kernel: ip_conntrack: table full, dropping packet.

Jacek Konieczny jajcus@bnet.pl
Fri, 26 Oct 2001 08:16:03 +0200


On Fri, Oct 26, 2001 at 02:06:24AM +0200, Torsten Stern wrote:
> I set /proc/sys/net/ipv4/ip_conntrack_max to 16376 but it doesn't work
> for a long time - same errors.
> So does someone know how to fix this!?
Probably your /proc/net/ip_conntrack contains a lot of
connection info which should not be there at all, or should already
have expired.
You should find the reason why so many entries are there.
I had a similar problem, when my conntrack-enabled router was sending
ICMP redirects to connected networks. The router "saw" the first packets
of TCP connections and noted them in the ip_conntrack table, but it didn't
see the rest (including the end) of the connections, as they were redirected
to another router.
The fix was quite easy:
iptables -t raw -A PREROUTING ... -j NOTRACK
Where "..." is the rule for the packets which should not be tracked.

Greets,
	Jacek
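
As an added example (not from the thread), a small POSIX shell helper for the diagnosis suggested above: summarising what is in /proc/net/ip_conntrack by protocol and TCP state, counting UNREPLIED entries (connections the router saw only one side of), and listing the destinations they go to. The sample dump is constructed for the example and uses documentation address ranges.

```shell
#!/bin/sh
# Helpers for reading a 2.4-style /proc/net/ip_conntrack dump.
# Each function reads the dump on stdin, e.g.:
#   conntrack_summary < /proc/net/ip_conntrack

# Constructed sample dump (not real data): one established flow,
# three half-open SYN_SENT flows the router never saw replies for,
# one UDP and one ICMP entry.
sample_conntrack() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.0.2.11 dst=198.51.100.5 sport=40002 dport=80 [UNREPLIED] src=198.51.100.5 dst=192.0.2.11 sport=80 dport=40002 use=1
tcp      6 118 SYN_SENT src=192.0.2.12 dst=198.51.100.6 sport=40003 dport=443 [UNREPLIED] src=198.51.100.6 dst=192.0.2.12 sport=443 dport=40003 use=1
tcp      6 117 SYN_SENT src=192.0.2.13 dst=198.51.100.6 sport=40004 dport=443 [UNREPLIED] src=198.51.100.6 dst=192.0.2.13 sport=443 dport=40004 use=1
udp      17 29 src=192.0.2.10 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=5353 use=1
icmp     1 29 src=192.0.2.10 dst=198.51.100.5 type=8 code=0 id=512 src=198.51.100.5 dst=192.0.2.10 type=0 code=0 id=512 use=1
EOF
}

# Entries per protocol (and TCP state, field 4), most frequent first.
# A table dominated by SYN_SENT or similar is the asymmetric-routing symptom.
conntrack_summary() {
    awk '{ key = ($1 == "tcp") ? $1 " " $4 : $1; n[key]++ }
         END { for (k in n) printf "%6d %s\n", n[k], k }' | sort -rn
}

# Number of entries conntrack has seen only one direction of.
conntrack_unreplied() {
    grep -c '\[UNREPLIED\]' || true
}

# Most common destinations in the original direction (first dst= field);
# the argument limits the output (default 5). Points at where the
# untracked traffic is going, i.e. what an exemption rule should match.
conntrack_top_dst() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^dst=/) { sub("dst=", "", $i); n[$i]++; break } }
         END { for (d in n) printf "%6d %s\n", n[d], d }' \
        | sort -rn | head -n "${1:-5}"
}

# Demo on the constructed sample.
sample_conntrack | conntrack_summary
printf 'unreplied: %s\n' "$(sample_conntrack | conntrack_unreplied)"
sample_conntrack | conntrack_top_dst 3
```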