[Bug 105] New: Connection tracking table full, no new connections accepted

bugzilla-daemon@netfilter.org
Tue, 24 Jun 2003 19:26:53 +0200


           Summary: Connection tracking table full, no new connections
           Product: netfilter/iptables
           Version: linux-2.4.x
          Platform: i386
        OS/Version: Gentoo
            Status: NEW
          Severity: major
          Priority: P2
         Component: connection tracking
        AssignedTo: laforge@netfilter.org
        ReportedBy: sean@yak.net
                CC: netfilter-buglog@lists.netfilter.org

I've had this problem twice now and figured it was serious enough to report. I
am using iptables as a firewall/NAT device, kernel version 2.4.21 (directly from
kernel.org); I also encountered the problem in 2.4.20.

After a period of time, I get the following message in my kernel logs:
"ip_conntrack: table full, dropping packet." This message then repeats -- a lot.
Thereafter, no new connections either to the outside world or directly to the
NAT machine are accepted but existing connections still work. Doing a userspace
flush, zero, and remove followed by my firewall/NAT rules doesn't seem to
restore things, either. Since I built all of the modules directly into the
kernel, I have not tried rmmod/insmod to see if that fixes things.

I know this is a vague description, but I can and will provide any more details
necessary to help track down this bug.

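The report above describes the symptom only after the kernel has started logging "ip_conntrack: table full, dropping packet". The check a practitioner wants is to watch table utilisation before that point and to see which kinds of entries are filling it (for example a flood of half-open [UNREPLIED] entries versus legitimately established flows). The following shell script is an added example and not part of the bug report or of the netfilter project; it summarises a dump in the /proc/net/ip_conntrack line format of 2.4.x kernels. The sysctl paths it reads for the table limit (/proc/sys/net/ipv4/ip_conntrack_max on 2.4.x, /proc/sys/net/netfilter/nf_conntrack_max on later kernels), the 80% warning threshold and the embedded sample dump are all assumptions of this example, constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the bug report): summarise a conntrack table dump in
# the /proc/net/ip_conntrack format of 2.4.x kernels and warn before the table
# fills up. Paths, threshold and the sample dump below are assumptions.

# Write a constructed sample dump (ten entries) to the file named in $1.
# Format per line: proto protonum timeout [tcp_state] orig-tuple [UNREPLIED] reply-tuple [ASSURED] use=N
conntrack_sample_dump() {
    cat >"$1" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=40001 dport=80 src=10.0.0.5 dst=192.168.1.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431998 ESTABLISHED src=192.168.1.11 dst=10.0.0.5 sport=40002 dport=443 src=10.0.0.5 dst=192.168.1.11 sport=443 dport=40002 [ASSURED] use=1
tcp      6 431900 ESTABLISHED src=192.168.1.12 dst=10.0.0.6 sport=40003 dport=22 src=10.0.0.6 dst=192.168.1.12 sport=22 dport=40003 [ASSURED] use=1
tcp      6 431500 ESTABLISHED src=192.168.1.13 dst=10.0.0.7 sport=40004 dport=25 src=10.0.0.7 dst=192.168.1.13 sport=25 dport=40004 [ASSURED] use=1
tcp      6 118 SYN_SENT src=192.168.1.20 dst=10.0.0.8 sport=50001 dport=25 [UNREPLIED] src=10.0.0.8 dst=192.168.1.20 sport=25 dport=50001 use=1
tcp      6 117 SYN_SENT src=192.168.1.20 dst=10.0.0.9 sport=50002 dport=25 [UNREPLIED] src=10.0.0.9 dst=192.168.1.20 sport=25 dport=50002 use=1
tcp      6 110 TIME_WAIT src=192.168.1.14 dst=10.0.0.5 sport=40005 dport=80 src=10.0.0.5 dst=192.168.1.14 sport=80 dport=40005 [ASSURED] use=1
udp      17 29 src=192.168.1.15 dst=10.0.0.53 sport=1234 dport=53 [UNREPLIED] src=10.0.0.53 dst=192.168.1.15 sport=53 dport=1234 use=1
udp      17 170 src=192.168.1.16 dst=10.0.0.53 sport=1235 dport=53 src=10.0.0.53 dst=192.168.1.16 sport=53 dport=1235 [ASSURED] use=1
icmp     1 29 src=192.168.1.17 dst=10.0.0.1 type=8 code=0 id=512 [UNREPLIED] src=10.0.0.1 dst=192.168.1.17 type=0 code=0 id=512 use=1
EOF
}

# Total number of entries (non-empty lines) in the dump named in $1.
conntrack_count() {
    grep -c . "$1" || true
}

# Number of entries in dump $1 carrying the whole-word marker $2
# (e.g. ESTABLISHED, SYN_SENT, UNREPLIED, ASSURED, udp, icmp).
conntrack_count_state() {
    grep -c -w -- "$2" "$1" || true
}

# Integer percentage of the table in use: $1 = entries, $2 = table limit.
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Table limit from the running kernel (2.4.x path first, then the later one);
# falls back to $1 (default 65536) when neither sysctl is readable.
conntrack_max() {
    for f in /proc/sys/net/ipv4/ip_conntrack_max /proc/sys/net/netfilter/nf_conntrack_max; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    echo "${1:-65536}"
}

# Print a breakdown of dump $1 against limit $2 and return 1 when utilisation
# reaches the threshold $3 (default 80%), so the script can drive an alert.
conntrack_report() {
    d=$1; lim=$2; thr=${3:-80}
    total=$(conntrack_count "$d")
    pct=$(conntrack_pct "$total" "$lim")
    printf 'entries: %s / %s (%s%%)\n' "$total" "$lim" "$pct"
    for s in ESTABLISHED SYN_SENT TIME_WAIT UNREPLIED ASSURED udp icmp; do
        printf '  %-12s %s\n' "$s" "$(conntrack_count_state "$d" "$s")"
    done
    if [ "$pct" -ge "$thr" ]; then
        echo "WARNING: conntrack table ${pct}% full; new flows are dropped at 100%"
        return 1
    fi
    return 0
}

# Demo on the constructed sample with an artificially small limit of 12.
# On a real 2.4.x box: conntrack_report /proc/net/ip_conntrack "$(conntrack_max)"
sample=$(mktemp)
conntrack_sample_dump "$sample"
conntrack_report "$sample" 12 80 || echo "(alerting hook would fire here)"
rm -f "$sample"
```

A high UNREPLIED share relative to ESTABLISHED points at half-open or one-way traffic (scans, SYN floods, unanswered UDP) rather than genuine load, which is the case where raising ip_conntrack_max alone only postpones the problem; tightening the relevant timeouts or rate-limiting new connections is the usual complement.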