nf_conntrack: table full, dropping packet
On a CentOS server, I get the following error in /var/log/messages:
Jan 17 03:40:02 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
This means the kernel's connection-tracking table is full: the number of tracked connections has reached nf_conntrack_max, so new connections are dropped. This can happen on a legitimately busy server or during a DDoS attack.
If the traffic is legitimate, you can raise the maximum number of tracked connections.
To see the current value, run
cat /proc/sys/net/netfilter/nf_conntrack_max
To set the value, run
echo 64000 > /proc/sys/net/netfilter/nf_conntrack_max
Replace 64000 with your desired value.
You can also use sysctl. To see the current value, run
sysctl -a | grep nf_conntrack_max
To set the value, run
sysctl -w net.netfilter.nf_conntrack_max=120000
To make the change permanent (it is otherwise lost on reboot), edit
vi /etc/sysctl.conf
and add the line
net.netfilter.nf_conntrack_max=120000
Then apply it with
sysctl -p
Note that the net.netfilter.nf_conntrack_max key only exists while the nf_conntrack module is loaded; sysctl -p will report an error for it if the module is not loaded yet.
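Before raising the limit blindly, it is worth knowing how close the table actually is to nf_conntrack_max. The script below is an added example, not part of the original post: it compares nf_conntrack_count (the live number of tracked connections, exposed under the same /proc directory) with nf_conntrack_max and flags the host once usage passes a threshold, so the limit can be raised before the kernel starts dropping packets. The threshold of 80 percent is an assumption.

```shell
#!/bin/sh
# Added example: report conntrack table usage and warn when it nears the limit.
# Assumes the /proc entries below exist, i.e. nf_conntrack is loaded.
CT_MAX_FILE=/proc/sys/net/netfilter/nf_conntrack_max
CT_COUNT_FILE=/proc/sys/net/netfilter/nf_conntrack_count

# conntrack_usage_pct COUNT MAX -> integer percentage of the table in use
conntrack_usage_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# conntrack_status COUNT MAX THRESHOLD -> "warn" if usage >= THRESHOLD %, else "ok"
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2") || return 1
    if [ "$pct" -ge "$3" ]; then
        echo warn
    else
        echo ok
    fi
}

# When run on a real host, read the live values and print a one-line summary.
if [ -r "$CT_MAX_FILE" ] && [ -r "$CT_COUNT_FILE" ]; then
    ct_max=$(cat "$CT_MAX_FILE")
    ct_count=$(cat "$CT_COUNT_FILE")
    pct=$(conntrack_usage_pct "$ct_count" "$ct_max")
    status=$(conntrack_status "$ct_count" "$ct_max" 80)
    printf 'conntrack: %s of %s entries in use (%s%%) -> %s\n' \
        "$ct_count" "$ct_max" "$pct" "$status"
fi
```

Run it from cron or a monitoring agent; a "warn" result is the moment to raise nf_conntrack_max (or investigate the traffic), rather than waiting for "table full, dropping packet" in the log.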
See sysctl