OpenWrt Forum Archive

Topic: what is the meaning nf_conntrack: table full, dropping packet.

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
cireddy
3 Nov 2008, 11:09

I am running Kamikaze 7.09 on La Fonerra device and i am seeing these messages

root@OpenWrt:/$ printk: 6 messages suppressed.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
printk: 1 messages suppressed.
nf_conntrack: table full, dropping packet.
printk: 10 messages suppressed.


1. Waht are these messages

2. Is this indication of any problem with the device


With Regards,
Reddy

Post #2
Marek
4 Nov 2008, 19:36

Your nat table is saturated - your net devices behind your La Fonera try to use more connections than it can handle with default settings.
You can increase table size by adding line in /etc/sysctl.conf:

net.ipv4.netfilter.ip_conntrack_max=<size>  ex. 16384

I suggest you to decrease timeouts of not closed but already not used connections.
If you're not into it replace your /etc/sysctl.conf with:

kernel.panic=3
net.ipv4.netfilter.ip_conntrack_max=16384
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_ecn=1
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=0
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=300
net.ipv4.netfilter.ip_conntrack_udp_timeout=60
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
# net.ipv6.conf.all.forwarding=1

(Last edited by Marek on 4 Nov 2008, 22:04)

Post #3
acoul
4 Nov 2008, 21:04

this option should be disabled on busy systems especially on embedded devices that have limited resources.

(Last edited by acoul on 4 Nov 2008, 21:04)

Post #4
Marek
4 Nov 2008, 22:03

acoul,

thsi option net.ipv4.netfilter.ip_conntrack_max=<size> ?

I always use it on my WRT54GS and ASUS WL-500gP with success. Both of theme got 32M RAM so I'm not 100% sure of it will work right with Fonera (16MB??).

The discussion might have continued from here.