2025-04-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article covers how to fix the "ip_conntrack: table full, dropping packet" error and the packet loss it causes on CentOS.
So why does "ip_conntrack: table full, dropping packet" appear? iptables uses a connection tracking table to record the state of each connection. When that table is full, the kernel drops packets and writes this message to the log. When should you look for this message in the log?
When pinging the server shows packet loss or unstable, fluctuating latency, and you have ruled out the network link, suspect "ip_conntrack: table full, dropping packet".
The solutions to "ip_conntrack: table full, dropping packet" are described below:
Solutions under CentOS 6 / RHEL 5:
1. Run:
The code is as follows:
sysctl -w net.ipv4.netfilter.ip_conntrack_max=100000
2. Add to /etc/sysctl.conf:
The code is as follows:
net.ipv4.netfilter.ip_conntrack_max = 100000
3. Apply the setting:
The code is as follows:
sysctl -p
Solutions under CentOS 6 / RHEL 6:
1. Run:
The code is as follows:
sysctl -w net.nf_conntrack_max=100000
2. Add to /etc/sysctl.conf:
The code is as follows:
net.nf_conntrack_max = 100000
3. Apply the setting:
The code is as follows:
sysctl -p
* If a Xen DomU shows sporadic packet loss or fluctuating ping times, and ping returns to normal once iptables is disabled, this is probably the cause.
Alternatively, try the methods below.
One. The server is dropping a large number of packets, and the messages log shows the following error:
kernel: ip_conntrack: table full, dropping packet
The solution:
The code is as follows:
# Display the current number of tracked connections:
cat /proc/net/ip_conntrack | wc -l
# Display the maximum number of conntrack entries currently configured:
cat /proc/sys/net/ipv4/ip_conntrack_max
# Once the former is greater than the latter, the system reports the error. The fix:
echo "" > /proc/sys/net/ipv4/ip_conntrack_max
# Then write the setting to /etc/sysctl.conf:
net.ipv4.ip_conntrack_max =
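The comparison described above (current entries against the configured maximum) can be run as a check before the table fills, together with a count of the kernel's drop messages. This is an added example, not code from the original article; the function names, the proc_root argument and the sample /proc tree and log lines are constructed for illustration.

```shell
# Added example, not the article's code. The proc_root argument is a
# hypothetical hook so the checks can run on constructed sample files.

# Print the first readable file among the arguments; fail if none exists.
first_readable() {
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    return 1
}

# conntrack_usage [proc_root] -> "count max percent"; status 2 if not loaded
conntrack_usage() {
    root=${1:-/proc}
    max=$(first_readable "$root/sys/net/netfilter/nf_conntrack_max" \
        "$root/sys/net/nf_conntrack_max" \
        "$root/sys/net/ipv4/netfilter/ip_conntrack_max" \
        "$root/sys/net/ipv4/ip_conntrack_max") || return 2
    # Newer kernels export a counter; on older ones count the table's lines.
    count=$(first_readable "$root/sys/net/netfilter/nf_conntrack_count" \
        "$root/sys/net/ipv4/netfilter/ip_conntrack_count") || {
        [ -r "$root/net/ip_conntrack" ] || return 2
        count=$(wc -l < "$root/net/ip_conntrack")
    }
    count=$(printf '%s' "$count" | tr -d ' ')
    echo "$count $max $((count * 100 / max))"
}

# conntrack_over [proc_root] [percent] -> status 0 when usage >= percent
conntrack_over() {
    u=$(conntrack_usage "${1:-/proc}") || return 2
    [ "${u##* }" -ge "${2:-80}" ]
}

# conntrack_drops <logfile> -> number of "table full" messages in the log
conntrack_drops() {
    grep -c 'conntrack: table full, dropping packet' "$1" || true
}

# Constructed sample data: a 2.6-style /proc tree at 90% and three log lines.
sample=$(mktemp -d)
mkdir -p "$sample/sys/net/ipv4/netfilter" "$sample/net"
echo 100000 > "$sample/sys/net/ipv4/netfilter/ip_conntrack_max"
echo 90000 > "$sample/sys/net/ipv4/netfilter/ip_conntrack_count"
printf '%s\n' \
  'Jan  1 00:00:01 gw kernel: ip_conntrack: table full, dropping packet.' \
  'Jan  1 00:00:02 gw sshd[411]: Accepted publickey for admin' \
  'Jan  1 00:00:05 gw kernel: nf_conntrack: table full, dropping packet' \
  > "$sample/messages"
conntrack_usage "$sample"; conntrack_drops "$sample/messages"
```

On a real host, call `conntrack_over` with no arguments from cron or a monitoring agent and alert on status 0; a non-zero result from `conntrack_drops` means the limit has already been hit.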
Two. There are two things to pay attention to:
- the maximum number of conntrack entries, called conntrack_max
- the size of the hash table that stores these entries, called hashsize
When the number of conntrack entries is greater than conntrack_max, the number of entries stored in each list of the hash table can no longer be controlled. (conntrack_max / hashsize is the number of entries that each list can store.)
The hash table lives in fixed, non-swappable memory. conntrack_max determines how much of this non-swappable memory is used.
Default hashsize
--
conntrack_max = hashsize * 8
On i386: hashsize = conntrack_max / 8 = ramsize (in bytes) / 131072 = ramsize (in megabytes) * 8
So a 32-bit PC with 512 MB of memory can hold 512 * 1024^2 / 128 / 1024 = 512 * 8 = 4096 buckets (linked lists).
But the correct formula is:
hashsize = conntrack_max / 8 = ramsize (in bytes) / 131072 / (x / 32)
where x is the number of bits in a pointer (32 or 64).
--
Read the conntrack_max value
2.4 kernel:
cat /proc/sys/net/ipv4/ip_conntrack_max
2.6 kernel:
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
Read the hashsize value
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
--
You can modify these two values to suit high-load netfilter applications.
By default the ratio conntrack_max:hashsize is 8:1; you can set it to 1:1 to improve performance.
--
Set conntrack_max
echo $CONNTRACK_MAX > /proc/sys/net/ipv4/ip_conntrack_max
Set hashsize
If netfilter conntrack is compiled statically into the kernel, hashsize can be set at compile time on 2.4, and on 2.6 by adding ip_conntrack.hashsize=$hashsize to the kernel parameters at boot.
If it is built as a module, use modprobe ip_conntrack hashsize=$hashsize
--
A method that has been tried in practice:
vi /etc/modprobe.conf
Add:
options ip_conntrack hashsize=524288
vi /etc/sysctl.conf
net.ipv4.netfilter.ip_conntrack_max = 524288 (calculate this from your own physical memory)
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
--
Memory used by conntrack
size_of_mem_used_by_conntrack (in bytes) =
CONNTRACK_MAX * sizeof(struct ip_conntrack) +
HASHSIZE * sizeof(struct list_head)
where sizeof(struct ip_conntrack) is about 192-352 bytes and
sizeof(struct list_head) = 2 * size_of_a_pointer (a pointer is 4 bytes on i386).
For example, take 512 MB of memory with 384 MB of it used for conntrack:
384 * 1024 * 1024 / (352 + 8) (a conservative calculation) = ~1143901 (with conntrack_max:hashsize at 1:1; 352 is sizeof(ip_conntrack), 8 is sizeof(list_head)).
Since the hash size is best set to a power of 2, use 1048576 (2^20).
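The default-hashsize formula and the memory formula above, written as shell functions and run on the article's own cases (512 MB on i386, then a 384 MB budget at 1:1). This is an added example, not part of the original article; the function names are hypothetical.

```shell
# Added example, not the article's code: conntrack sizing arithmetic.

# default_hashsize <ram_mb> <pointer_bits>
# hashsize = ramsize (in bytes) / 131072 / (x / 32)
default_hashsize() {
    echo $(( $1 * 1024 * 1024 / 131072 / ($2 / 32) ))
}

# floor_pow2 <n> -> largest power of two not above n
floor_pow2() {
    p=1
    while [ $((p * 2)) -le "$1" ]; do p=$((p * 2)); done
    echo "$p"
}

# conntrack_mem <conntrack_max> <hashsize> <entry_bytes> <pointer_bytes>
# bytes = conntrack_max * sizeof(struct ip_conntrack)
#       + hashsize * sizeof(struct list_head), a list_head being two pointers
conntrack_mem() {
    echo $(( $1 * $3 + $2 * 2 * $4 ))
}

# max_for_budget <budget_mb> <entry_bytes> <pointer_bytes>
# Largest power-of-two conntrack_max, with hashsize equal to it (the 1:1
# ratio), whose table fits inside the memory budget.
max_for_budget() {
    floor_pow2 $(( $1 * 1024 * 1024 / ($2 + 2 * $3) ))
}

# Worked cases from the text: 512 MB on i386, then a 384 MB budget with the
# conservative 352-byte entry and 4-byte pointers.
hs=$(default_hashsize 512 32)
echo "default: hashsize=$hs conntrack_max=$((hs * 8))"
n=$(max_for_budget 384 352 4)
echo "1:1: conntrack_max=hashsize=$n uses $(conntrack_mem "$n" "$n" 352 4) bytes"
```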
--
Related settings and commands:
The ip_conntrack timeout for established connections defaults to 432000 seconds (5 days).
It can be changed to 10 hours: echo "600" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
ip_conntrack buffer usage:
grep conn /proc/slabinfo
Example: ip_conntrack 188069 229570 336 11 1 : tunables 54 27 8 : slabdata 20870
Related modifications (ip_forward and proxy_arp make the host route packets and answer ARP on behalf of other hosts, so set them only on a gateway):
echo "1024 65000" > /proc/sys/net/ipv4/ip_local_port_range
echo "1200 128512 15 5000 1884 2" > /proc/sys/vm/bdflush
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1048576" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "268435456" > /proc/sys/kernel/shmall
echo "536870912" > /proc/sys/kernel/shmmax
echo "600s" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
echo "1024" > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo "2048" > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo "4096" > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo "52428800" > /proc/sys/net/ipv4/route/max_size
echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
echo "1" > /proc/sys/net/ipv4/tcp_window_scaling
These are the solutions to a full ip_conntrack table and the resulting packet loss on CentOS.