if you use connection tracking for security reasons rather than rate shaping or accounting reasons.

DS

On Sun, 18 May 2008 01:06:06 GMT, Larry Finger <Larry.Finger@lwfinger.net> wrote:
>D. Stussy wrote:
>> I ask because I'm seeing this in my logs:
>>
>> May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
>> May 17 03:25:08 (none) last message repeated 9 times
>> May 17 03:25:47 (none) last message repeated 8 times
>> May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
>> May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
>> May 17 03:26:29 (none) last message repeated 7 times
>> May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
>> May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.
>> ...
>>
>> Is there some setting in /proc/sys that I can change? If it's a static
>> value and I have to recompile the kernel, please point me to which file
>> needs changing....
>
>A little googling seems to indicate that /proc/sys/net/ipv4/ip_conntrack_max
>contains the information. To change it to 8192 then
>
>echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

Um, you seem to be out of date? I have default value:

~$ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
16384

with:
~$ uname -r
2.6.24.7a

Grant.
--
http://bugsplatter.mine.nu/

Grant wrote:
> On Sun, 18 May 2008 01:06:06 GMT, Larry Finger <Larry.Finger@lwfinger.net> wrote:
>
>> D. Stussy wrote:
>>> I ask because I'm seeing this in my logs:
>>>
>>> May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
>>> May 17 03:25:08 (none) last message repeated 9 times
>>> May 17 03:25:47 (none) last message repeated 8 times
>>> May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
>>> May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
>>> May 17 03:26:29 (none) last message repeated 7 times
>>> May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
>>> May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.
>>> ...
>>>
>>> Is there some setting in /proc/sys that I can change? If it's a static
>>> value and I have to recompile the kernel, please point me to which file
>>> needs changing....
>>
>> A little googling seems to indicate that /proc/sys/net/ipv4/ip_conntrack_max
>> contains the information. To change it to 8192 then
>>
>> echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max
>
> Um, you seem to be out of date? I have default value:
>
> ~$ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> 16384
>
> with:
> ~$ uname -r
> 2.6.24.7a

It is memory dependent and set dynamically at boot time. I just gave an example.

BTW, the documentation says that there will be ~350 bytes of non-paged kernel memory for each allowed connection.

Larry

"Grant" <g_r_a_n_t_@dodo.com.au> wrote in message
news:ricv24h2unolaf7804ttsmlg8nuq8uibiq@4ax.com...
> On Sun, 18 May 2008 01:06:06 GMT, Larry Finger <Larry.Finger@lwfinger.net> wrote:
> >D. Stussy wrote:
> >> I ask because I'm seeing this in my logs:
> >>
> >> May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
> >> May 17 03:25:08 (none) last message repeated 9 times
> >> May 17 03:25:47 (none) last message repeated 8 times
> >> May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
> >> May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
> >> May 17 03:26:29 (none) last message repeated 7 times
> >> May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
> >> May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.
> >> ...
> >>
> >> Is there some setting in /proc/sys that I can change? If it's a static
> >> value and I have to recompile the kernel, please point me to which file
> >> needs changing....
> >
> >A little googling seems to indicate that /proc/sys/net/ipv4/ip_conntrack_max
> >contains the information. To change it to 8192 then
> >
> >echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max
>
> Um, you seem to be out of date? I have default value:
>
> ~$ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> 16384
>
> with:
> ~$ uname -r
> 2.6.24.7a

Thank you. Now that I know where to look, I checked and saw this:

$ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536

Do I already have a maximal value? I guess not, because I was able to set it to 131072 successfully. However, if internally, a short integer (16 bits) is used, then that won't make a difference.

I'm using kernel version 2.6.25.4 - so maybe the defaults are larger.

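A worked version of the procedure the posts above circle around (find the right sysctl, estimate what a bigger table costs, raise it, and work out how many drops the OP's log actually represents), added here as an example; it is not code from any poster in this thread. It assumes the sysctl file names listed in the script (the net.netfilter.nf_conntrack_max path used by nf_conntrack, plus the net.ipv4.netfilter.ip_conntrack_max alias Grant shows), a writable hashsize module parameter under /sys/module/nf_conntrack/parameters, and Larry's ~350 bytes per entry as nothing more than a sizing rule of thumb. The log it parses is the OP's excerpt, embedded as constructed sample input.

```shell
#!/bin/sh
# Added example, not from the thread. Inspect, size and raise the netfilter
# connection-tracking limit, and count the drops a klogd/syslog excerpt
# reports. Assumptions (not stated by any poster): the sysctl paths tried in
# conntrack_max_path, the writable hashsize parameter, and the 350-byte
# per-entry estimate, which is only an order-of-magnitude figure.

# Print the first readable conntrack "max" sysctl file under $1 (default /).
# Return 1 if none exists: conntrack is not loaded, or not built in.
conntrack_max_path() {
    root="${1:-/}"; root="${root%/}"
    for rel in proc/sys/net/netfilter/nf_conntrack_max \
               proc/sys/net/ipv4/netfilter/ip_conntrack_max; do
        if [ -r "$root/$rel" ]; then
            printf '%s\n' "$root/$rel"
            return 0
        fi
    done
    return 1
}

# Estimated non-pageable kernel memory in KiB for $1 entries at $2 bytes
# each (default 350, the figure quoted in the thread; the real size depends
# on kernel version and loaded helpers, so treat it as a rule of thumb).
conntrack_mem_kib() {
    echo $(( $1 * ${2:-350} / 1024 ))
}

# Sum the packets dropped for "table full" from log text on stdin.
# One log line can stand for many drops: syslog folds identical lines into
# "last message repeated N times", and printk's rate limiter reports
# "N messages suppressed" for lines it never emitted at all. Both are
# added in, so the result is the number of drops the log accounts for,
# not the number of lines that mention them.
count_conntrack_drops() {
    awk '
        /nf_conntrack: table full, dropping packet/ { n++; last = "drop"; next }
        /last message repeated [0-9]+ times/  { if (last == "drop") n += $(NF-1); next }
        /printk: [0-9]+ messages suppressed/  { n += $(NF-2); last = ""; next }
        { last = "" }
        END { print n + 0 }
    '
}

# Constructed sample input: the OP's excerpt, one message per line.
SAMPLE_LOG='May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
May 17 03:25:08 (none) last message repeated 9 times
May 17 03:25:47 (none) last message repeated 8 times
May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
May 17 03:26:29 (none) last message repeated 7 times
May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.'

# Drops accounted for by the sample above (1+9+8+12+1+7+1+1).
sample_drop_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_conntrack_drops
}

# Raise the limit to $1 at runtime and persist it. Needs root. The hash
# table is grown with it (assumed writable via the hashsize parameter):
# the kernel derives its default max from hashsize by a small factor, so
# raising max alone only makes the bucket chains longer.
raise_conntrack_max() {
    new_max="$1"
    path="$(conntrack_max_path /)" || { echo "conntrack not loaded" >&2; return 1; }
    echo "current: $(cat "$path"), requested: $new_max (~$(conntrack_mem_kib "$new_max") KiB)"
    echo "$new_max" > "$path"
    if [ -w /sys/module/nf_conntrack/parameters/hashsize ]; then
        echo $(( new_max / 4 )) > /sys/module/nf_conntrack/parameters/hashsize
    fi
    key="$(echo "${path#/proc/sys/}" | tr / .)"        # e.g. net.netfilter.nf_conntrack_max
    printf '%s = %s\n' "$key" "$new_max" > /etc/sysctl.d/90-conntrack.conf
}

if [ "$#" -gt 0 ]; then
    case "$1" in
        count) count_conntrack_drops ;;      # dmesg | ./conntrack.sh count
        raise) raise_conntrack_max "$2" ;;   # ./conntrack.sh raise 131072
    esac
fi
```

Raising the limit buys headroom, not immunity: the denial of service DS describes still works against a bigger table, it just needs more connections. Before patching the kernel to pass packets on a full table, the two knobs a practitioner reaches for first are exempting traffic that does not need stateful tracking in the raw table (iptables -t raw -A PREROUTING ... -j NOTRACK) and shortening nf_conntrack_tcp_timeout_established, whose default of five days keeps idle entries alive long after the peer is gone. Watch nf_conntrack_count against nf_conntrack_max to see how close to the limit the box runs.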
Hello,

D. Stussy wrote:
>
> $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> 65536
>
> Do I already have a maximal value? I guess not, because I was able to set
> it to 131072 successfully. However, if internally, a short integer (16
> bits) is used, then that won't make a difference.

ip_conntrack_max is an int. 65536 (2^16) would not fit in a short int.

"Pascal Hambourg" <boite-a-spam@plouf.fr.eu.org> wrote in message
news:g0q4b0$1c0q$1@biggoron.nerim.net...
> Hello,
>
> D. Stussy wrote:
> >
> > $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> > 65536
> >
> > Do I already have a maximal value? I guess not, because I was able to set
> > it to 131072 successfully. However, if internally, a short integer (16
> > bits) is used, then that won't make a difference.
>
> ip_conntrack_max is an int. 65536 (2^16) would not fit in a short int.

That depends on implementation. It's quite possible that such means all values 0-65535 are in use (so it actually prints the top value +1). This is a "border value" and therefore suspect. One could still be using a short int to do indexing into an associative array. That also means that although it allowed me to set a larger value, that value might not be honored over a pre-compiled limit.

D. Stussy wrote:
>
> That depends on implementation. It's quite possible that such means all
> values 0-65535 are in use (so it actually prints the top value +1). This is
> a "border value" and therefore suspect. One could still be using a short
> int to do indexing into an associative array. That also means that although
> it allowed me to set a larger value, that value might not be honored over a
> pre-compiled limit.

In include/net/netfilter/nf_conntrack.h, one finds

extern int nf_conntrack_max

It is a 32-bit integer. As it is signed, you will be limited to roughly 2 billion connections, but I doubt you have that much RAM. ;)

Larry