[pve-devel] nf_conntrack: table full, dropping packet error

Alexandre DERUMIER aderumier at odiso.com
Tue Oct 11 09:25:29 CEST 2011


But I don't use iptables, and I don't know why nf_conntrack is loaded with 2.6.32-6-pve ....

kernel option is CONFIG_BRIDGE_NETFILTER 



2.6.32-6-pve 
--------------

kvmtest:/boot# lsmod|grep nf_con 
nf_conntrack_ipv4 9880 2 nf_nat 
nf_conntrack 80854 3 vzrst,nf_nat,nf_conntrack_ipv4 
nf_defrag_ipv4 1465 1 nf_conntrack_ipv4 



cat config-2.6.32-6-pve |grep CONFIG_BRIDGE_NETFILTER 
CONFIG_BRIDGE_NETFILTER=y 

kvmtest:/boot# cat config-2.6.32-5-amd64 |grep NF_CON
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_NF_CONNTRACK_IPV6=m





2.6.32-4-pve 
--------------
kvm5:/boot# lsmod|grep nf_con 
...no module loaded

kvm5:/boot# cat config-2.6.32-4-pve |grep CONFIG_BRIDGE_NETFILTER 
CONFIG_BRIDGE_NETFILTER=y


kvm5:/boot# cat config-2.6.32-4-pve |grep NF_CON 
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_NF_CONNTRACK_IPV6=m



----- Original message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Tuesday, 11 October 2011 06:33:00
Subject: RE: [pve-devel] nf_conntrack: table full, dropping packet error



Or you increase the number of connections: 

net.netfilter.nf_conntrack_max=131072 

That seems to be related to the iptables setup you use. 






From: pve-devel-bounces at pve.proxmox.com [mailto:pve-devel-bounces at pve.proxmox.com] On Behalf Of Alexandre DERUMIER 
Sent: Monday, 10 October 2011 12:40
To: pve-devel at pve.proxmox.com 
Subject: Re: [pve-devel] nf_conntrack: table full, dropping packet error 


OK, I found the problem:

https://bugzilla.redhat.com/show_bug.cgi?id=512206

So adding

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

to /etc/sysctl.conf corrects the problem.

I don't know if it's related to the Red Hat kernel, but I haven't seen this problem before.

Maybe it can be added by default to the Proxmox installer?



----- Original message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: pve-devel at pve.proxmox.com
Sent: Monday, 10 October 2011 12:27:34
Subject: Re: [pve-devel] nf_conntrack: table full, dropping packet error

Also,

cat /proc/net/nf_conntrack

gives me a lot of guest VM connection references...

...
ipv4 2 tcp 6 87 TIME_WAIT src=217.109.92.1 dst=10.1.31.220 sport=19132 dport=80 src=10.1.31.220 dst=217.109.92.1 sport=80 dport=19132 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 430860 ESTABLISHED src=82.124.207.13 dst=10.1.31.220 sport=62775 dport=80 src=10.1.31.220 dst=82.124.207.13 sport=80 dport=62775 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 117 TIME_WAIT src=10.1.31.25 dst=10.1.33.145 sport=11396 dport=30 src=10.1.33.145 dst=10.1.31.25 sport=30 dport=11396 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 25 TIME_WAIT src=86.73.246.208 dst=10.1.31.220 sport=51544 dport=80 src=10.1.31.220 dst=86.73.246.208 sport=80 dport=51544 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 7 TIME_WAIT src=10.1.31.180 dst=10.2.61.26 sport=46716 dport=3306 src=10.2.61.26 dst=10.1.31.180 sport=3306 dport=46716 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 2 TIME_WAIT src=41.224.178.3 dst=10.1.31.220 sport=51070 dport=80 src=10.1.31.220 dst=41.224.178.3 sport=80 dport=51070 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 89 TIME_WAIT src=194.167.196.49 dst=10.1.31.220 sport=4416 dport=80 src=10.1.31.220 dst=194.167.196.49 sport=80 dport=4416 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 5 CLOSE src=115.126.169.77 dst=10.1.31.220 sport=53069 dport=80 src=10.1.31.220 dst=115.126.169.77 sport=80 dport=53069 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 97 TIME_WAIT src=10.1.31.180 dst=10.2.61.26 sport=63674 dport=11211 src=10.2.61.26 dst=10.1.31.180 sport=11211 dport=63674 [ASSURED] mark=0 secmark=0 u^C
...

Can I safely disable the conntrack module on the host?



----- Original message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: pve-devel at pve.proxmox.com
Sent: Monday, 10 October 2011 12:23:35
Subject: Re: [pve-devel] nf_conntrack: table full, dropping packet error

Forgot to say: Proxmox 1.9

----- Original message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: pve-devel at pve.proxmox.com
Sent: Monday, 10 October 2011 12:21:02
Subject: [pve-devel] nf_conntrack: table full, dropping packet error

Hi,

This morning I see a lot of nf_conntrack errors in /var/log/messages.

Is it related to the Red Hat kernel?

How can I disable it?






kvm2:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

kvm2:~# cat /var/log/messages

Oct 10 11:55:23 kvm2 kernel: __ratelimit: 285 callbacks suppressed
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: __ratelimit: 107 callbacks suppressed
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: __ratelimit: 328 callbacks suppressed
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: __ratelimit: 83 callbacks suppressed
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: __ratelimit: 69 callbacks suppressed
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: __ratelimit: 190 callbacks suppressed
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.



-- 
Alexandre Derumier
Systems engineer
e-mail : aderumier at odiso.com
Tel : +33 (0)3 20 68 88 90
Fax : +33 (0)3 20 68 90 81
45 Bvd du Général Leclerc
59100 ROUBAIX - FRANCE
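
Added example, not part of the original thread: a small shell audit for the condition discussed above, where nf_conntrack is loaded and the bridge-nf-call-* sysctls still hand bridged guest traffic to the host's netfilter hooks. The function names and the PROC_ROOT variable are assumptions of this example; only the sysctl names and the nf_conntrack_max setting come from the messages.

```shell
#!/bin/sh
# Added example: audit whether bridged guest traffic is filling the host's
# conntrack table. PROC_ROOT is an assumption of this example (defaults to
# /proc) so the checks can also run against a constructed directory tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the value of a sysctl read from procfs, or "absent" if it is missing.
read_sysctl() {
    f="$PROC_ROOT/sys/$1"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# List the bridge-nf-call-* switches from the thread that are still set to 1.
bridge_nf_enabled() {
    for k in iptables ip6tables arptables; do
        if [ "$(read_sysctl "net/bridge/bridge-nf-call-$k")" = 1 ]; then
            echo "bridge-nf-call-$k"
        fi
    done
}

# Conntrack table usage in percent, or "n/a" when nf_conntrack is not loaded.
conntrack_usage_pct() {
    count=$(read_sysctl net/netfilter/nf_conntrack_count)
    max=$(read_sysctl net/netfilter/nf_conntrack_max)
    case "$count $max" in
        *absent*) echo n/a; return 0 ;;
    esac
    if [ "$max" -gt 0 ]; then echo $(( $count * 100 / $max )); else echo n/a; fi
}

# One-line verdict combining both checks.
verdict() {
    pct=$(conntrack_usage_pct)
    on=$(bridge_nf_enabled | tr '\n' ' ')
    if [ "$pct" = n/a ]; then
        echo "ok: nf_conntrack not loaded"
    elif [ -n "$on" ]; then
        echo "exposed: table ${pct}% full, bridged frames tracked via ${on% }"
    else
        echo "ok: table ${pct}% full, bridged frames skip iptables hooks"
    fi
}

verdict
```

With the three bridge-nf-call-* values at 0 the host stops tracking guest connections, so any packet filtering for the guests has to be done elsewhere.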














