CentOS ip_conntrack: table full, dropping packet solution

Time:2021-10-24

So why does ip_conntrack: table full, dropping packet appear? iptables uses a connection tracking table to record the state of each connection. When that table is full, this message is written to the log. The message itself may be hard to relate to a symptom, so under what circumstances should you look for this record in the log?

When pinging the server shows packet loss, or the latency is unstable and swings between high and low, then after ruling out the network line itself you should consider ip_conntrack: table full, dropping packet.

The following describes the solution to ip_conntrack: table full, dropping packet:

Solutions under CentOS 6 / RHEL 5:

1. Run:

sysctl -w net.ipv4.netfilter.ip_conntrack_max=100000

2. Add the following to /etc/sysctl.conf:

net.ipv4.netfilter.ip_conntrack_max = 100000

3. Make it take effect:

sysctl -p

Solutions under CentOS 6 / RHEL 6:

1. Run:

sysctl -w net.nf_conntrack_max=100000

2. Add the following to /etc/sysctl.conf:

net.nf_conntrack_max = 100000

3. Make it take effect:

sysctl -p

*** If a Xen domU shows sporadic packet loss or ping latency that swings high and low, and ping is normal after stopping iptables, it is most likely this problem.

Alternatively, try the following method:

1. The server drops a lot of packets, and checking the messages log shows the following error:
kernel: ip_conntrack: table full, dropping packet

Solution:

Display the current number of sessions:
cat /proc/net/ip_conntrack | wc -l
Display the maximum number of conntrack entries currently configured on the system:
cat /proc/sys/net/ipv4/ip_conntrack_max
# Once the former exceeds the latter, the system reports the error. The fix is to raise the limit:
echo "" > /proc/sys/net/ipv4/ip_conntrack_max
# Then make it persistent by writing to
/etc/sysctl.conf
net.ipv4.ip_conntrack_max =
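A small script, added here and not part of the original post, that measures how full the conntrack table is and counts the "table full, dropping packet" messages in a log; the /proc/sys/net/netfilter/nf_conntrack_max and nf_conntrack_count paths are the nf_conntrack equivalents of the ip_conntrack files above and are not taken from the post, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check conntrack table usage and
# count the "table full" messages in a log. The nf_conntrack proc paths below
# are the modern equivalents of the ip_conntrack paths named in the post.

# Percentage of the conntrack table in use, given the current count and the max.
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# Number of "table full, dropping packet" lines in log text read from stdin.
count_table_full() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Read the live values, preferring nf_conntrack (CentOS 6) over ip_conntrack (CentOS 5).
check_live() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
        max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
        count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    elif [ -r /proc/sys/net/ipv4/ip_conntrack_max ]; then
        max=$(cat /proc/sys/net/ipv4/ip_conntrack_max)
        count=$(wc -l < /proc/net/ip_conntrack)
    else
        echo "no conntrack interface found" >&2
        return 1
    fi
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count / $max (${pct}%)"
    # Warn before the table actually fills; once it does, new packets are dropped.
    [ "$pct" -lt 80 ] || echo "WARNING: conntrack table above 80% of its max" >&2
}

# Constructed sample log lines (not real output) showing the message the post describes.
SAMPLE_LOG='Oct 24 10:00:01 host kernel: ip_conntrack: table full, dropping packet
Oct 24 10:00:01 host kernel: ip_conntrack: table full, dropping packet
Oct 24 10:00:05 host sshd[1234]: Accepted publickey for admin'

echo "table-full messages in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full)"
check_live || true
```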

2.
There are two values to pay attention to:

- The maximum number of conntrack entries, called conntrack_max
- The size of the hash table that stores these conntrack entries, called hashsize
When the number of conntrack entries exceeds conntrack_max, the length of each conntrack list in the hash table is no longer controllable (conntrack_max / hashsize is the number of entries stored in each list).
The hash table lives in fixed, non-swappable memory; conntrack_max decides how much of this non-swappable memory is used.
Default hashsize
--------------------------------
conntrack_max = hashsize*8
On i386: hashsize = conntrack_max/8 = ramsize(in bytes)/131072 = ramsize(in MegaBytes)*8.
Therefore a 32-bit PC with 512M memory can hold 512 * 1024 ^ 2 / 128 / 1024 = 512 * 8 = 4096 (hash buckets, i.e. connection lists)
But the correct general algorithm is:
hashsize = conntrack_max/8 = ramsize(in bytes)/131072/(x/32)
where x is the width of the pointer type in use (32-bit or 64-bit)
--------------------------------
Read the conntrack_max value
2.4 kernel
cat /proc/sys/net/ipv4/ip_conntrack_max
2.6 kernel
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max

Read the hashsize value
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
--------------------------------
You can modify these two values to suit high-load netfilter applications.
The system default ratio of conntrack_max : hashsize is 8:1; you can set it to 1:1 to improve performance.
--------------------------------
Set conntrack_max
echo $CONNTRACK_MAX > /proc/sys/net/ipv4/ip_conntrack_max
Set hashsize
If netfilter conntrack is statically compiled into the kernel, on 2.4 it can be set at compile time, and on 2.6 ip_conntrack.hashsize=$hashsize can be added to the kernel boot parameters.
If it is built as a module, use modprobe ip_conntrack hashsize=$hashsize
#####################################
Method used in practice:
vi /etc/modprobe.conf
add:
options ip_conntrack hashsize=524288

vi /etc/sysctl.conf
net.ipv4.netfilter.ip_conntrack_max = 524288 (calculate according to your own physical memory)
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
##########################################
--------------------------------
Memory used by conntrack
size_of_mem_used_by_conntrack (in bytes) =
CONNTRACK_MAX * sizeof(struct ip_conntrack) +
HASHSIZE * sizeof(struct list_head)
sizeof(struct ip_conntrack) is about 192-352 bytes
sizeof(struct list_head) = 2 * size_of_a_pointer (4 bytes on i386)
For example, with 512M memory and 384M given to conntrack:
384 * 1024 * 1024 / (352 + 8) (a conservative calculation) = ~1143901 (this assumes conntrack_max : hashsize is 1:1; 352 is sizeof(struct ip_conntrack), 8 is sizeof(struct list_head))
Since hashsize is best set to a power of 2, use 1048576 (2^20)
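An added example (not the post's own code) that carries the post's sizing formulas through in shell: the i386 default hashsize and conntrack_max derived from RAM, the number of entries a memory budget holds at 352 + 8 bytes each, and rounding down to a power of two; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: size conntrack_max and hashsize
# from RAM using the post's formulas, with POSIX shell integer arithmetic.

# Kernel default on i386 as given in the post:
#   hashsize = ramsize_bytes / 131072 / (ptr_bits / 32),  conntrack_max = hashsize * 8
# Args: RAM in MB, pointer width in bits (32 or 64).
default_hashsize() {
    echo $(( $1 * 1024 * 1024 / 131072 / ($2 / 32) ))
}
default_conntrack_max() {
    echo $(( $(default_hashsize "$1" "$2") * 8 ))
}

# Largest power of two not exceeding n; the post recommends a power-of-2 hashsize.
floor_pow2() {
    p=1
    while [ $(( p * 2 )) -le "$1" ]; do p=$(( p * 2 )); done
    echo "$p"
}

# Entries that fit in a memory budget at a 1:1 conntrack_max:hashsize ratio, using
# the post's per-entry cost sizeof(struct ip_conntrack) + sizeof(struct list_head).
# Args: budget in MB, sizeof(struct ip_conntrack), sizeof(struct list_head).
entries_for_budget() {
    echo $(( $1 * 1024 * 1024 / ($2 + $3) ))
}

# Bytes the table consumes for a given conntrack_max, hashsize and the two struct sizes.
conntrack_mem_bytes() {
    echo $(( $1 * $3 + $2 * $4 ))
}

# Worked run with the post's figures: a 32-bit box with 512M RAM, 384M for conntrack.
echo "default hashsize (512M, i386):      $(default_hashsize 512 32)"
echo "default conntrack_max (512M, i386): $(default_conntrack_max 512 32)"
fit=$(entries_for_budget 384 352 8)
hs=$(floor_pow2 "$fit")
echo "entries that fit in 384M at 352+8 bytes: $fit -> hashsize $hs (power of 2)"
echo "memory at conntrack_max=hashsize=$hs: $(conntrack_mem_bytes "$hs" "$hs" 352 8) bytes"
```

With the (352 + 8) divisor the 384M budget comes out at 1118481 entries, which rounds down to the same 1048576 (2^20) as above.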
--------------------------------
Relevant settings and commands are attached:
ip_conntrack timeout original value 432000 seconds (5 days)
It can be changed to 10 hours: echo "600" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
ip_conntrack buffer usage
grep conn /proc/slabinfo
Example: ip_conntrack 188069 229570 336 11 1 : tunables 54 27 8 : slabdata 20870

Relevant modifications:
echo "1024 65000" > /proc/sys/net/ipv4/ip_local_port_range
echo "100 1200 128 512 15 5000 500 1884 2" > /proc/sys/vm/bdflush
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1048576" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "268435456" > /proc/sys/kernel/shmall
echo "536870912" > /proc/sys/kernel/shmmax
echo "600" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
echo "1024" > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo "2048" > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo "4096" > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo "52428800" > /proc/sys/net/ipv4/route/max_size
echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
echo "1" > /proc/sys/net/ipv4/tcp_window_scaling