[pve-devel] nf_conntrack: table full, dropping packet error

Dietmar Maurer dietmar at proxmox.com
Tue Oct 11 06:33:00 CEST 2011 

Or you increase the number of connections:

net.netfilter.nf_conntrack_max=131072

That seems to be related to the iptables setup you use.



From: pve-devel-bounces at pve.proxmox.com [mailto:pve-devel-bounces at pve.proxmox.com] On Behalf Of Alexandre DERUMIER
Sent: Montag, 10. Oktober 2011 12:40
To: pve-devel at pve.proxmox.com
Subject: Re: [pve-devel] nf_conntrack: table full, dropping packet error

ok, i found the problem

https://bugzilla.redhat.com/show_bug.cgi?id=512206

so add

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

to /etc/sysctl.conf

 correct the problem.


I don't know if it's related to redhat kernel, but i didn't have see this problem before.

Maybe it can be add by default to proxmox installer?


________________________________
De: "Alexandre DERUMIER" <aderumier at odiso.com<mailto:aderumier at odiso.com>>
À: pve-devel at pve.proxmox.com<mailto:pve-devel at pve.proxmox.com>
Envoyé: Lundi 10 Octobre 2011 12:27:34
Objet: Re: [pve-devel] nf_conntrack: table full, dropping packet error
also

cat  /proc/net/nf_conntrack

give me a lot of guest vm connections references...

...
ipv4     2 tcp      6 87 TIME_WAIT src=217.109.92.1 dst=10.1.31.220 sport=19132 dport=80 src=10.1.31.220 dst=217.109.92.1 sport=80 dport=19132 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 430860 ESTABLISHED src=82.124.207.13 dst=10.1.31.220 sport=62775 dport=80 src=10.1.31.220 dst=82.124.207.13 sport=80 dport=62775 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=10.1.31.25 dst=10.1.33.145 sport=11396 dport=30 src=10.1.33.145 dst=10.1.31.25 sport=30 dport=11396 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 25 TIME_WAIT src=86.73.246.208 dst=10.1.31.220 sport=51544 dport=80 src=10.1.31.220 dst=86.73.246.208 sport=80 dport=51544 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 7 TIME_WAIT src=10.1.31.180 dst=10.2.61.26 sport=46716 dport=3306 src=10.2.61.26 dst=10.1.31.180 sport=3306 dport=46716 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 2 TIME_WAIT src=41.224.178.3 dst=10.1.31.220 sport=51070 dport=80 src=10.1.31.220 dst=41.224.178.3 sport=80 dport=51070 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 89 TIME_WAIT src=194.167.196.49 dst=10.1.31.220 sport=4416 dport=80 src=10.1.31.220 dst=194.167.196.49 sport=80 dport=4416 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 5 CLOSE src=115.126.169.77 dst=10.1.31.220 sport=53069 dport=80 src=10.1.31.220 dst=115.126.169.77 sport=80 dport=53069 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 97 TIME_WAIT src=10.1.31.180 dst=10.2.61.26 sport=63674 dport=11211 src=10.2.61.26 dst=10.1.31.180 sport=11211 dport=63674 [ASSURED] mark=0 secmark=0 u^C
...

Can I safetly disable conntrack module on host ?


________________________________
De: "Alexandre DERUMIER" <aderumier at odiso.com<mailto:aderumier at odiso.com>>
À: pve-devel at pve.proxmox.com<mailto:pve-devel at pve.proxmox.com>
Envoyé: Lundi 10 Octobre 2011 12:23:35
Objet: Re: [pve-devel] nf_conntrack: table full, dropping packet error
forget to say : proxmox 1.9
________________________________
De: "Alexandre DERUMIER" <aderumier at odiso.com<mailto:aderumier at odiso.com>>
À: pve-devel at pve.proxmox.com<mailto:pve-devel at pve.proxmox.com>
Envoyé: Lundi 10 Octobre 2011 12:21:02
Objet: [pve-devel] nf_conntrack: table full, dropping packet error
Hi,
This morning I see a lot of nf_conntrack error in /var/log/messages.

Is it related to redhat kernel ?
How can I disabled it ?


kvm2:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
kvm2:~#  cat /var/log/messages


Oct 10 11:55:23 kvm2 kernel: __ratelimit: 285 callbacks suppressed
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: __ratelimit: 107 callbacks suppressed
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: __ratelimit: 328 callbacks suppressed
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: __ratelimit: 83 callbacks suppressed
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: __ratelimit: 69 callbacks suppressed
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: __ratelimit: 190 callbacks suppressed
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.


--



[http://www.odiso.com/library/img/signature/logo-odiso-signaturemail.png]

Alexandre Derumier
Ingénieur système
e-mail :  aderumier at odiso.com<mailto:aderumier at odiso.com>
Tél : +33 (0)3 20 68 88 90
Fax : +33 (0)3 20 68 90 81
45 Bvd du Général Leclerc
59100 ROUBAIX - FRANCE










_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com<mailto:pve-devel at pve.proxmox.com>
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



--



[http://www.odiso.com/library/img/signature/logo-odiso-signaturemail.png]

Alexandre Derumier
Ingénieur système
e-mail :  aderumier at odiso.com<mailto:aderumier at odiso.com>
Tél : +33 (0)3 20 68 88 90
Fax : +33 (0)3 20 68 90 81
45 Bvd du Général Leclerc
59100 ROUBAIX - FRANCE










_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com<mailto:pve-devel at pve.proxmox.com>
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



--



[http://www.odiso.com/library/img/signature/logo-odiso-signaturemail.png]

Alexandre Derumier
Ingénieur système
e-mail :  aderumier at odiso.com<mailto:aderumier at odiso.com>
Tél : +33 (0)3 20 68 88 90
Fax : +33 (0)3 20 68 90 81
45 Bvd du Général Leclerc
59100 ROUBAIX - FRANCE










_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com<mailto:pve-devel at pve.proxmox.com>
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



--



[http://www.odiso.com/library/img/signature/logo-odiso-signaturemail.png]

Alexandre Derumier
Ingénieur système
e-mail :  aderumier at odiso.com<mailto:aderumier at odiso.com>
Tél : +33 (0)3 20 68 88 90
Fax : +33 (0)3 20 68 90 81
45 Bvd du Général Leclerc
59100 ROUBAIX - FRANCE









-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.proxmox.com/pipermail/pve-devel/attachments/20111011/ebbab546/attachment.htm>

More information about the pve-devel mailing list