
Re: [suse-security] ip_conntrack table overflow



On Mon, 19 Jan 2004, Backhausen, Sven wrote:

Hi,

This is not a security issue like 'buffer overflow'.
It's just that the conntrack module didn't reserve enough space
the first time to handle all your connections. Try increasing
the limit in /proc/sys/net/ipv4/ip_conntrack_max

Sebastian

> hi list,
>
> I updated some of our SuSE-8.1 boxes to the newest kernel
> (k_smp-2.4.21-168) two weeks ago and now one of them stopped responding
> with the following errors in /var/log/messages last night:
> kernel: ip_conntrack: table full, dropping packet.
>
> Here are the ip* modules that are loaded:
> ipt_REJECT              3288   3  (autoclean)
> iptable_mangle          2168   1  (autoclean)
> iptable_filter          1740   1  (autoclean)
> ip_nat_ftp              3376   0  (unused)
> iptable_nat            18072   1  [ip_nat_ftp]
> ip_conntrack_ftp        4336   1  [ip_nat_ftp]
> ip_conntrack           21832   3  [ipt_state ip_nat_ftp iptable_nat ip_conntrack_ftp]
> ip_tables              12248  10  [ipt_TCPMSS ipt_TOS ipt_state ipt_LOG ipt_REJECT iptable_mangle iptable_filter iptable_nat]
>
>
> Is there any known issue with the conntrack modules in the 2.4.21
> series?
> How do I increase the table size or monitor the usage of these tables?
>
> Btw, why does SuSEfirewall2 load the nat modules even when routing and
> nat is disabled in /etc/sysconfig/SuSEfirewall2?
>
> tia
>
> Sven

-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@xxxxxxx - SuSE Security Team
~
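Sven asks how to increase the table size and how to monitor usage; the following is an added helper (my own, not code from the list, from SuSE or from SuSEfirewall2) that reports the conntrack count against ip_conntrack_max and raises the limit. The proc-root prefix argument and the function names are assumptions, added so the logic can be exercised against a constructed fake /proc tree; pass "" on a live box.

```shell
# Hypothetical helper, not from the thread: report how full the conntrack
# table is and raise the limit. "$1" is a prefix for /proc so the logic can
# be run against a constructed fake tree; use "" on a live system.
# Find the sysctl file holding the table limit. 2.4 kernels (ip_conntrack)
# use /proc/sys/net/ipv4/ip_conntrack_max; later kernels use nf_conntrack_max.
conntrack_max_file() {
    root=${1:-}
    for f in "$root/proc/sys/net/ipv4/ip_conntrack_max" \
             "$root/proc/sys/net/netfilter/nf_conntrack_max"; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# Current number of tracked connections: newer kernels export a count file,
# on 2.4 each line of /proc/net/ip_conntrack is one entry.
conntrack_count() {
    root=${1:-}
    if [ -r "$root/proc/sys/net/netfilter/nf_conntrack_count" ]; then
        cat "$root/proc/sys/net/netfilter/nf_conntrack_count"
    elif [ -r "$root/proc/net/ip_conntrack" ]; then
        wc -l < "$root/proc/net/ip_conntrack" | tr -d ' '
    else
        return 2
    fi
}

# Print "count max percent"; return 1 when usage is at or above the threshold
# percent (default 80), 2 when the conntrack files are not available.
conntrack_check() {
    root=${1:-}; threshold=${2:-80}
    maxf=$(conntrack_max_file "$root") || return 2
    max=$(cat "$maxf"); [ "$max" -gt 0 ] || return 2
    count=$(conntrack_count "$root") || return 2
    pct=$((count * 100 / max))
    echo "$count $max $pct"
    [ "$pct" -lt "$threshold" ]
}

# Raise the limit (needs root on a live box); refuses a value that is not
# larger than the current one. On 2.4 the bucket count is the ip_conntrack
# "hashsize" module parameter, so a much larger max means longer hash chains.
conntrack_raise() {
    maxf=$1; new=$2
    cur=$(cat "$maxf")
    [ "$new" -gt "$cur" ] || return 1
    echo "$new" > "$maxf"
}

# Live usage (e.g. from cron): conntrack_check "" 80 || logger "conntrack table nearly full"
```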

