ip_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
ip_conntrack or nf_conntrack iptables modules./var/log/messages on the compute nodes when one of the instances drops packetsI see a lot of these messages in /var/log/messages of my Linux server
kernel: nf_conntrack: table full, dropping packet.
kernel: __ratelimit: 15812 callbacks suppresse
while my server is under DoS attack but the memory is not still saturated. I am wondering what is the significance of the message and how to counter possible security implications.
The message means your connection tracking table is full. There are no security implications other than DoS. You can partially mitigate this by increasing the maximum number of connections being tracked, reducing the tracking timeouts or by disabling connection tracking altogether, which is doable on server, but not on a NAT router, because the latter will cease to function.
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
sysctl -w net.netfilter.nf_conntrack_generic_timeout=120
sysctl -w net.ipv4.netfilter.ip_conntrack_max=<more than currently set>
ip_conntrack or nf_conntrack : table full, dropping packet
原文:https://www.cnblogs.com/xuanbjut/p/13992249.html
sysctl --names --all | grep -i conntrack. Remember to edit/etc/sysctl.conf