ip_conntrack or nf_conntrack : table full, dropping packet

SOLUTION VERIFIED - Updated August 4 2020 at 1:57 AM

Issue

  • What do the following messages in the system log mean?
      ip_conntrack: table full, dropping packet.
      nf_conntrack: table full, dropping packet.
  • Packet drops on this system for connections using the ip_conntrack or nf_conntrack iptables modules.
  • Messages seen in /var/log/messages on the compute nodes when one of the instances drops packets.

Environment


I see a lot of these messages in /var/log/messages of my Linux server

kernel: nf_conntrack: table full, dropping packet.
kernel: __ratelimit: 15812 callbacks suppressed

while my server is under a DoS attack, but the memory is still not saturated. I am wondering what the significance of the message is and how to counter possible security implications.


3 Answers


The message means your connection tracking table is full. There are no security implications other than DoS. You can partially mitigate this by increasing the maximum number of connections being tracked, reducing the tracking timeouts, or by disabling connection tracking altogether, which is doable on a server but not on a NAT router, because the latter will cease to function.

sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
sysctl -w net.netfilter.nf_conntrack_generic_timeout=120
sysctl -w net.ipv4.netfilter.ip_conntrack_max=<more than currently set>
  • These names may be different depending on your distro and kernel. You can discover their names by running sysctl --names --all | grep -i conntrack. Remember to edit /etc/sysctl.conf
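As an added example (not code from the thread or from a vendor knowledge base), the script below turns the advice above into a check a defender can run before the table actually fills: it computes how much of the conntrack table is in use, classifies it, and counts "table full, dropping packet" lines in a log. It assumes the modern /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max files; the sample log lines are constructed and modelled on the messages quoted in the question.

```sh
#!/bin/sh
# Added example, not from the original thread or any vendor KB.
# Reports how close the kernel's connection-tracking table is to the
# "table full, dropping packet" condition and counts those drops in a log.
# Assumed paths (modern kernels; older ones used ip_conntrack names):
CT_COUNT_FILE=/proc/sys/net/netfilter/nf_conntrack_count
CT_MAX_FILE=/proc/sys/net/netfilter/nf_conntrack_max

# conntrack_usage_pct COUNT MAX : integer percentage of the table in use
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status COUNT MAX : "ok" below 80% used, "warn" from 80%, "full" at 100%
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2") || return 1
    if [ "$pct" -ge 100 ]; then echo full
    elif [ "$pct" -ge 80 ]; then echo warn
    else echo ok; fi
}

# count_drop_messages LOGTEXT : number of conntrack "table full" drop lines
count_drop_messages() {
    printf '%s\n' "$1" | grep -c 'conntrack: table full, dropping packet' || true
}

# live_conntrack_status : the same check against the running kernel, if readable
live_conntrack_status() {
    [ -r "$CT_COUNT_FILE" ] && [ -r "$CT_MAX_FILE" ] || return 2
    conntrack_status "$(cat "$CT_COUNT_FILE")" "$(cat "$CT_MAX_FILE")"
}

# Constructed sample log lines, modelled on the messages quoted in the question.
SAMPLE_LOG='Jun  1 10:00:01 host kernel: nf_conntrack: table full, dropping packet.
Jun  1 10:00:01 host kernel: __ratelimit: 15812 callbacks suppressed
Jun  1 10:00:02 host kernel: nf_conntrack: table full, dropping packet.
Jun  1 10:00:03 host sshd[1234]: Accepted publickey for admin from 192.0.2.10'

if [ "${1:-}" = "--live" ]; then
    live_conntrack_status || echo "conntrack files not readable on this host"
else
    echo "sample log drop messages: $(count_drop_messages "$SAMPLE_LOG")"
    echo "table at 60000/65536 -> $(conntrack_status 60000 65536)"
fi
```

Run it with --live on a host to check the real table; a "warn" result is the point at which raising nf_conntrack_max or shortening the timeouts, as the answer describes, should happen before packets start being dropped.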
Original source: https://www.cnblogs.com/xuanbjut/p/13992249.html