RE: nf_conntrack: table full, dropping packet.

From: John Lauro <john.lauro#covenanteyes.com>
Date: Thu, 3 Sep 2009 13:16:19 -0400


service iptables stop
should take care of it in CentOS.

Although your lsmod doesn't make sense. It should be showing ip_conntrack and ip_tables and iptable_filter with a standard CentOS and iptables. Even dm_multipath and others that you are not interested in would be expected...

> -----Original Message-----
> From: Hank A. Paulson [mailto:hap#spamproof.nospammail.net]
> Sent: Thursday, September 03, 2009 1:02 PM
> To: HAproxy Mailing Lists
> Subject: nf_conntrack: table full, dropping packet.
>
> Does anyone know how to get rid of/turn off/kill/remove/exorcise netfilter
> and/or conntrack?
> I don't use iptables and it seems to cause a lot of overhead.
>
> Does it require a custom compiled kernel?
> I am using CentOS and Fedora standard precompiled kernels right now.
>
> Thank you for any help in this frustrating matter.
>
> # lsmod | grep -i ip
> ipv6 290320 20
>
> sysctl -a | grep -i netfilter
> net.netfilter.nf_conntrack_generic_timeout = 12
> net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 12
> net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 12
> net.netfilter.nf_conntrack_tcp_timeout_established = 2000
> net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 12
> net.netfilter.nf_conntrack_tcp_timeout_close_wait = 12
> net.netfilter.nf_conntrack_tcp_timeout_last_ack = 12
> net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
> net.netfilter.nf_conntrack_tcp_timeout_close = 8
> net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 30
> net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 30
> net.netfilter.nf_conntrack_tcp_loose = 1
> net.netfilter.nf_conntrack_tcp_be_liberal = 0
> net.netfilter.nf_conntrack_tcp_max_retrans = 3
> net.netfilter.nf_conntrack_udp_timeout = 12
> net.netfilter.nf_conntrack_udp_timeout_stream = 18
> net.netfilter.nf_conntrack_icmp_timeout = 8
> net.netfilter.nf_conntrack_acct = 1
> net.netfilter.nf_conntrack_max = 1048576
> net.netfilter.nf_conntrack_count = 7645
> net.netfilter.nf_conntrack_buckets = 16384
> net.netfilter.nf_conntrack_checksum = 1
> net.netfilter.nf_conntrack_log_invalid = 0
> net.netfilter.nf_conntrack_expect_max = 256
Received on 2009/09/03 19:16
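
A check for the two things this exchange turns on, whether connection-tracking modules are loaded and how full the table is, written as an added example that is not part of either message. The function names and the lsmod sample are constructed for illustration; the three sysctl values are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Functions read saved command output on stdin.

# Constructed sample in `lsmod` format (module sizes are made up).
SAMPLE_LSMOD='Module                  Size  Used by
ipv6                  290320  20
nf_conntrack           65000  0
ip_tables              17000  0
dm_multipath           20000  0'

# Three keys copied from the sysctl output quoted in the thread.
SAMPLE_SYSCTL='net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_count = 7645
net.netfilter.nf_conntrack_expect_max = 256'

# List conntrack/iptables modules by name. Covers both naming schemes:
# ip_conntrack (older kernels) and nf_conntrack (newer kernels).
netfilter_modules() {
    awk '$1 ~ /^(nf_conntrack|ip_conntrack|ip_tables|ip6_tables|x_tables|iptable_|ip6table_)/ { print $1 }'
}

# Print "count max percent"; return 1 when the conntrack keys are absent.
conntrack_usage() {
    awk -F' *= *' '
        $1 ~ /(nf|ip)_conntrack_count$/ { count = $2; have_count = 1 }
        $1 ~ /(nf|ip)_conntrack_max$/   { max = $2;   have_max = 1 }
        END {
            if (!have_count || !have_max || max + 0 == 0) exit 1
            printf "%d %d %.2f\n", count, max, 100 * count / max
        }'
}

# Classify occupancy: "absent", "ok", or "near-full" (threshold in percent, default 80).
conntrack_status() {
    threshold=${1:-80}
    usage=$(conntrack_usage) || { echo absent; return 0; }
    awk -v p="${usage##* }" -v t="$threshold" \
        'BEGIN { print ((p + 0 >= t + 0) ? "near-full" : "ok") }'
}

# Demo on the embedded samples; on a live host pipe in `lsmod` and `sysctl -a`.
printf '%s\n' "$SAMPLE_LSMOD"  | netfilter_modules
printf '%s\n' "$SAMPLE_SYSCTL" | conntrack_usage
printf '%s\n' "$SAMPLE_SYSCTL" | conntrack_status
```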
