[Bug 105] Connection tracking table full, no new connections accepted
bugzilla-daemon@netfilter.org
Thu, 28 Aug 2003 08:41:58 +0200
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=105
brian-netfilter@admin.softhome.net changed:
What        |Removed    |Added
----------------------------------------------------------------------------
CC          |           |brian-netfilter@admin.softhome.net
Status      |RESOLVED   |REOPENED
OS/Version  |Gentoo     |Debian GNU/Linux
Resolution  |LATER      |
------- Additional Comments From brian-netfilter@admin.softhome.net 2003-08-28 08:41 -------
I'm seeing this too. The bulk of entries in /proc/net/ip_conntrack are in the
[ASSURED] state, dst or src the same IP address (all port 25). In this case 86%
of the entries on this host are 20139 src and 20139 dst for that host:25.
The affected host does bare minimum filtering (but a lot of counters in the
mangle table), and sits in front of another firewall that does use a heavy
iptables-based firewall. Its /proc/net/ip_conntrack is an order of magnitude
smaller.
The host with the overflowing conntrack table is running vanilla 2.4.21 plus
sangoma modules from their wanpipe-2.3.0. The host with the small conntrack
table is running 2.4.19-ac4.
I've increased ip_conntrack_max to deal with it. What data would you like?
I did see a similar effect with [UNREPLIED] in 2.4.20 (or was that 2.4.19?),
which prompted the upgrade to 2.4.21.
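As an added example (not part of the bug report or of the netfilter project), a small parser for the 2.4-era /proc/net/ip_conntrack layout that produces the kind of breakdown described in the comment above: table fill against ip_conntrack_max, the share of [ASSURED] and [UNREPLIED] entries, and the share of entries whose original or reply tuple touches one host:port. The sample lines, the host 192.0.2.10 and the conntrack_max value are constructed here; the assumed layout is the 2.4.x one, with the tcp state word after the timeout and [UNREPLIED] placed between the two tuples.

```python
import re

# Constructed sample in the 2.4.x /proc/net/ip_conntrack layout (not taken from the report)
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=192.0.2.10 sport=40001 dport=25 src=192.0.2.10 dst=10.0.0.7 sport=25 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.8 dst=192.0.2.10 sport=40002 dport=25 src=192.0.2.10 dst=10.0.0.8 sport=25 dport=40002 [ASSURED] use=1
tcp      6 117 SYN_SENT src=10.0.0.9 dst=192.0.2.10 sport=40003 dport=25 [UNREPLIED] src=192.0.2.10 dst=10.0.0.9 sport=25 dport=40003 use=1
udp      17 29 src=10.0.0.7 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=10.0.0.7 sport=53 dport=5353 use=1
"""
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Parse ip_conntrack lines: proto, timeout, tcp state, flags, original and reply tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:  # skip lines we do not understand rather than miscount them
            continue
        orig, reply = [(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples]
        entries.append({
            "proto": fields[0],
            "timeout": int(fields[2]),
            "state": fields[3] if fields[0] == "tcp" else None,  # udp has no state word
            "flags": {f for f in ("[ASSURED]", "[UNREPLIED]") if f in fields},
            "orig": orig,
            "reply": reply,
        })
    return entries


def touches(entry, host, port):
    """True if host:port is the src or dst endpoint of either tuple."""
    return any((s == host and sp == port) or (d == host and dp == port)
               for s, d, sp, dp in (entry["orig"], entry["reply"]))


def saturation_report(text, conntrack_max, host, port):
    """Table fill and the share of entries tied to one host:port, to see what is filling it."""
    entries = parse_conntrack(text)
    n = len(entries) or 1  # avoid division by zero on an empty table
    pct = lambda k: round(100.0 * k / n, 1)
    return {
        "entries": len(entries),
        "fill_pct": round(100.0 * len(entries) / conntrack_max, 1),
        "assured_pct": pct(sum("[ASSURED]" in e["flags"] for e in entries)),
        "unreplied": sum("[UNREPLIED]" in e["flags"] for e in entries),
        "host_port_pct": pct(sum(touches(e, host, port) for e in entries)),
    }
```

Feeding it the real file (open("/proc/net/ip_conntrack").read()) with the sysctl value of ip_conntrack_max gives the same breakdown for a live host.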