Iptables – Increasing ip_conntrack_max safely


I've seen the following in my logs every so often:

kernel: ip_conntrack: table full, dropping packet.

Currently, I have ip_conntrack_max set to 65536 (default, RHEL5).

Keeping memory usage in mind, how much can I safely increase this value? I've got 4GB ram on this box. One of the functions this machine serves is as a static content server, which probably explains the high connections counts, and also means I'd like to keep as much of the OS memory used for caching as possible.

Also, what's the difference between the following two?
/proc/sys/net/ipv4/netfilter/ip_conntrack_max
/proc/sys/net/ipv4/ip_conntrack_max

Which should I be editing?

Thanks!

Best Answer

First, ask yourself a question: does your setup require connection tracking? If it is just a server and firewalling/NAT is done somewhere else, then you can probably disable conntrack altogether.

Second, check if your conntrack entries make sense. Sometimes conntrack tables are filled with rubbish because of some network or firewall mis-configuration. Usually those are entries for connections which were never fully established. That may happen e.g. when the server gets incoming connection SYN packets, but the server replies are always lost somewhere on the network.

The only machines on which I had 'ip_conntrack: table full' messages and which needed an ip_conntrack_max increase (instead of fixing the configuration) were routers doing NAT for quite big networks (thousands of endpoints).

If you know you need conntrack and it really needs to be bigger than it is, then increase the number until you get no more 'table full' messages. And watch the memory usage.

Some statistics about memory allocation for conntrack objects can be found in the /proc/slabinfo file.
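As an added example, not part of the question or the answer: a POSIX shell script that pulls the conntrack slab's figures out of /proc/slabinfo-style text and turns them into memory numbers, so a proposed ip_conntrack_max can be checked against a byte budget before it is written to /proc/sys/net/ipv4/netfilter/ip_conntrack_max. The slab line is a constructed sample; the slab name ip_conntrack is what older kernels such as RHEL5's report, and nf_conntrack is assumed to be the name on newer ones.

```shell
#!/bin/sh
# Estimate conntrack slab memory from /proc/slabinfo text and check whether a
# larger ip_conntrack_max fits a memory budget. Works on a saved copy of
# /proc/slabinfo, so it can be exercised offline.

# Constructed sample of /proc/slabinfo (not captured from a real host).
SAMPLE_SLABINFO='slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
ip_conntrack        61412  65520    304   13    1 : tunables   54   27    8 : slabdata   5040   5040      0
dentry_cache       120000 130000    208   19    1 : tunables  120   60    8 : slabdata   6842   6842      0'

# Print "<active_objs> <num_objs> <objsize>" for the conntrack slab.
# ip_conntrack is the name on older kernels (RHEL5); nf_conntrack is assumed
# to be the name on newer ones.
conntrack_slab_fields() {
    printf '%s\n' "$1" |
        awk '$1 == "ip_conntrack" || $1 == "nf_conntrack" { print $2, $3, $4; exit }'
}

# Bytes the slab currently holds (allocated objects, in use or cached).
conntrack_slab_bytes() {
    conntrack_slab_fields "$1" | awk '{ print $2 * $3 }'
}

# Percentage of allocated objects actually in use; near 100 means the
# table is close to logging "ip_conntrack: table full, dropping packet".
conntrack_slab_usage_pct() {
    conntrack_slab_fields "$1" | awk '{ printf "%d\n", $1 * 100 / $2 }'
}

# Lower bound on bytes a table of $2 entries needs at the reported object
# size. The hash table itself is not counted, so real usage is higher.
conntrack_bytes_for_max() {
    conntrack_slab_fields "$1" | awk -v max="$2" '{ print max * $3 }'
}

# True (exit 0) if $2 entries stay within $3 MiB of slab memory.
conntrack_max_fits() {
    bytes=$(conntrack_bytes_for_max "$1" "$2")
    [ "$bytes" -le $(( $3 * 1024 * 1024 )) ]
}

# Example run against the sample; on a live box pass "$(cat /proc/slabinfo)".
echo "slab bytes now: $(conntrack_slab_bytes "$SAMPLE_SLABINFO")"   # 19918080
echo "in use: $(conntrack_slab_usage_pct "$SAMPLE_SLABINFO")%"      # 93
if conntrack_max_fits "$SAMPLE_SLABINFO" 262144 128; then
    echo "262144 entries fit in 128 MiB ($(conntrack_bytes_for_max "$SAMPLE_SLABINFO" 262144) bytes)"
fi
```

Compare the estimate with the MemFree and Cached figures on the box before raising the limit, since every byte the slab takes is a byte the page cache no longer has.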