OpenVZ Forum


'nf_conntrack: table full, dropping packet' @ High packet rate openvz kernel despite unlimited connt [message #48633] Fri, 26 October 2012 11:00
Rick Blundell
Hi, I have a high-performance OpenVZ node with a ~20k/s packet rate. I
see this error almost constantly in the kernel log and syslog:

nf_conntrack: table full, dropping packet

I have increased the nf_conntrack_max values, but current usage is always well
below the limit (9999999):

# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 95020

I checked the source code:

    if (nf_conntrack_max &&
        unlikely(atomic_read(&net->ct.count) > nf_conntrack_max)) {
            unsigned int hash = hash_conntrack(orig);
            if (!early_drop(net, hash)) {
                    atomic_dec(&net->ct.count);
                    if (net_ratelimit())
                            printk(KERN_WARNING
                                   "nf_conntrack: table full, dropping"
                                   " packet.\n");
                    return ERR_PTR(-ENOMEM);
            }
    }

I then set nf_conntrack_max to 0 and I still get the dropped packets,
which is expected given the first line of the code above.

I have not seen this on other Linux kernels, although I have not tested
this exact case on a non-OpenVZ kernel (the VMs are doing the traffic). Do
you think this could be OpenVZ-specific? Should I boot this to the kernel
list? Below is info demonstrating my issue.

Thank you
Rick


# dmesg -c
# find /proc -name nf_conntrack_max
/proc/sys/net/netfilter/nf_conntrack_max
/proc/sys/net/nf_conntrack_max
# cat /proc/sys/net/nf_conntrack_max
0
# cat /proc/sys/net/netfilter/nf_conntrack_max
0
# dmesg ; sleep 60
# dmesg | tail -5
[248438.700906] nf_conntrack: table full, dropping packet.
[248438.833028] nf_conntrack: table full, dropping packet.
[248438.833289] nf_conntrack: table full, dropping packet.
[248438.840900] nf_conntrack: table full, dropping packet.
[248438.857631] nf_conntrack: table full, dropping packet.
[248438.991957] nf_conntrack: table full, dropping packet.

[root@enterprise linux-2.6.32]# uname -a
Linux 2.6.32-042stab062.2 #1 SMP Wed Oct 10 18:28:35 MSK 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@enterprise linux-2.6.32]#
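
The branch quoted in the post, modelled in user space as an added example (not kernel or OpenVZ code, and not from the poster). `struct ct_model`, `ct_model_alloc` and `ct_model_run` are hypothetical names, `early_drop()` is replaced by a flag, and raising the counter before the check is an assumption, since the quoted lines start at the `if`.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified stand-in for the state the quoted check reads. */
struct ct_model {
    unsigned int max;       /* models nf_conntrack_max; 0 skips the check */
    unsigned int count;     /* models net->ct.count */
    unsigned long dropped;  /* number of "table full" outcomes */
};

/* One allocation attempt. evictable != 0 models early_drop() finding an
 * entry to evict. Returns 0 on success, -ENOMEM for "table full". */
static int ct_model_alloc(struct ct_model *t, int evictable)
{
    t->count++;                      /* assumption: counted before the check */
    if (t->max && t->count > t->max) {
        if (!evictable) {
            t->count--;              /* mirrors atomic_dec(&net->ct.count) */
            t->dropped++;
            return -ENOMEM;
        }
        t->count--;                  /* modelled eviction frees one slot */
    }
    return 0;
}

/* Runs a burst of attempts and returns the total number of drops. */
static unsigned long ct_model_run(struct ct_model *t, unsigned long attempts,
                                  int evictable)
{
    for (unsigned long i = 0; i < attempts; i++)
        ct_model_alloc(t, evictable);
    return t->dropped;
}

int main(void)
{
    struct ct_model unlimited = { .max = 0 };   /* constructed inputs */
    struct ct_model full = { .max = 3 };
    struct ct_model evict = { .max = 3 };

    printf("max=0, 100000 attempts: %lu drops\n",
           ct_model_run(&unlimited, 100000, 0));
    printf("max=3, 5 attempts, nothing evictable: %lu drops\n",
           ct_model_run(&full, 5, 0));
    printf("max=3, 5 attempts, eviction works: %lu drops\n",
           ct_model_run(&evict, 5, 1));
    return 0;
}
```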