# lsmod
Module Size Used by
xen_netfront 19808 0
pcspkr 2848 0
xen_blkfront 12404 2
# cat /proc/net/nf_conntrack | wc -l
50916
# service iptables stop
(it was never started)
# cat /proc/net/nf_conntrack | wc -l
65358
This is Fedora, sorry, not CentOS.
The only other thing running is keepalived to manage the IP address for haproxy.
On 9/3/09 10:16 AM, John Lauro wrote:
service iptables stop
should take care of it in CentOS.
Although your lsmod doesn't make sense. It should be showing ip_conntrack
and ip_tables and iptable_filter with a standard CentOS and iptables. Even
dm_multipath and others that you are not interested in would be expected...
-----Original Message-----
From: Hank A. Paulson [mailto:[email protected]]
Sent: Thursday, September 03, 2009 1:02 PM
To: HAproxy Mailing Lists
Subject: nf_conntrack: table full, dropping packet.
Does anyone know how to get rid of/turn off/kill/remove/exorcise netfilter
and/or conntrack?
I don't use iptables and it seems to cause a lot of overhead.
Does it require a custom compiled kernel?
I am using CentOS and Fedora standard precompiled kernels right now.
Thank you for any help in this frustrating matter.
# lsmod | grep -i ip
ipv6 290320 20
sysctl -a | grep -i netfilter
net.netfilter.nf_conntrack_generic_timeout = 12
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 12
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 12
net.netfilter.nf_conntrack_tcp_timeout_established = 2000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 12
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 12
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 12
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_close = 8
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 30
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 30
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_udp_timeout = 12
net.netfilter.nf_conntrack_udp_timeout_stream = 18
net.netfilter.nf_conntrack_icmp_timeout = 8
net.netfilter.nf_conntrack_acct = 1
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_count = 7645
net.netfilter.nf_conntrack_buckets = 16384
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_expect_max = 256