Category: LINUX
2012-03-13 05:26:05
First verify that the table is full by checking how many connections are currently being tracked:

[root@localhost ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

Then compare this to the maximum the system is configured to handle, in the ip_conntrack_max entry:

[root@localhost ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
8192

If the count is at (or very close to) the maximum, the ip_conntrack_max setting must be increased to resolve the problem.

To change the default value of ip_conntrack_max persistently, edit /etc/sysctl.conf and add the following entry (put the new limit after the equals sign):

net.ipv4.netfilter.ip_conntrack_max =

Then run the following command to apply the change without a reboot:

# sysctl -p

The value can also be changed at runtime by writing a new value to /sys/module/ip_conntrack/parameters/hashsize.
The ip_conntrack module uses a portion of system memory, called the connection tracking table, to track connections. The size of this table is set when the ip_conntrack module is loaded and is usually derived automatically from the amount of installed RAM. For example, a system with 256MB of RAM will typically have a conntrack table of 8192 entries by default.

The maximum number of connections that can be maintained is 8 * hashsize of the connection tracking module, and each tracked connection requires approximately 300 bytes of memory.

To check the maximum number of conntrack entries available, look at the proc file system:

[root@localhost ~]# cat /proc/sys/net/ipv4/ip_conntrack_max

If the system log contains the message "ip_conntrack: table full, dropping packet.", the table is full and packets traversing the system's firewall are being dropped.
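The checks above can be scripted so the table's fill level is reported before packets start being dropped. The script below is an added example, not code from the original post: it reads the count and maximum from the ip_conntrack proc entries named in the post (and, as an assumption, falls back to the nf_conntrack paths used by newer kernels), computes the utilisation, derives the 8 * hashsize limit and the ~300 bytes-per-entry memory figure the post gives, and counts "table full" messages in kernel log lines. The log lines it is fed are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): inspect ip_conntrack table usage
# and detect "table full, dropping packet" messages in kernel log output.
# Assumes the ip_conntrack proc/sys paths from the post; the nf_conntrack
# paths are an assumption about newer kernels.

# Print the contents of the first readable file among the arguments.
read_first_existing() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    return 1
}

# Percentage of the conntrack table in use (integer arithmetic): count * 100 / max.
conntrack_usage_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Maximum trackable connections implied by a hash table size: 8 * hashsize, as the post states.
conntrack_limit_from_hashsize() {
    echo $(( $1 * 8 ))
}

# Approximate memory consumed by a full table at ~300 bytes per entry (figure from the post).
conntrack_memory_bytes() {
    echo $(( $1 * 300 ))
}

# Count kernel log lines (read from stdin) that report packets dropped because the table is full.
count_table_full_messages() {
    grep -c 'ip_conntrack: table full, dropping packet' || true
}

# Live check against the running system; meaningful only on a host where the module is loaded.
report_conntrack() {
    count=$(read_first_existing /proc/sys/net/ipv4/netfilter/ip_conntrack_count \
                                /proc/sys/net/netfilter/nf_conntrack_count) || return 1
    max=$(read_first_existing /proc/sys/net/ipv4/netfilter/ip_conntrack_max \
                              /proc/sys/net/ipv4/ip_conntrack_max \
                              /proc/sys/net/netfilter/nf_conntrack_max) || return 1
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count / $max entries in use ($pct%)"
    if [ "$pct" -ge 90 ]; then
        echo "WARNING: table nearly full; raise ip_conntrack_max in /etc/sysctl.conf and run sysctl -p"
    fi
}

# Constructed sample kernel log lines used to exercise the detector offline.
SAMPLE_LOG='Mar 13 05:26:01 localhost kernel: ip_conntrack: table full, dropping packet.
Mar 13 05:26:02 localhost kernel: eth0: link up
Mar 13 05:26:03 localhost kernel: ip_conntrack: table full, dropping packet.'

# Run with --demo to count drops in the sample log and report the live table state.
if [ "${1:-}" = "--demo" ]; then
    echo "table-full messages in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full_messages)"
    report_conntrack || echo "no conntrack proc entries found (module not loaded?)"
fi
```

Running the script with --demo on a host that has the module loaded prints the current count, maximum and percentage; on a system with the post's default of 8192 entries, conntrack_memory_bytes 8192 gives roughly 2.4MB, which shows why raising ip_conntrack_max by a few multiples is cheap compared with dropped packets.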