
[suse-security] ip_conntrack table overflow



Hi list,

I updated some of our SuSE-8.1 boxes to the newest kernel (k_smp-2.4.21-168) two weeks ago, and now one of them stopped responding with the following errors in /var/log/messages last night:
kernel: ip_conntrack: table full, dropping packet.

Here are the ip* modules that are loaded:
ipt_REJECT              3288   3  (autoclean)
iptable_mangle          2168   1  (autoclean)
iptable_filter          1740   1  (autoclean)
ip_nat_ftp              3376   0  (unused)
iptable_nat            18072   1  [ip_nat_ftp]
ip_conntrack_ftp        4336   1  [ip_nat_ftp]
ip_conntrack           21832   3  [ipt_state ip_nat_ftp iptable_nat ip_conntrack_ftp]
ip_tables              12248  10  [ipt_TCPMSS ipt_TOS ipt_state ipt_LOG ipt_REJECT iptable_mangle iptable_filter iptable_nat]


Is there any known issue with the conntrack modules in the 2.4.21 series?
How do I increase the table size or monitor the usage of these tables?

Btw, why does SuSEfirewall2 load the NAT modules even when routing and NAT are disabled in /etc/sysconfig/SuSEfirewall2?

tia

Sven

