2025-03-28 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article shows how to solve the "nf_conntrack: table full, dropping packet" problem. The content is concise and easy to follow; I hope you get something out of it.
Introduction: nf_conntrack works at layer 3 and supports both IPv4 and IPv6, while ip_conntrack only supports IPv4. Most ip_conntrack_* entries have by now been replaced by nf_conntrack_*, and many of the remaining ip_conntrack_* names are just aliases. The old ip_conntrack directory /proc/sys/net/ipv4/netfilter/ still exists, while the new nf_conntrack entries live in /proc/sys/net/netfilter/; the old directory is kept for backward compatibility:
The code is as follows:
$ pwd
/proc/sys/net/ipv4/netfilter
$ ls
ip_conntrack_buckets          ip_conntrack_tcp_loose                 ip_conntrack_tcp_timeout_syn_recv
ip_conntrack_checksum         ip_conntrack_tcp_max_retrans           ip_conntrack_tcp_timeout_syn_sent
ip_conntrack_count            ip_conntrack_tcp_timeout_close         ip_conntrack_tcp_timeout_syn_sent2
ip_conntrack_generic_timeout  ip_conntrack_tcp_timeout_close_wait    ip_conntrack_tcp_timeout_time_wait
ip_conntrack_icmp_timeout     ip_conntrack_tcp_timeout_established   ip_conntrack_udp_timeout
ip_conntrack_log_invalid      ip_conntrack_tcp_timeout_fin_wait      ip_conntrack_udp_timeout_stream
ip_conntrack_max              ip_conntrack_tcp_timeout_last_ack
ip_conntrack_tcp_be_liberal   ip_conntrack_tcp_timeout_max_retrans
$ pwd
/proc/sys/net/netfilter
$ ls
nf_conntrack_acct                  nf_conntrack_tcp_timeout_close
nf_conntrack_buckets               nf_conntrack_tcp_timeout_close_wait
nf_conntrack_checksum              nf_conntrack_tcp_timeout_established
nf_conntrack_count                 nf_conntrack_tcp_timeout_fin_wait
nf_conntrack_events                nf_conntrack_tcp_timeout_last_ack
nf_conntrack_events_retry_timeout  nf_conntrack_tcp_timeout_max_retrans
nf_conntrack_expect_max            nf_conntrack_tcp_timeout_syn_recv
nf_conntrack_generic_timeout       nf_conntrack_tcp_timeout_syn_sent
nf_conntrack_icmp_timeout          nf_conntrack_tcp_timeout_time_wait
nf_conntrack_log_invalid           nf_conntrack_tcp_timeout_unacknowledged
nf_conntrack_max                   nf_conntrack_udp_timeout
nf_conntrack_tcp_be_liberal        nf_conntrack_udp_timeout_stream
nf_conntrack_tcp_loose             nf_log/
nf_conntrack_tcp_max_retrans
View the current number of connections (the second column, 38358 here, is the number of active entries):
The code is as follows:
# grep ip_conntrack /proc/slabinfo
ip_conntrack 38358 64324 304 13 1 : tunables 54 27 8 : slabdata 4948 4948 216
Find out which source addresses currently hold the most ip_conntrack entries:
The code is as follows:
$ cat /proc/net/ip_conntrack | cut -d' ' -f 10 | cut -d'=' -f 2 | sort | uniq -c | sort -nr | head -n 10
nf_conntrack/ip_conntrack is the connection-tracking part of netfilter that NAT depends on: it tracks connection entries and uses a hash table to record established connections. nf_conntrack was introduced in 2.6.15, and ip_conntrack was removed in 2.6.22. When the hash table is full, the kernel logs:
The code is as follows:
nf_conntrack: table full, dropping packet
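The ranking command above depends on "src=" being exactly the 10th field, which differs between the ip_conntrack and nf_conntrack table formats. The following added example (not code from the original article) ranks sources by matching the "src=" key instead, and adds a check that warns before the table fills up; the sample table is constructed, and the live paths are the /proc files discussed above.

```shell
#!/bin/sh
# Added example: rank conntrack entries by original-direction source and
# warn when nf_conntrack_count approaches nf_conntrack_max.
# Matching "src=" by key works for both /proc/net/ip_conntrack and
# /proc/net/nf_conntrack line formats.

# Constructed sample in /proc/net/nf_conntrack format (not real traffic).
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51000 dport=80 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=51000 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 120 TIME_WAIT src=10.0.0.5 dst=192.0.2.10 sport=51001 dport=80 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=51001 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=10.0.0.7 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=10.0.0.7 sport=53 dport=40000 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.11 sport=51002 dport=443 src=192.0.2.11 dst=10.0.0.5 sport=443 dport=51002 [ASSURED] mark=0 use=1'

# Print "count source" pairs, busiest source first. $1 = rows to show,
# stdin = conntrack table. Only the first src= per line is taken (the
# second src= on a line is the reply tuple); "[^=]*" cannot skip past it.
top_sources() {
    sed -n 's/^[^=]*src=\([^ ]*\).*/\1/p' | sort | uniq -c | sort -rn |
        head -n "${1:-10}" | awk '{print $1, $2}'
}

# Integer percentage of the table in use.
# $1 = nf_conntrack_count, $2 = nf_conntrack_max
table_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Succeeds (exit 0) when usage is at or above the threshold ($3, default 80%).
near_table_full() {
    [ "$(table_usage_pct "$1" "$2")" -ge "${3:-80}" ]
}

# Stand-alone run: use the live kernel tables when readable, else the sample.
if [ -r /proc/net/nf_conntrack ] && [ -r /proc/sys/net/netfilter/nf_conntrack_count ] \
   && [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
    top_sources 10 < /proc/net/nf_conntrack
    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    near_table_full "$count" "$max" && echo "WARNING: conntrack table ${count}/${max} in use"
else
    printf '%s\n' "$SAMPLE_CONNTRACK" | top_sources 10
fi
```

Run it from cron against the live tables and the warning fires before the "table full" message appears in the kernel log, rather than after packets are already being dropped.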
There are several ways to solve this problem.
1. Do not use the nf_conntrack module
The first step is to remove the state match, because using it requires nf_conntrack to be loaded. Make sure there are no rules in the iptables rule set that use the state module, and remove them if there are, for example:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Also check /etc/sysconfig/iptables-config for a line that loads conntrack helper modules at start-up, and remove it if present:
The code is as follows:
IPTABLES_MODULES="ip_conntrack_netbios_ns"
Remove the nf_conntrack module:
The code is as follows:
$ sudo modprobe -r xt_NOTRACK nf_conntrack_netbios_ns nf_conntrack_ipv4 xt_state
$ sudo modprobe -r nf_conntrack
There should be no nf_conntrack under /proc/net/ now.
2. Adjust the parameters under /proc/
You can increase the number of conntrack entries (sessions, connection tracking entries), CONNTRACK_MAX, or increase the size of the conntrack hash table, HASHSIZE.
By default, CONNTRACK_MAX and HASHSIZE are derived from the system memory size.
For CONNTRACK_MAX, the formula is:
CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (ARCH / 32)
For example, a 64-bit machine with 48 GB can handle 48 * 1024^3 / 16384 / 2 = 1572864 netfilter connections at the same time. For systems with more than 1 GB of memory, the default CONNTRACK_MAX is 65535.
For HASHSIZE, the default relationship is:
CONNTRACK_MAX = HASHSIZE * 8
This means each hash bucket's linked list holds 8 conntrack entries on average. The actual formula is:
HASHSIZE = CONNTRACK_MAX / 8 = RAMSIZE (in bytes) / 131072 / (ARCH / 32)
For example, a 64-bit machine with 48 GB gets 48 * 1024^3 / 131072 / 2 = 196608 buckets (connection lists). For systems with more than 1 GB of memory, the default HASHSIZE is 8192.
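The two formulas above, carried through as an added example (not code from the original article) so the defaults can be reproduced and compared with what the running kernel reports. The function names are my own; the /proc paths are the ones discussed in this section.

```shell
#!/bin/sh
# Added example: reproduce the default conntrack sizing from
#   CONNTRACK_MAX = RAMSIZE / 16384 / (ARCH / 32)
#   HASHSIZE      = CONNTRACK_MAX / 8
# and report the average hash-chain length of the live settings.

# $1 = RAM in bytes, $2 = word size (32 or 64); prints "conntrack_max hashsize"
default_sizing() {
    ram=$1; arch=${2:-64}
    conntrack_max=$(( ram / 16384 / (arch / 32) ))
    hashsize=$(( conntrack_max / 8 ))
    echo "$conntrack_max $hashsize"
}

# Average number of entries per hash bucket. The defaults give 8; raising
# nf_conntrack_max without raising nf_conntrack_buckets makes every lookup
# walk a longer chain, so keep an eye on this ratio when tuning.
# $1 = nf_conntrack_max, $2 = nf_conntrack_buckets
chain_length() {
    echo $(( $1 / $2 ))
}

# $1 = GiB; prints the size in bytes
ram_bytes() {
    echo $(( $1 * 1024 * 1024 * 1024 ))
}

# Worked example from the text: a 64-bit machine with 48 GiB of RAM.
default_sizing "$(ram_bytes 48)" 64     # 1572864 196608

# Compare with the running kernel when the sysctls are readable.
if [ -r /proc/sys/net/netfilter/nf_conntrack_max ] \
   && [ -r /proc/sys/net/netfilter/nf_conntrack_buckets ]; then
    live_max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    live_buckets=$(cat /proc/sys/net/netfilter/nf_conntrack_buckets)
    echo "live: nf_conntrack_max=$live_max nf_conntrack_buckets=$live_buckets" \
         "chain_length=$(chain_length "$live_max" "$live_buckets")"
fi
```

With the values echoed in the next step (100000 entries, 50000 buckets) the chain length is 2, shorter than the default 8.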
You can modify the current CONNTRACK_MAX and HASHSIZE values directly with echo:
The code is as follows:
$ sudo su -c "echo 100000 > /proc/sys/net/netfilter/nf_conntrack_max"
$ sudo su -c "echo 50000 > /proc/sys/net/netfilter/nf_conntrack_buckets"
You can also shorten the timeout values:
The code is as follows:
$ sudo su -c "echo 600 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established"
3. Use the raw table and do not track connections
The raw table in iptables is tied to packet tracking: its main use is to mark packets that do not need to be tracked with the NOTRACK target. If a connection hits -j NOTRACK, conntrack will not track it. raw has a higher priority than mangle, nat and filter, and provides the PREROUTING and OUTPUT chains.
When you run iptables -t raw, the system automatically loads the required iptable_raw module. raw did not exist in the 2.4 and early 2.6 kernels; current systems should support it unless you have applied a patch:
$ sudo iptables -A FORWARD -m state --state UNTRACKED -j ACCEPT
$ sudo iptables -t raw -A PREROUTING -p tcp -m multiport --dport 80,81,82 -j NOTRACK
$ sudo iptables -t raw -A OUTPUT -p tcp -m multiport --sport 80,81,82 -j NOTRACK
Of the three approaches above, 1 and 3 are the most effective; the second treats the symptom rather than the cause.
That is how to solve the "nf_conntrack: table full, dropping packet" problem.