Anyone know how to make the iptables connection tracking table allocation larger?


Post by D. Stuss » Mon, 19 May 2008 09:17:44



I ask because I'm seeing this in my logs:

May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
May 17 03:25:08 (none) last message repeated 9 times
May 17 03:25:47 (none) last message repeated 8 times
May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
May 17 03:26:29 (none) last message repeated 7 times
May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.
...

Is there some setting in /proc/sys that I can change?  If it's a static
value and I have to recompile the kernel, please point me to which file
needs changing....


Post by Larry Finge » Mon, 19 May 2008 10:06:06



> I ask because I'm seeing this in my logs:

> May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
> May 17 03:25:08 (none) last message repeated 9 times
> May 17 03:25:47 (none) last message repeated 8 times
> May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
> May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
> May 17 03:26:29 (none) last message repeated 7 times
> May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
> May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.
> ...

> Is there some setting in /proc/sys that I can change?  If it's a static
> value and I have to recompile the kernel, please point me to which file
> needs changing....

A little googling seems to indicate that /proc/sys/net/ipv4/ip_conntrack_max
contains the information. To change it to 8192 then

echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

Larry


Post by David Schwart » Mon, 19 May 2008 13:11:50



> I ask because I'm seeing this in my logs:

> May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
> May 17 03:25:08 (none) last message repeated 9 times
> May 17 03:25:47 (none) last message repeated 8 times
> May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
> May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
> May 17 03:26:29 (none) last message repeated 7 times
> May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
> May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.
> ...

> Is there some setting in /proc/sys that I can change?  If it's a static
> value and I have to recompile the kernel, please point me to which file
> needs changing....

This drove me nuts, as it allows a very simple denial-of-service
attack, even if you raise the number. I eventually wrote a patch to
cause the system to *pass* a packet when the table is full rather than
drop it. Obviously, you don't want to do this if you use connection
tracking for security reasons rather than rate shaping or accounting
reasons.

DS


Post by Gran » Mon, 19 May 2008 13:39:22




>> I ask because I'm seeing this in my logs:

>> May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
>> May 17 03:25:08 (none) last message repeated 9 times
>> May 17 03:25:47 (none) last message repeated 8 times
>> May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
>> May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
>> May 17 03:26:29 (none) last message repeated 7 times
>> May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
>> May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.
>> ...

>> Is there some setting in /proc/sys that I can change?  If it's a static
>> value and I have to recompile the kernel, please point me to which file
>> needs changing....

>A little googling seems to indicate that /proc/sys/net/ipv4/ip_conntrack_max
>contains the information. To change it to 8192 then

>echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

Um, you seem to be out of date?  I have default value:

~$ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
16384

with:
~$ uname -r
2.6.24.7a

Grant.
--
http://bugsplatter.mine.nu/


Post by Larry Finge » Tue, 20 May 2008 00:17:37





>>> I ask because I'm seeing this in my logs:

>>> May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
>>> May 17 03:25:08 (none) last message repeated 9 times
>>> May 17 03:25:47 (none) last message repeated 8 times
>>> May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
>>> May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
>>> May 17 03:26:29 (none) last message repeated 7 times
>>> May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
>>> May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.
>>> ...

>>> Is there some setting in /proc/sys that I can change?  If it's a static
>>> value and I have to recompile the kernel, please point me to which file
>>> needs changing....

>> A little googling seems to indicate that /proc/sys/net/ipv4/ip_conntrack_max
>> contains the information. To change it to 8192 then

>> echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

> Um, you seem to be out of date?  I have default value:

> ~$ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> 16384

> with:
> ~$ uname -r
> 2.6.24.7a

It is memory dependent and set dynamically at boot time. I just gave an
example. BTW, the documentation says that there will be ~350 bytes of
non-paged kernel memory for each allowed connection.

Larry


Post by D. Stuss » Tue, 20 May 2008 04:51:01






> >> I ask because I'm seeing this in my logs:

> >> May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
> >> May 17 03:25:08 (none) last message repeated 9 times
> >> May 17 03:25:47 (none) last message repeated 8 times
> >> May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
> >> May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
> >> May 17 03:26:29 (none) last message repeated 7 times
> >> May 17 03:27:09 (none) kernel: printk: 1 messages suppressed.
> >> May 17 03:27:09 (none) kernel: nf_conntrack: table full, dropping packet.
> >> ...

> >> Is there some setting in /proc/sys that I can change?  If it's a static
> >> value and I have to recompile the kernel, please point me to which file
> >> needs changing....

> >A little googling seems to indicate that /proc/sys/net/ipv4/ip_conntrack_max
> >contains the information. To change it to 8192 then

> >echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

> Um, you seem to be out of date?  I have default value:

> ~$ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> 16384

> with:
> ~$ uname -r
> 2.6.24.7a

Thank you.  Now that I know where to look, I checked and saw this:

$ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536

Do I already have a maximal value?  I guess not, because I was able to set
it to 131072 successfully.  However, if internally, a short integer (16
bits) is used, then that won't make a difference.  I'm using kernel version
2.6.25.4 - so maybe the defaults are larger.
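As an added example, not code from any poster in this thread: a small POSIX shell script that checks how full the conntrack table is (trying the newer nf_conntrack_max name first, then the 2.6.2x paths quoted above), estimates the kernel memory a given limit costs from Larry's ~350 bytes per entry, and counts the "table full" drops in a syslog excerpt shaped like the one in the original post. PROC_ROOT, the function names and the sample log lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: conntrack table pressure, sizing from the
# ~350-bytes-per-entry figure quoted above, and a count of "table full" drops.
# PROC_ROOT is overridable so the functions can run against a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the first readable conntrack "max" file under PROC_ROOT, or fail.
# Newer kernels use nf_conntrack_max; the 2.6.2x names are tried as fallbacks.
conntrack_max_path() {
    for f in sys/net/netfilter/nf_conntrack_max \
             sys/net/ipv4/netfilter/ip_conntrack_max \
             sys/net/ipv4/ip_conntrack_max; do
        [ -r "$PROC_ROOT/$f" ] && { echo "$PROC_ROOT/$f"; return 0; }
    done
    return 1
}

# Print "count max percent"; the _count file sits beside the _max file.
conntrack_usage() {
    max_file=$(conntrack_max_path) || return 1
    max=$(cat "$max_file")
    count=$(cat "${max_file%_max}_count" 2>/dev/null || echo 0)
    [ "$max" -gt 0 ] || return 1
    echo "$count $max $(( count * 100 / max ))"
}

# Non-paged kernel memory (KiB) for N entries at ~350 bytes each (the thread's
# figure; the real per-entry cost depends on the kernel build).
conntrack_mem_kib() { echo $(( $1 * 350 / 1024 )); }

# Count "table full, dropping packet" events on stdin, folding in the
# "last message repeated N times" lines syslog emits after them.
count_table_full() {
    awk '/nf_conntrack: table full/ { n++; prev = 1; next }
         /last message repeated [0-9]+ times/ && prev { n += $(NF-1); next }
         { prev = 0 }
         END { print n + 0 }'
}

# Constructed log excerpt, same shape as the poster's, for a stand-alone run.
SAMPLE_LOG='May 17 03:25:06 (none) kernel: nf_conntrack: table full, dropping packet.
May 17 03:25:08 (none) last message repeated 9 times
May 17 03:26:29 (none) kernel: printk: 12 messages suppressed.
May 17 03:26:29 (none) kernel: nf_conntrack: table full, dropping packet.
May 17 03:26:29 (none) last message repeated 7 times'

echo "drops in sample: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full)"
echo "KiB for 131072 entries: $(conntrack_mem_kib 131072)"
conntrack_usage || echo "no conntrack sysctl under $PROC_ROOT"
```

Run it as root on the firewall to see count, max and percent used; the percent nearing 100 is the condition that produces the "table full" messages.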


Post by Pascal Hambour » Tue, 20 May 2008 05:42:00


Hello,

D. Stussy wrote:

> $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> 65536

> Do I already have a maximal value?  I guess not, because I was able to set
> it to 131072 successfully.  However, if internally, a short integer (16
> bits) is used, then that won't make a difference.

ip_conntrack_max is an int. 65536 (2^16) would not fit in a short int.

Post by D. Stuss » Tue, 20 May 2008 14:03:26



> Hello,

> D. Stussy wrote:

> > $ cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> > 65536

> > Do I already have a maximal value?  I guess not, because I was able to set
> > it to 131072 successfully.  However, if internally, a short integer (16
> > bits) is used, then that won't make a difference.

> ip_conntrack_max is an int. 65536 (2^16) would not fit in a short int.

That depends on implementation.  It's quite possible that such means all
values 0-65535 are in use (so it actually prints the top value +1).  This is
a "border value" and therefore suspect.  One could still be using a short
int to do indexing into an associative array.  That also means that although
it allowed me to set a larger value, that value might not be honored over a
pre-compiled limit.

Post by Larry Finge » Wed, 21 May 2008 00:47:35



> That depends on implementation.  It's quite possible that such means all
> values 0-65535 are in use (so it actually prints the top value +1).  This is
> a "border value" and therefore suspect.  One could still be using a short
> int to do indexing into an associative array.  That also means that although
> it allowed me to set a larger value, that value might not be honored over a
> pre-compiled limit.

In include/net/netfilter/nf_conntrack.h, one finds

extern int nf_conntrack_max;

It is a 32-bit integer. As it is signed, you will be limited to roughly 2
billion connections, but I doubt you have that much RAM. ;)

Larry
