[Devel] 'nf_conntrack: table full, dropping packet' @ High packet rate openvz kernel despite unlimited conntrack

Rick Blundell rickb at alphabit.com
Fri Oct 26 04:00:38 PDT 2012


Hi, I have a high openvz performance node with ~20k/s packet rate. I 
see this error almost constantly in kernel log and syslog:

nf_conntrack: table full, dropping packet

I have increased nf_conntrack_max values, by current usage I am always 
well below the limit (9999999)

# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 95020

I checked the source code:

if (nf_conntrack_max &&
    unlikely(atomic_read(&net->ct.count) > nf_conntrack_max)) {
        unsigned int hash = hash_conntrack(orig);
        if (!early_drop(net, hash)) {
                atomic_dec(&net->ct.count);
                if (net_ratelimit())
                        printk(KERN_WARNING "nf_conntrack: table full, dropping"
                               " packet.\n");
                return ERR_PTR(-ENOMEM);
        }
}

I then set nf_conntrack_max to 0 and I still get the dropped packets, 
which is expected given the first line of the code above.

I have not seen this on other Linux Kernels, although I have not tested 
this exact case on non openvz kernel (the vms are doing the traffic). Do 
you think this could be openvz specific? Should I boot this to kernel 
list? Below is info demonstrating my issue.

Thank you
Rick


# dmesg -c
# find /proc -name nf_conntrack_max
/proc/sys/net/netfilter/nf_conntrack_max
/proc/sys/net/nf_conntrack_max
# cat /proc/sys/net/nf_conntrack_max
0
# cat /proc/sys/net/netfilter/nf_conntrack_max
0
# dmesg ; sleep 60
# dmesg | tail -5
[248438.700906] nf_conntrack: table full, dropping packet.
[248438.833028] nf_conntrack: table full, dropping packet.
[248438.833289] nf_conntrack: table full, dropping packet.
[248438.840900] nf_conntrack: table full, dropping packet.
[248438.857631] nf_conntrack: table full, dropping packet.
[248438.991957] nf_conntrack: table full, dropping packet.

[root@enterprise linux-2.6.32]# uname -a
Linux 2.6.32-042stab062.2 #1 SMP Wed Oct 10 18:28:35 MSK 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@enterprise linux-2.6.32]#
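
An added diagnostic, not part of the original post or of the OpenVZ kernel: it parses the drop messages from dmesg output and compares them with the global nf_conntrack_count and nf_conntrack_max values that the quoted check reads, flagging the mismatch reported above. The function names and result labels are this example's own; the sample log lines are the ones shown in the post.

```python
import re
from pathlib import Path

# Matches the kernel message quoted in the post, capturing the dmesg timestamp.
DROP_RE = re.compile(r"\[\s*(\d+\.\d+)\]\s+nf_conntrack: table full, dropping packet")

# Sample input: the six dmesg lines shown in the post.
SAMPLE_DMESG = """\
[248438.700906] nf_conntrack: table full, dropping packet.
[248438.833028] nf_conntrack: table full, dropping packet.
[248438.833289] nf_conntrack: table full, dropping packet.
[248438.840900] nf_conntrack: table full, dropping packet.
[248438.857631] nf_conntrack: table full, dropping packet.
[248438.991957] nf_conntrack: table full, dropping packet.
"""

def drop_stamps(dmesg_text):
    """Kernel timestamps (seconds) of every logged drop message."""
    found = (DROP_RE.search(line) for line in dmesg_text.splitlines())
    return [float(m.group(1)) for m in found if m]

def read_sysctl(name, root="/proc/sys"):
    """Read an integer sysctl such as net.netfilter.nf_conntrack_count; None if absent."""
    try:
        return int(Path(root, *name.split(".")).read_text().strip())
    except (OSError, ValueError):
        return None

def assess(count, limit, stamps):
    """Compare logged drops with the global counters the quoted check uses."""
    if not stamps:
        return "no-drops-logged"
    if count is None or limit is None:
        return "counters-unreadable"
    # The quoted check only fires when the limit is non-zero and count > limit.
    if limit == 0 or count <= limit:
        return "drops-despite-headroom"  # the situation reported in the post
    return "table-over-limit"

def message_rate(stamps):
    """Logged messages per second; a lower bound on drops because of net_ratelimit()."""
    if not stamps:
        return 0.0
    span = max(stamps) - min(stamps)
    return len(stamps) / span if span > 0 else float(len(stamps))

if __name__ == "__main__":
    stamps = drop_stamps(SAMPLE_DMESG)
    count = read_sysctl("net.netfilter.nf_conntrack_count")
    limit = read_sysctl("net.netfilter.nf_conntrack_max")
    print(assess(count, limit, stamps), f"{message_rate(stamps):.1f} msg/s logged")
```
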

